CrowdStrike update: Warnings from national cyber agencies, repair options from Microsoft


National cybersecurity agencies in the U.S., Canada, the U.K. and Australia issued security warnings about the faulty CrowdStrike Falcon update that bricked an estimated 8.5 million corporate PCs and servers around the world. At the same time, Microsoft released a recovery tool over the weekend to help IT leaders automate recovery from what for some organizations was a devastating systems collapse. And CrowdStrike is testing a new technique it says will accelerate remediation of impacted systems.

“We understand the gravity of this situation and are deeply sorry for the inconvenience and disruption,” CrowdStrike said in a statement on the failure, called by some the largest IT outage in history.

The company and cybersecurity experts also warned that threat actors are already taking advantage of the upheaval to push alleged CrowdStrike remediation solutions through phishing emails.

“Threat actors continue to use the widespread IT outage for phishing and other malicious activity,” warned the U.S. Cybersecurity and Infrastructure Security Agency. “CISA urges organizations to ensure they have robust cybersecurity measures to protect their users, assets, and data against this activity.”

Microsoft offered two repair options that start with downloading a recovery tool:

– Recover with WinPE (Windows Presentation Environment, a lightweight version of the OS that admins use for deployment of PCs), which produces removable boot media that helps facilitate device repair.

Microsoft recommends this option. It quickly and directly recovers systems and does not require local admin privileges. However, if Windows’ BitLocker encryption is used on the device, IT may need to manually enter the BitLocker recovery key before repairing the impacted system. Environments with a third-party disk encryption solution will have to refer to vendor guidance to determine options to recover the drive so that the remediation script can be run from WinPE.

– Recovery through Windows Safe Mode, which produces boot media so impacted devices can boot into safe mode. An administrator can then log in using an account with local admin privileges and run the remediation steps.

This option may enable recovery on BitLocker-enabled devices without requiring the entry of BitLocker recovery keys, says Microsoft. For this option, you must have access to an account with local administrator rights on the device. Use this approach for devices using TPM-only protectors, devices that are not encrypted, or situations where the BitLocker recovery key is unknown. However, if utilizing TPM+PIN BitLocker protectors, the user will either need to enter the PIN if known, or the BitLocker recovery key must be used.

If BitLocker is not enabled, then the user will only need to sign in with an account with local administrator rights. If third-party disk encryption solutions are utilized, please work with those vendors to determine options to recover the drive so the remediation script can be run.
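Which of the two options applies to a given device depends on how its BitLocker volume is protected, and the WinPE path depends on the recovery key being retrievable while the device itself will not boot. The following PowerShell is an added example, not part of the article or of Microsoft’s recovery tool: run on a machine that still boots (or through a remote management channel), it classifies each volume’s key protectors against the rules described above and escrows any recovery-password protector to Entra ID so the key is available from the portal. It assumes the built-in BitLocker module (`Get-BitLockerVolume`, `BackupToAAD-BitLockerKeyProtector`), available on Windows 10/11 and Windows Server; the function names and the classification strings are this example’s own.

```powershell
# Added example: map a volume's BitLocker protector types to the recovery path
# described in the article. Assumes the Windows BitLocker PowerShell module.

function Get-RecoveryPathForVolume {
    param([Parameter(Mandatory)] $Volume)   # one object from Get-BitLockerVolume

    # KeyProtectorType values from the BitLocker module: Tpm, TpmPin, TpmStartupKey,
    # TpmPinStartupKey, RecoveryPassword, ExternalKey, Password.
    $types = @($Volume.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasRecoveryPassword = $types -contains 'RecoveryPassword'

    if ($Volume.ProtectionStatus -ne 'On' -or $Volume.VolumeStatus -eq 'FullyDecrypted') {
        # Not encrypted: Safe Mode path needs only a local administrator account.
        $path = 'Not encrypted: either option; Safe Mode needs a local admin account'
    }
    elseif ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
        # TPM+PIN: the PIN (if known) or the recovery key is required.
        $path = 'TPM+PIN: enter the PIN if known, otherwise the recovery key is needed'
    }
    elseif ($types -contains 'Tpm' -or $types -contains 'TpmStartupKey') {
        # TPM-only: Safe Mode option can recover without entering a recovery key.
        $path = 'TPM-only: Safe Mode option without entering a recovery key'
    }
    else {
        # Password / startup-key-only protectors: plan on WinPE with the recovery key.
        $path = 'Other protector: WinPE option, recovery key required'
    }

    [pscustomobject]@{
        MountPoint          = $Volume.MountPoint
        Protectors          = ($types -join ',')
        RecoveryKeyOnDevice = $hasRecoveryPassword
        SuggestedPath       = $path
    }
}

function Backup-RecoveryKeysToEntra {
    # Escrow every recovery-password protector to Entra ID (Azure AD), so the key
    # can be retrieved from the portal when the device cannot boot to show it.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

# Usage: inventory the volumes on this device, then escrow the recovery keys.
Get-BitLockerVolume | ForEach-Object { Get-RecoveryPathForVolume $_ } | Format-Table -AutoSize
Backup-RecoveryKeysToEntra
```

Devices joined to on-premises Active Directory can use `Backup-BitLockerKeyProtector` in place of the Entra cmdlet. The inventory table is the input a recovery team needs before choosing media: a fleet that is mostly TPM-only can go straight to the Safe Mode option, while TPM+PIN and third-party-encrypted devices need the key or vendor guidance first, as the article notes.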

“As with any recovery option,” Microsoft cautions, “test on multiple devices prior to using it broadly in your environment.”

Note that some PCs and servers that can’t connect to a USB drive may have to be re-imaged.

Howard Solomon (https://www.itworldcanada.com)
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
