This CrowdStrike created nightmare via a bad antivirus update is a massive problem. How massive? Let me give you some perspective:
- Plus or minus a billion computers are basically bricked worldwide.
- These are mostly corporate ones as corporate computers are most likely to use the CrowdStrike AV software.
- Every affected computer needs to be rebooted in Safe Mode and have a driver manually removed. That should take 4 to 5 minutes a computer. I know that because I’ve done that about 50 times today.
- Smart companies take away the rights for common employees to do this.
- Even if they had the rights to this, imagine the average end user trying to handle a moderately complex task like this.
This is most non trivial event that could possibly exist. But there’s more. I sourced comments from a number of industry experts on this:
Evan Dornbush, former NSA cybersecurity expert:
“This is of course a phishing attack opportunity. Don’t make a bad situation worse. Only follow recommended instructions direct from your CrowdStrike rep. There will be a lot of misinformation about how to reconfigure your computers or which critical system files to delete. Don’t fall victim to downloading phony solutions.
“Similarly, this is a great time to reflect on password management, since the fix may eventually require administrative access to systems that have not rebooted in quite some time.”
Omdia Senior Director, Cybersecurity Maxine Holt
The global IT outage crisis is escalating, and organizations everywhere are in full scramble mode, desperately implementing workarounds to keep their businesses afloat. Microsoft has pointed fingers at a third-party software update, while CrowdStrike admits to a “defect found in a single content update for Windows hosts” and is working feverishly with affected customers. Omdia analysts connect the dots: this isn’t a cyberattack, but it’s unquestionably a cybersecurity disaster.
Cybersecurity’s role is to protect and ensure uninterrupted business operations. Today, on 19 July 2024, many organizations are failing to operate, proving that even non-malicious cybersecurity failures can bring businesses to their knees. The workaround, involving booting into safe mode, is a nightmare for cloud customers. Cloud-dependent businesses are facing severe disruptions.
Omdia’s Cloud and Data Center analysts have long warned about over-reliance on cloud services. Today’s outages will make enterprises rethink moving mission-critical applications off-premises. The ripple effect is massive, hitting CrowdStrike, Microsoft, AWS, Azure, Google, and beyond. CrowdStrike’s shares have plummeted by more than 20% in unofficial pre-market trading in the US, translating to a staggering $16 billion loss in value.
Looking forward, there’s a shift towards consolidating security tools into integrated platforms. However, as one CISO starkly put it, “Consolidating with fewer vendors means that any issue has a huge operational impact. Businesses must demand rigorous testing and transparency from their vendors.”
CrowdStrike’s testing procedures will undoubtedly be scrutinized in the aftermath. For now, the outages continue to rise, and the tech world watches as the fallout unfolds.
Steve Hahn, Executive VP, BullWall:
“This event, more than any other, is precisely why companies need a defense in depth strategy. One issue on your endpoint security and not only can your infrastructure go down, but you can be left wide open for a myriad of attacks. Ransomware uses endpoints, and other attack vectors, as their launch mechanism for their attack and you need layers of security over your critical data and fileshares.
“It will be interesting to see if we have a ripple of downstream consequences. Right now we are dealing with outages at airlines and other critical businesses but will we also see a wave of Ransomware attacks that follow? Time will tell.”
I wish every help desk globally well in dealing with this as this is going to be days if not a week or two of remediation. I also hope that CrowdStrike gets hauled in front of the relevant authorities globally to explain why this happened, and why corporate users should trust them again.
UPDATE: Madison Horn for Congress (OK-5) adds this comment:
With 15 years of experience in both the private and public sectors, I bring a deep insight into complex technological issues. If elected, I will be the most credentialed cybersecurity lawmaker in U.S. history. My leadership transcends partisan divides, focusing on practical solutions. By bridging the gap between technology and policy, I will address workforce development, AI regulation, and trust in government. My candidacy represents a path toward bipartisan cooperation to confront our nation’s complex challenges.”
“Today, we face the largest IT blackout in history, caused not by a cyber attack or malicious actor, but by human error. This outage has impacted communities and 911 operators, and what we can assume at this time, caused billion dollar losses across the global economy – starkly highlighting the fragility of our interconnected world.
