Australia’s cyber intelligence agency said on Saturday that “malicious websites and unofficial code” were being released online claiming to aid recovery from Friday’s global digital outage, which hit media, retailers, banks and airlines.
Australia was one of many countries affected by the outage that caused havoc worldwide after a botched software update from CrowdStrike.
The Australian Signals Directorate (ASD) – the country’s cyber intelligence agency – said “a number of malicious websites and unofficial code are being released claiming to help entities recover from the widespread outages caused by the CrowdStrike technical incident”.
On its website, the agency said its cybersecurity centre “strongly encourages all consumers to source their technical information and updates from official CrowdStrike sources only”.
Security experts said CrowdStrike’s routine update of its widely used cybersecurity software apparently did not undergo adequate quality checks before it was deployed.
The latest version of its Falcon Sensor software was meant to make CrowdStrike clients’ systems more secure against hacking by updating the threats it defends against. But a faulty code in the update files resulted in one of the most widespread tech outages in recent years for companies using Microsoft’s Windows operating system.
CrowdStrike released information to fix affected systems, but experts said getting them back online would take time as it required manually weeding out the flawed code.
“What it looks like is, potentially, the vetting or the sandboxing they do when they look at code, maybe somehow this file was not included in that or slipped through,” said Steve Cobb, chief security officer at Security Scorecard, which also had some systems impacted by the issue.
Problems came to light quickly after the update was rolled out on Friday, and users posted pictures on social media of computers with blue screens displaying error messages. These are known in the industry as “blue screens of death.”
Patrick Wardle, a security researcher who specialises in studying threats against operating systems, said his analysis identified the code responsible for the outage.
The update’s problem was “in a file that contains either configuration information or signatures,” he said. Such signatures are code that detects specific types of malicious code or malware.
“It’s very common that security products update their signatures, like once a day … because they’re continually monitoring for new malware and because they want to make sure that their customers are protected from the latest threats,” he said.
The frequency of updates “is probably the reason why [CrowdStrike] didn’t test it as much,” he said.
It is unclear how that faulty code got into the update and why it was not detected before being released to customers.
“Ideally, this would have been rolled out to a limited pool first,” said John Hammond, principal security researcher at Huntress Labs. “That is a safer approach to avoid a big mess like this.”
Other security companies have had similar episodes in the past. McAfee’s buggy antivirus update in 2010 stalled hundreds of thousands of computers.
Adding to the disruption, Microsoft experienced a separate and apparently unrelated problem with its Azure cloud service on Thursday that lasted for several hours. On Friday afternoon, the company said in a post on X that all Microsoft 365 apps and services had been restored.
The catastrophic failure underscores an increasingly dire threat to global supply chains: The IT systems of some of the world’s biggest and most critical industries have grown heavily dependent on a handful of relatively obscure software vendors, which are now emerging as single points of failure. In recent months, hackers have exploited this phenomenon, targeting vendors to bring down entire sectors and governments.
The global impact of this outage reflects CrowdStrike’s dominance. Over half of Fortune 500 companies and many government bodies such as the top US cybersecurity agency itself, the Cybersecurity and Infrastructure Security Agency, use the company’s software.
“This will be the largest IT outage in history,” said Troy Hunt, an Australian security consultant and creator of the hack-checking website Have I Been Pwned. “We’re really only starting to see the tip of the iceberg.”
