To better understand what happened, the response to the incident, and its consequences, we provide a timeline of the events related to the failed CrowdStrike update, which caused many computers to experience the dreaded blue screen of death (BSOD). We will analyze the impact across various industries and regions, as well as the measures taken before and after the incident. We will also explain the attacks that exploited the vulnerability in the affected Windows systems.
Incident Timeline
Pre-Deployment Development and Implementation Phase
Crisis Phase
Global Impact
Affected Sectors
Financial Implications
Response and Recovery
Immediate Measures and Resilience Improvement
CrowdStrike launched a series of updates and temporary solutions to mitigate the issues. Performance monitoring of the sensor and system was enhanced, and detailed instructions were provided to customers to resolve the problems.
CrowdStrike published a report outlining measures to prevent future incidents, including:
- Rapid Response Content Testing: Implementation of more rigorous testing, such as stress testing, fuzzing, and fault injection.
- Additional Validation: Adding extra checks to the Content Validator.
- Improved Error Handling: Enhancing error handling in the Content Interpreter.
- Staggered Implementation: A gradual deployment strategy for content updates.
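As an added illustration of the four measures above (example code written for this article, not CrowdStrike's own; the four-field record schema, the ring names and the 1% failure threshold are assumptions), a toy model in which a Content Validator rejects malformed content, the Content Interpreter fails closed on bad records instead of crashing, and a staggered rollout halts as soon as crash telemetry from an early ring exceeds the threshold:

```python
from dataclasses import dataclass, field

# Assumed schema: each Rapid Response Content record carries exactly four fields.
EXPECTED_FIELDS = 4

def validate_content(records):
    """Content Validator: reject the whole update if any record is malformed."""
    for i, rec in enumerate(records):
        if len(rec) != EXPECTED_FIELDS or any(f == "" for f in rec):
            return False, f"record {i}: expected {EXPECTED_FIELDS} fields, got {len(rec)}"
    return True, "ok"

def interpret(record):
    """Content Interpreter: fail closed (return None) on bad input instead of crashing.
    Feeding it deliberately malformed records is the fault-injection test."""
    try:
        return {"rule": record[0], "pattern": record[1],
                "action": record[2], "severity": int(record[3])}
    except (IndexError, TypeError, ValueError):
        return None

@dataclass
class StaggeredRollout:
    """Deploy ring by ring; halt before the next ring once crash telemetry
    from the current ring exceeds the allowed failure rate."""
    rings: list
    max_failure_rate: float = 0.01
    deployed: list = field(default_factory=list)

    def run(self, content, telemetry):
        # telemetry: ring name -> (hosts updated, hosts that crashed)
        ok, reason = validate_content(content)
        if not ok:
            return "rejected", reason
        for ring in self.rings:
            self.deployed.append(ring)
            hosts, crashes = telemetry.get(ring, (0, 0))
            if hosts and crashes / hosts > self.max_failure_rate:
                return "halted", f"{ring}: {crashes}/{hosts} hosts failed"
        return "complete", f"{len(self.rings)} rings"

# Constructed sample content: one well-formed update and one with an extra field.
GOOD_UPDATE = [("r1", "evil.exe", "block", "3"), ("r2", "dropper.dll", "alert", "2")]
BAD_UPDATE = [("r1", "evil.exe", "block", "3", "unexpected")]
RINGS = ["canary", "early", "broad", "all"]

if __name__ == "__main__":
    print(StaggeredRollout(RINGS).run(BAD_UPDATE, {}))
    print(StaggeredRollout(RINGS).run(GOOD_UPDATE, {"canary": (100, 5)}))
```

The second run shows the point of the staggered strategy: a 5% crash rate in the canary ring stops the rollout before the remaining three rings ever receive the update.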
Microsoft blames the EU
Microsoft blamed the European Union for the outage, arguing that a 2009 agreement with the European Commission prevented it from making security changes it considered necessary, specifically restricting third-party access to the Windows kernel. According to Microsoft, this agreement obliged it to allow multiple security providers to install kernel-level software, which contributed to the scale of the failure.
Post-Incident Attacks
The incident made clear that data centers running Windows on servers not hosted in the cloud need remote KVM-over-IP control systems. These allow servers to be managed and monitored remotely, including access to BIOS functions, which reduces the need for physical intervention and is crucial to keeping the infrastructure operable and secure when a host will not boot.
Situations like this make the importance of a reliable cybersecurity provider evident. These issues are not isolated events: throughout history, similar failures have caused significant disruption across multiple sectors and regions, affecting everything from air transportation to healthcare and finance. These precedents reinforce the idea that such events have not only occurred before but could occur again if proper precautions are not taken.