While today’s events could not have been prevented with a single solution, any set of systems that have the potential to cause massive societal impact in the event of failure—such as the 9/11 communication outages for first responders—must have right-sized regulations that protect human life and ensure economic stability.
Presently, the critical infrastructure and financial sectors have requirements that ensure the classification of systems that could be single points of failure, yet misclassification and outdated regulations persist. In many cases, existing regulations are not properly tailored to specific industries. This issue is compounded by the fact that governing bodies struggle to keep pace with rapid technological change — leading to a disconnect in understanding the underlying technology, its dependencies, capabilities, cost of implementation, and workforce limitations.
This gap between our regulatory landscape and the demands of the rapid advancement of technology impacting society are widening. To address today’s critical challenges, we need leaders who have expertise in technology, enabling Congress to effectively collaborate with the private sector to drive solutions. The technology we use today, which fits in a device smaller than a deck of cards, has the potential to disrupt critical infrastructure like our electric grid. To safeguard our future, we need elected leaders who not only grasp the gravity of this technological reality but also have the expertise to address and mitigate these risks effectively.
UPDATE #2: Tom Marsland, VP of Technology, Cloud Range adds this comment:
Recovery is going to be painful, to put it lightly. The recovery steps outlined by CrowdStrike involve manually booting the affected PC into a recovery mode, deleting a file, and restarting. This is not something that can be done remotely, and in many organizations, will require an administrator. This means someone from IT Support going computer to computer and doing this manually. This was most certainly preventable. This sort of release goes to the importance of change / configuration management. This update should’ve been tested internally by CrowdStrike, then released to a small subset of users, then to their broader ecosystem. That is done specifically to catch problems with updates before they affect the entire ecosystem. Either that didn’t happen here at all, or that process failed to catch this bug, which is a problem in and of itself.
This will take days, probably weeks for larger organizations. Unfortunately, as is the case in many cyber breaches as well, this is nothing new. Organizations failure to follow best practices with testing and deploying patches (both from a CrowdStrike side and from an organization receiving updates side) is the root cause of this. When major patches roll out or become available, putting on auto-updates is one way to make sure your organization gets patched, but if there’s any concern about the operability or function of that update, organizations generally roll those out within their own businesses to a small set at first, and then to everyone else. The organizations affected today seem to be the ones that turned on automatic updates and that was it.
UPDATE #3: Tom Siu, CISO, Inversion6
This case with CrowdStrike Falcon and Microsoft Windows highlights one of the low-frequency and high-impact risks that don’t often rise to the top of your Risk Index. I call it the “auto-immune response risk” situation where your security tools and services misidentify normative files and services, and automated corrective actions lead to system outage. In the military, we called these “blue on blue” engagements.
The lesson that cybersecurity professionals need to know is that in the real world, errors can happen and propagate throughout our environments. This is why cybersecurity and IT teams need to have clear shared objectives and cogent leadership to first recover the IT systems, avoid lowering the security posture, and then plan/execute a path forward. Uptime may be important, and CISOs will have to justify arguments for extended outages caused by security tooling. Often the toughest call in an incident response scenario is to take systems offline due to a vulnerability; here we have them offline already. The planning and execution we see going on currently is basically a disaster recovery scenario.
One risk mitigation for this scenario is to use mildly diverse portfolio of endpoint security solutions. For example, one product on your endpoints, and a different product on your infrastructure. I know vendors, and CISOs, often desire to unify these applications under “one pane of glass” (licensing simplicity is a big factor) but this type of low-frequency risk is going to a harder argument for a multiple solutions.
This doesn’t sound like a patch that went awry, but more of a more complex systems interaction that hasn’t been fully evaluated; I suggest we make our judgements about the vendors by the quality and transparency of their communications and assistance. Additionally, we as security professionals need to incorporate public and internal communications for this type of event into our Incident Response Plans.
In conclusion, one question I’ve seen today is, “Is this an IT outage or a security incident?”
My answer is, “Yes.”
CrowdStrike Details Takedown of Glassworm
Posted in Commentary with tags CrowdStrike, Google, Shadowserver Foundation on May 28, 2026 by itnerdCrowdStrike, Google, and the Shadowserver Foundation said they disrupted the Glassworm botnet, a global threat targeting developers and open-source software ecosystems through supply chain attacks. CrowdStrike said the coordinated takedown simultaneously disabled all four of the botnet’s C2 channels, preventing communications with infected systems and delivery of additional malware payloads.
