CrowdStrike and Microsoft Incident

July 19, 2024 | By: Virtual Guardian

Dear customers,

A worldwide outage is currently affecting computers and virtual machines equipped with the CrowdStrike Falcon security suite.

The incident is linked to a faulty update of the CrowdStrike software.

Indicators include “blue screens” linked to the CS Falcon sensor and restarts.

Since last night, our Security Operation Center (SOC) has activated its crisis unit, in conjunction with our partners Microsoft and CrowdStrike.

For our CrowdStrike customers, your Virtual Guardian team is keeping a close eye on the situation to detect any suspicious events or behavior. While the CrowdStrike Falcon solution is deactivated, hackers have an opportunity to launch attacks as and when the solution is reconnected, updated, or even temporarily removed.

Our teams have been contacting all our customers since 03:00 am EST to check with each of them the possible impact of the outage and offer assistance in resolving the incident.

In particular, CrowdStrike has provided us with the list of equipment affected by the failure at our customers’ sites, as not all our customers are affected by this event. CrowdStrike has, in fact, stopped this update following the failure.

Recommended procedure for solving the problem:

Below, we suggest two procedures depending on your situation.

If you have the BitLocker solution:

  1. Restart the affected PC until you reach the Windows recovery screen.
  2. Select Troubleshooting > Advanced options > Startup options.
  3. Press restart.
  4. Press Esc to skip the prompt asking for the BitLocker recovery key.
  5. Skip the second prompt to enter your BitLocker key by selecting Ignore this drive in the bottom right-hand corner.
  6. Select Troubleshooting > Advanced Options > Command prompt.
  7. Type: “bcdedit /set {default} safeboot minimal” and press Enter.
  8. Type Exit to close the window and press Continue in the recovery interface.
  9. The PC will restart in safe mode.
  10. Log in as usual with your login details.
  11. Open File Explorer to C:\Windows\System32\drivers\Crowdstrike
  12. Delete the file whose name starts with C-00000291 and has the .sys extension.
  13. Open a command prompt as administrator.
  14. Type “bcdedit /deletevalue {default} safeboot” and press Enter.
  15. Reboot and your PC is up and running again.
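
Steps 11 to 14 can also be run as a PowerShell script once the PC is in safe mode. This is an added example, not part of the original advisory or of CrowdStrike's procedure; it assumes an elevated PowerShell session, and the `-DryRun` switch is a hypothetical name introduced here.

```powershell
# Added example: steps 11-14 of the procedure above, run from an elevated
# PowerShell session after the PC has booted into safe mode.
param(
    [switch]$DryRun   # hypothetical switch: list the matching files, change nothing
)

$driverDir = 'C:\Windows\System32\drivers\Crowdstrike'   # path from step 11
$pattern   = 'C-00000291*.sys'                           # file name from step 12

# Deleting from the drivers folder and editing the boot configuration need elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) PowerShell session.'
}

# Step 12: find the file(s) first so the deletion is visible and can be logged.
$targets = @(Get-ChildItem -Path $driverDir -Filter $pattern -File -ErrorAction Stop)
if ($targets.Count -eq 0) {
    Write-Warning "No file matching $pattern in $driverDir; nothing deleted."
}
foreach ($file in $targets) {
    Write-Output ("{0}  {1} bytes  modified {2:u}" -f $file.FullName, $file.Length, $file.LastWriteTimeUtc)
    if (-not $DryRun) { Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop }
}

# Step 14: clear the safe-mode flag. In PowerShell the braces must be quoted,
# otherwise {default} is parsed as a script block and bcdedit does not
# receive the literal text.
if (-not $DryRun) {
    & bcdedit.exe /deletevalue '{default}' safeboot
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'bcdedit could not remove the safeboot value; the PC may start in safe mode again.'
    } else {
        Write-Output 'safeboot value removed; reboot to return to normal mode (step 15).'
    }
}
```

Running it with `-DryRun` first prints the matching file names, sizes and timestamps without deleting anything, which gives a record of what was removed on each machine.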

If you do not have BitLocker, please find enclosed the procedure communicated by CrowdStrike:

Procedure CS
Windows crashed 2.pdf


Issues with the Microsoft administration console:

In parallel with this major event, Microsoft is reporting a major service degradation related to the Azure 365 administration console.

These two events are distinct, but each requires special attention.

To follow the progress of this other incident, please find attached the link to the information and support center of our partner Microsoft: Microsoft service health status (cloud.microsoft)

https://status.cloud.microsoft/

Mr Tommy Koorevaar
Director, Security Operations Center
