The page includes technical information about what caused the outage, which systems were affected, and a statement from CEO George Kurtz. It contains links to BitLocker key recovery processes and also to several third-party vendor pages on how to handle the outage.
The page points to a knowledge base article (which only logged-in customers can access) for using a bootable USB key. Microsoft yesterday released a tool that automatically deletes the problematic channel file that caused machines to blue screen.
CrowdStrike also published a blog post yesterday warning that threat actors have taken advantage of the situation to distribute malware, using “a malicious ZIP file called crowdstrike-hotfix.zip”.
The ZIP file contains a HijackLoader payload that, when executed, delivers Remcos. Notably, the Spanish filenames and instructions in the ZIP file indicate that this campaign is likely targeting CrowdStrike customers based in Latin America (LATAM).
Following the content update issue, several typosquatting domains impersonating CrowdStrike were identified. This campaign marks the first observed case where a threat actor capitalized on the Falcon content issue to distribute malicious files targeting CrowdStrike customers based in Latin America.
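One way a defender can surface the typosquatting domains described above in DNS query logs, as an added example that is not part of the original article or of CrowdStrike's own guidance: normalise the registered label for common digit/homoglyph substitutions, then flag labels that embed or sit within a small edit distance of "crowdstrike". The log line format and the sample queries are constructed for this example; the real lookalike domains are not listed on the page.

```python
import re

BRAND = "crowdstrike"
# Constructed table of substitutions commonly seen in lookalike labels
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "-": "", "_": ""})


def registered_label(domain: str) -> str:
    """Return the second-level label ('crowdstrike' for 'www.crowdstrike.com')."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, brand: str = BRAND, max_dist: int = 2) -> bool:
    """True if the registered label impersonates the brand; the real domain is excluded."""
    label = registered_label(domain)
    if label == brand:
        return False  # legitimate registered domain, any subdomain
    norm = label.translate(HOMOGLYPHS)
    if brand in norm:
        return True   # e.g. crowdstrike-hotfix.com, cr0wdstrike.net
    return levenshtein(norm, brand) <= max_dist


def flag_dns_log(lines):
    """Return (queried_domain, client) for each query to a lookalike domain."""
    hits = []
    for line in lines:
        m = re.search(r"client=(\S+)\s+query=(\S+)", line)
        if m and is_lookalike(m.group(2)):
            hits.append((m.group(2), m.group(1)))
    return hits


# Constructed sample log; assumed 'client=... query=...' resolver format
SAMPLE_LOG = [
    "2024-07-20T10:01:02Z client=10.0.0.5 query=crowdstrike-hotfix.com type=A",
    "2024-07-20T10:01:05Z client=10.0.0.7 query=falcon.crowdstrike.com type=A",
    "2024-07-20T10:01:09Z client=10.0.0.9 query=cr0wdstrike.net type=A",
    "2024-07-20T10:01:12Z client=10.0.0.7 query=update.microsoft.com type=A",
]

if __name__ == "__main__":
    print(flag_dns_log(SAMPLE_LOG))
```

Hits should be checked against the organisation's allow-list before alerting, since partner or reseller domains can legitimately contain the brand name.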
CrowdStrike says organizations should only work directly with CrowdStrike representatives using official channels and should only use guidance provided by their support team.