You can find out more by reading CrowdStrike’s writeup here: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/
Liquibase VP Ryan McCurdy offers perspective:
“Glassworm is a reminder that ungoverned automation can quickly become a privileged attack path. Once attackers compromise developer tooling, poison repositories, or steal CI/CD credentials, the pipeline stops being background infrastructure and starts acting like a privileged identity. That is what makes these attacks so dangerous. The answer is not less automation. It is more standardized, governed automation, so the workflows developers and pipelines already rely on are consistent, controlled, and harder to abuse.”
Honestly, while this is to be celebrated, it’s also time for organizations to look at themselves and retool themselves so that automation is not an attack path. Otherwise bad things will happen.
UPDATE: There’s additional commentary starting with Ryan McCurdy, VP of Marketing, Liquibase:
“Glassworm is a reminder that ungoverned automation can quickly become a privileged attack path. Once attackers compromise developer tooling, poison repositories, or steal CI/CD credentials, the pipeline stops being background infrastructure and starts acting like a privileged identity. That is what makes these attacks so dangerous. The answer is not less automation. It is more standardized, governed automation, so the workflows developers and pipelines already rely on are consistent, controlled, and harder to abuse.”
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“When dismantling a single developer targeting botnet requires three organizations to simultaneously strike four independent command and control channels, that is a measure of how seriously adversaries have invested in compromising the people who build software. Glassworm’s operators layered Solana blockchain dead drops and BitTorrent alongside legitimate services like Google Calendar, building infrastructure designed to survive exactly this kind of operation. This coordination sets a model for how the security community should respond to entrenched supply chain threats. Precision and partnership delivered operational results without years of judicial process.
“Disruption buys defenders a window. It does not reverse more than a year of credential theft. Glassworm used credentials stolen in earlier infections to poison over 300 GitHub repositories, the same cascading pattern the industry has tracked across multiple supply chain campaigns this year. Any organization consuming open source software should be checking telemetry against the published indicators now, not waiting for a downstream compromise to surface the exposure.
“Glassworm did not operate in isolation. It ran alongside multiple supply chain campaigns targeting the same developer ecosystems over the same timeframe, including the Shai-Hulud worm and the Megalodon GitHub poisoning disclosed days ago. The volume and persistence of these operations make the case that developer environments and build pipelines require the same zero trust posture organizations have spent a decade applying to users and networks. Any organization that treats its build infrastructure as implicitly trusted is operating on assumptions that adversaries have already invalidated.”
Noelle Murata, Chief Operating Officer at Xcape, Inc.
“The coordinated takedown of the Glassworm botnet by CrowdStrike, Google, and Shadowserver highlights a massive paradigm shift: threat actors are aggressively targeting the software developer’s workstation as the ultimate enterprise entry point. By targeting IDE marketplaces, package registries, and GitHub repositories rather than traditional corporate networks, the operators behind Glassworm turned infected developer environments into automated launchpads for broader downstream supply chain contamination.
“What makes this campaign uniquely menacing is the extreme, multi-layered resilience of its command-and-control (C2) architecture. By hiding C2 infrastructure across the Solana blockchain, the BitTorrent peer-to-peer network, and public Google Calendar entries, the attackers built a decentralized dead-drop engine that could not be dismantled by traditional domain sinkholing or legal hosting takedowns. The fact that defenders had to execute a flawless, simultaneous strike across all four independent technical vectors proves that legacy, siloed perimeter defense is structurally obsolete when fighting a decentralized adversary.
“For enterprise risk leaders, the Glassworm disruption is a severe warning that developer environments must be treated as highly privileged, zero-trust zones. To defend against this evolving threat landscape, security executives must immediately enforce strict application control policies on developer IDE extensions, audit code pipelines for unauthorized package installs executing via post-install hooks, and continuously monitor for suspicious, outbound programmatic access to public infrastructure.
“Critical Takeaways
“When a botnet embeds its command architecture into public blockchains and peer-to-peer networks, traditional security boundaries cease to exist. You aren’t just fighting a group of hackers anymore; you are fighting a permanent, decentralized exploit of the internet’s own infrastructure.”
Leave a comment »