Planes grounded as mass worldwide IT outage hits airlines, media and banks

The CrowdStrike team has updated the LogScale query; it will help to find the total number of impacted devices in their network.

It might help those facing the issue who want help:

// Get ConfigStateUpdate and SensorHeartbeat events
#event_simpleName=/^(ConfigStateUpdate|SensorHeartbeat)$/ event_platform=Win
// Narrow search to Channel File 291 and extract version number; accept all SensorHeartbeat events within impact window
| case{
#event_simpleName=ConfigStateUpdate | regex("\|1,123,(?<CFVersion>.*?)\|", field=ConfigStateData, strict=false) | parseInt(CFVersion, radix=16);
#event_simpleName=SensorHeartbeat | rename([[@timestamp, LastSeen]]);
}
| case{
#event_simpleName=ConfigStateUpdate | @timestamp>1721362140000 AND @timestamp < 1721366820000 | CSUcounter:=1;
#event_simpleName=SensorHeartbeat | LastSeen>1721362140000 AND LastSeen<1721366820000 | SHBcounter:=1;
*;
}
| default(value="0", field=[CSUcounter, SHBcounter])
// Make sure both ConfigState update and SensorHeartbeat have happened
| selfJoinFilter(field=[cid, aid, ComputerName], where=[{ConfigStateUpdate}, {SensorHeartbeat}])
// Aggregate results
| groupBy([cid, aid], function=([{selectFromMax(field="@timestamp", include=[CFVersion])}, {selectFromMax(field="@timestamp", include=[@timestamp]) | rename(field="@timestamp", as="LastSeen")}, max(CSUcounter, as=CSUcounter), max(SHBcounter, as=SHBcounter)]), limit=max)
// Perform check on selfJoinFilter
| CFVersion=* LastSeen=*
// Calculate time between last seen and now
| LastSeenDelta:=now()-LastSeen
// Optional threshold; 3600000 is one hour
| LastSeenDelta>3600000
// Calculate duration between last seen and now
| LastSeenDelta:=formatDuration("LastSeenDelta", precision=2)
// Convert LastSeen time to human-readable format
| LastSeen:=formatTime(format="%F %T", field="LastSeen")
// Enrich aggregation with aid_master details
| aid=~match(file="aid_master_main.csv", column=[aid])
| aid=~match(file="aid_master_details.csv", column=[aid], include=[FalconGroupingTags, SensorGroupingTags])
// Convert FirstSeen time to human-readable format
| FirstSeen:=formatTime(format="%F %T", field="FirstSeen")
// Move ProductType to human-readable format and add formatting
| $falcon/helper:enrich(field=ProductType)
| drop([Time])
| default(value="-", field=[MachineDomain, OU, SiteName, FalconGroupingTags, SensorGroupingTags], replaceEmpty=true)
| case{
CSUcounter=0 AND SHBcounter=0 | Details:="OK: Endpoint did not receive channel file during impacted window. Endpoint was offline.";
CSUcounter=0 AND SHBcounter=1 | Details:="OK: Endpoint did not receive channel file during impacted window. Endpoint was online.";
CSUcounter=1 AND SHBcounter=1 | Details:="CHECK: Endpoint received channel file during impacted window. Endpoint was online. Endpoint has not been seen online in past hour.";
}
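As an added illustration (not CrowdStrike's code and not part of the posted query), the Python below reproduces the query's per-host logic over a few constructed events: it extracts the Channel File 291 version with the same regex, flags ConfigStateUpdate and SensorHeartbeat events inside the impact window, applies the one-hour LastSeen threshold, and assigns the same Details strings. The tuple event format, the host ids and all sample values are constructed for the example.

```python
import re
from datetime import datetime, timezone

# From the query: impact window in epoch ms (2024-07-19 04:09 to 05:27 UTC) and the 1h threshold.
WINDOW_START_MS, WINDOW_END_MS, STALE_MS = 1721362140000, 1721366820000, 3600000
# Same pattern the query passes to regex(): Channel File 291 is field "1,123", version in hex.
CF291_RE = re.compile(r"\|1,123,(?P<CFVersion>.*?)\|")
# Details strings from the query's final case{} block, keyed by (CSUcounter, SHBcounter).
DETAILS = {
    (0, 0): "OK: Endpoint did not receive channel file during impacted window. Endpoint was offline.",
    (0, 1): "OK: Endpoint did not receive channel file during impacted window. Endpoint was online.",
    (1, 1): "CHECK: Endpoint received channel file during impacted window. Endpoint was online. Endpoint has not been seen online in past hour.",
}

def classify(events, now_ms):
    """Per-aid equivalent of the query over (event_simpleName, aid, @timestamp_ms, ConfigStateData)
    tuples: {aid: (CFVersion, LastSeen, Details)} for hosts with both event types (selfJoinFilter)
    that have not been seen for over an hour (LastSeenDelta); every other host is dropped."""
    hosts = {}
    for name, aid, ts, data in events:
        h = hosts.setdefault(aid, {"csu": 0, "shb": 0, "cf": None, "seen": None})
        hit = int(WINDOW_START_MS < ts < WINDOW_END_MS)  # the query's @timestamp window test
        if name == "ConfigStateUpdate":
            m = CF291_RE.search(data or "")
            if m and (h["cf"] is None or ts > h["cf"][0]):  # selectFromMax on @timestamp
                h["cf"] = (ts, int(m.group("CFVersion"), 16))  # parseInt(CFVersion, radix=16)
            h["csu"] = max(h["csu"], hit)  # CSUcounter
        elif name == "SensorHeartbeat":
            h["shb"] = max(h["shb"], hit)  # SHBcounter
            h["seen"] = max(ts, h["seen"] or 0)  # LastSeen = newest heartbeat
    out = {}
    for aid, h in hosts.items():
        if h["cf"] is None or h["seen"] is None or now_ms - h["seen"] <= STALE_MS:
            continue  # fails CFVersion=* LastSeen=* or LastSeenDelta>3600000
        seen = datetime.fromtimestamp(h["seen"] / 1000, tz=timezone.utc)
        out[aid] = (h["cf"][1], seen.strftime("%Y-%m-%d %H:%M:%S"), DETAILS.get((h["csu"], h["shb"])))
    return out

# Constructed sample telemetry (not real data): aid-a got the update inside the window and
# went silent; aid-b missed the window and checked in later; aid-c is still reporting.
SAMPLE_EVENTS = [  # (event_simpleName, aid, @timestamp in ms, ConfigStateData)
    ("ConfigStateUpdate", "aid-a", 1721362800000, "|1,100,1f|1,123,0000001f|1,200,a|"),
    ("SensorHeartbeat", "aid-a", 1721362900000, None),
    ("ConfigStateUpdate", "aid-b", 1721300000000, "|1,123,0000001e|"),
    ("SensorHeartbeat", "aid-b", 1721370000000, None),
    ("ConfigStateUpdate", "aid-c", 1721362800000, "|1,123,0000001f|"),
    ("SensorHeartbeat", "aid-c", 1721400000000, None),
]
NOW_MS = 1721403000000  # constructed "now": 2024-07-19 15:30:00 UTC
```

Running `classify(SAMPLE_EVENTS, NOW_MS)` returns only aid-a (flagged CHECK) and aid-b (OK, offline); aid-c is dropped by the one-hour threshold exactly as the query would drop it.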
 
Not old, it was new; it was compiled and signed on July 9th. I think their production messed it up. In our org there is a saying: never push anything to production on a Friday.
You misunderstand. BSOD used to be a major issue back in the day. This is because drivers lived with Windows' kernel and could easily crash it. Modern drivers live with user programs, which prevents them from easily crashing the kernel. I haven't had a BSOD in years.

 
LOL. Which version of Windows is affected? My Windows 11 machine is banned from ever going online; I use Deepin Linux on a second partition for that. All my other machines running Win7/8.1 (unrestricted) are fine as of today...
 
The Microsoft Windows recovery screen displayed at a currency exchange kiosk during a worldwide systems outage at Hong Kong International Airport on Friday. Photo: Edmond So

Microsoft outage leaves China largely untouched as tech self-sufficiency campaign pays off
  • The Windows error that resulted in a bluescreen on computers became a hot topic on Chinese social media platforms
Wency Chen in Shanghai, Coco Feng in Beijing and Che Pan in Beijing
Published: 7:23pm, 19 Jul 2024

The Microsoft Windows outage that affected foreign businesses and luxury hotels in China on Friday left the country’s key infrastructure, from airlines to banks, largely unaffected, according to industry sources and social media posts.

As of 6pm local time, there have been no reports in mainland China of infrastructure breakdowns, while many airports in the Asia-Pacific region, from Hong Kong to Australia, were hit with disruptions. The international airports in Beijing and Shanghai were operating normally, according to their websites.

At the same time, the Windows error that resulted in a bluescreen on computers became a hot topic on Chinese social media platforms such as Weibo, as many foreign business offices across the country were affected by the breakdown.


Travelers queue at check-in counters for Hong Kong Express Airways at Hong Kong International Airport on Friday, after a worldwide systems outage. Photo: Bloomberg

A Shanghai-based staffer from a foreign company told the Post that her office started to experience computer crashes early Friday afternoon, and that almost everyone was affected. This employee’s laptop display was stuck on a blue screen with the message, “Recovery. It looks like Windows didn’t load correctly.”

The company’s information technology support then instructed everyone to shut down their computers, wait for further instructions and use mobile apps for instant messaging. The employee’s accounting work was subsequently delayed by the outage. “This month’s [financial] report will be late,” according to the staffer.

An employee from another foreign firm also reported experiencing blue screens around 1pm. While some of the employees could later restart their computers, they still could not access the company’s website, which displayed a “502 Bad Gateway” error. The company told staff that “global IT support has activated the highest level of response to address the issue”, according to the employee.

On Xiaohongshu, an Instagram-like Chinese social media platform, multiple users complained about the difficulty in checking into international franchise hotels such as Sheraton, Marriott and Hyatt in Chinese cities.

As China’s public services largely remained unaffected, Microsoft’s China website and social media channels did not issue any emergency notices. Microsoft did not immediately respond to a request for comment on Friday.

China’s relative immunity to the outage showed the country’s reduced reliance on foreign service providers such as Microsoft and the antivirus company CrowdStrike. In recent years, China has been rolling out a campaign across its government departments and key infrastructure operators to replace foreign hardware and systems with domestic ones.


The logo of cybersecurity firm CrowdStrike on a smartphone, arranged in Palma de Mallorca, Spain, July 19, 2024. Photo: Bloomberg

The outages were caused by a software update from cybersecurity giant CrowdStrike, which hit Windows-based systems worldwide. CrowdStrike CEO George Kurtz confirmed on Friday morning local time via the social media platform X that his company was working to resolve the problem.

The minimal impact of the Microsoft outage in China has proved that the country has made progress in achieving its goal of “safe and controllable” computing systems, according to one Chinese government employee.

On Weibo, Chinese netizens joked that Microsoft “has given them a half-day off”. One commenter said that “our company just switched to new computers with the HarmonyOS system, so we can’t join in your celebration”.
 
Any information yet?

This is so frightening. If this happens with every machine, we can go back to the 16th century.
 
It was already fixed yesterday.

Seriously! Media reactions are hilarious; they mostly talk BS on the technical parts.

Around the world, the IT infrastructure of companies is struggling with the after-effects.

Simple way if I explain this issue: CrowdStrike pushed a change, and those devices that received it during that time were impacted.

Even though CrowdStrike rolled back the change, the impact was too high, because once impacted, the recovery process is tough and time-consuming.

Example: approx. 450 servers are impacted in our network. Azure servers are having different challenges, the fix is provided by the Microsoft support team, and other FE servers are having other issues, causing challenges.

Seriously, it is all a manual troubleshooting process; it's a hard time.... The process requires tampering with the security protection, and it involves risk during the troubleshooting activity because we need to modify the prevention policy on CrowdStrike..... It means the server is not fully protected during the process.

On top of that, attackers have registered a lot of CrowdStrike-lookalike domains, trying to take advantage.... We need to deal with them also by monitoring such activities.
 
Just read news on TOI. The issue hasn't been solved completely.
Second, many websites are hit on mobile devices too. I'm not able to open many sites. Example: I was just trying to book a hotel and checked online on booking.com, agoda, eastrip and others... but they didn't open. I'm attaching a screenshot.
 
Because the servers are down, you will not be able to access them from any device.

Even in my company, out of 2300 servers, approx. 750 servers were impacted, but mostly resolved automatically... Luckily we migrated 780 servers to MS Defender recently, so the count is less.

Approx. 450 servers were down yesterday (major impact); I am not counting workstations.

This morning, still approx. 142 servers are down, mostly hosted on Azure cloud and public-facing web servers.
 
https://t.me/BellumActaNews/124498


Crowdstrike leadership. The company that has caused the IT blackout today. The competency crisis is now just part and parcel of life like Islamic terrorism and knife based diversity.

Here are the schools that produced them, and others like them.

I can imagine they hire others just like them


 
One incident made you post this one.

But you forget that the minds of such Indians made this company so big within 10 years...

Due to one bug and issue, it stopped the world partially.

You forgot to add Microsoft CEO Satya Nadella and Google CEO Sundar Pichai.

These Indians planned it together during their dinner at a hotel.
 
What are you achieving with posts like this? Look at the success of a nation too. Doing starfish jumps when something goes wrong is naive.
 

Why do you feel so defensive about the very normal schooling in India?
Are you holding me responsible for what is taken for granted as to the educational system of India?

It is very well known about in the whole world.

And by the way, I have written good things about India and the geniuses India produced, such as Ramanujan: https://defencepk.com/forums/threads/ramanujan-the-man-who-knew-infinity-the-akashic-records.10931/
 

First, you pointed fingers at two Indians who are there in top management.

Please learn how application support works, with major roles played by the developers.

You must not know who tested those new changes and who approved them.

Surely, the CrowdStrike developer team missed something.

I suggest you read again what you posted! Stop with such stupid finger-pointing.
 
