INFORMATIONAL SEVERITY HIGH TLP GREEN
Summary:

CrowdStrike is aware of reports of crashes on Windows hosts that have taken place after installing the latest update for the CrowdStrike Falcon Sensor. CrowdStrike says that it has identified a content deployment related to this issue and reverted those changes.

Impact:
Windows hosts are getting stuck in a boot loop or experiencing bugcheck/blue screen errors related to the Falcon Sensor. Several organizations and services across the world have been impacted, including airports, airlines, banks, hospitals, as well as 911 services.

Mitigation:
The root cause has been associated with a Channel File, which contains data for the Falcon sensor. CrowdStrike has reverted the Channel File. Note: Channel File "C-00000291*.sys" with a timestamp of 0527 UTC or later is the reverted (good) version; Channel File "C-00000291*.sys" with a timestamp of 0409 UTC is the problematic version. Hosts booted after 5:27 AM UTC should not be experiencing any issues. If hosts are still crashing and unable to stay online long enough to receive the Channel File changes, CrowdStrike recommends:
  • Boot Windows into Safe Mode or the Windows Recovery Environment. NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
  • Locate the file matching "C-00000291*.sys" and delete it.
  • Boot the host normally. Note: BitLocker-encrypted hosts may require a recovery key.
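One way to carry out the file check above on a host already booted into Safe Mode, as an added PowerShell example rather than CrowdStrike's own tooling: it classifies each C-00000291*.sys by its UTC write time against the 0527 UTC cut-off from the advisory and only removes the problematic one. It assumes the incident date (2024-07-19), which the advisory does not state, and assumes the CrowdStrike drivers directory lives under the booted Windows install.

```powershell
# Added example, not CrowdStrike tooling. Triage Falcon channel file 291 on a
# host booted into Safe Mode. The advisory gives only times of day (0409 UTC bad,
# 0527 UTC or later good); the date 2024-07-19 is assumed here, not taken from it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # From WinRE, $env:WINDIR points at the recovery image (X:\Windows), so pass
    # -DriverDir 'C:\Windows\System32\drivers\CrowdStrike' explicitly there.
    [string]$DriverDir = (Join-Path $env:WINDIR 'System32\drivers\CrowdStrike'),
    # Earliest write time of the reverted (good) channel file, per the advisory.
    [datetime]$GoodSince = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)
)

$files = Get-ChildItem -Path $DriverDir -Filter 'C-00000291*.sys' -File -ErrorAction Stop
if (-not $files) {
    Write-Host "No C-00000291*.sys present in $DriverDir; nothing to remediate."
    return
}

foreach ($f in $files) {
    $stamp = $f.LastWriteTimeUtc
    # Anything written before the 0527 UTC revert is the problematic build.
    $bad = $stamp -lt $GoodSince
    $verdict = if ($bad) { 'PROBLEMATIC' } else { 'reverted/OK' }
    Write-Host ('{0}  LastWriteTimeUtc={1:u}  {2}' -f $f.Name, $stamp, $verdict)

    # ShouldProcess honours -WhatIf/-Confirm, so a dry run shows what would be removed.
    if ($bad -and $PSCmdlet.ShouldProcess($f.FullName, 'Delete problematic channel file')) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "Deleted $($f.FullName); reboot normally so the sensor fetches the reverted file."
    }
}
```

Run it once with `-WhatIf` to confirm which file it would delete before running it for real; BitLocker-encrypted hosts may still prompt for a recovery key on the way into Safe Mode.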
CrowdStrike Statement:
https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/
 
Why were systems running Windows 3.1 spared?
I believe it was before certain networking features were available. The reports that some companies ("Southwest") were using 3.1 have been proven inaccurate. 3.1 would be Windows 95. The post that companies using 3.1 were spared was a joke tweet that started getting spread.
I appreciate the information. I agree it was because they weren't using CrowdStrike. What is the future of CrowdStrike now? I saw their latest advertisement and it doesn't help to make you more trusting of their offerings given this latest hack?
It wasn't really a hack; it was a misconfiguration that caused the Windows computers to crash (BSOD), although it is just a preview of the Year 2038 Unix bug for things that have not been updated since the 1970s.
Any Windows operating system running before 2008 (Vista/Windows 2008) did not have UAC, although it was a joke tweet/post that spread.