NCDPI K-12 Cybersecurity Program
CrowdStrike Incident
On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems. The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC. This issue is not the result of or related to a cyberattack.
The NCDPI K-12 Cybersecurity Program team has been monitoring this incident from the beginning and coordinating with the program core team partners to support PSUs' identification and remediation efforts. Our teams are also monitoring malicious actor threats surrounding this event.
KEY RESOURCES
- CROWDSTRIKE REMEDIATION AND GUIDANCE HUB: FALCON CONTENT UPDATE FOR WINDOWS HOSTS
- CISA ALERT – Widespread IT Outage Due to CrowdStrike Update | CISA
- Microsoft has released an updated recovery tool with two repair options to help IT admins expedite the repair process regarding the CrowdStrike issue impacting Windows endpoints
- Falcon Sensor Content Issue from July 19, 2024, Likely Used to Target CrowdStrike Customers – List of domains identified that impersonate CrowdStrike’s brand
- CrowdStrike has released the Post Incident Review (PIR) (Updated July 24, 2024) on their website. For more details, visit the CrowdStrike page.
CrowdStrike Incident Tracking since July 19, 2024
- FRIDAY, JULY 19, 2024 – Statement on Windows Sensor Update from CrowdStrike “CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack.” CrowdStrike has confirmed the outage: (1) Impacts Windows 10 and later systems, (2) Does not impact Mac and Linux hosts, and (3) Is due to the CrowdStrike Falcon content update and not to malicious cyber activity.
- July 20, 2024 – Microsoft Blog Posting – Helping our customers through the CrowdStrike outage
- July 19, 2024 – 2:51PM EDT – Message from the MS-ISAC: “CrowdStrike Outage Causes Significant Disruption & Poses Follow-on Social Engineering Threat“. Short Form Analytic Report (SFAR) – The following IOCs include likely malicious domains CIS CTI analysts identified posing as legitimate CrowdStrike infrastructure:
- July 19, 2024 – 1:37PM EDT – Resource shared during GRF / BRC emergency call. GitHub Gist: “Automated Workaround in Safe Mode using Group Policy“
- July 19, 2024 – 1:34PM EDT – NCDPI releases alternative recovery steps for machines where BitLocker keys are unavailable.
- July 19, 2024 – 1:25PM EDT – Crowdstrike updates Statement on Windows Sensor Update. “We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon Sensor is installed. Falcon Complete and Overwatch services are not disrupted by this incident.” Also discusses additional workaround steps and documentation.
- July 19, 2024 – 1:00PM EDT – SANS Institute “Widespread Windows Crashes Due to Crowdstrike Updates” – “Some reports we have seen indicate that there may be phishing emails circulating claiming to come from ‘Crowdstrike Support’ or ‘Crowdstrike Security’. I do not have any samples at this point, but attackers are likely leveraging the heavy media attention. Please be careful with any ‘patches’ that may be delivered this way. One domain possibly associated with these phishing attacks is:
- crowdfalcon-immed-update[.]com
- July 19, 2024 – 12:37PM EDT – Message from the MS-ISAC: Widespread IT Outage Due to CrowdStrike Update – TLP: CLEAR. The update references many of the information points below but also notes that “CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.”
- July 19, 2024 – 15:28 UTC – CrowdStrike Tech Alert “Tech Alert | Windows crashes related to Falcon Sensor” – 2024-07-19 03:28 PM UTC Updated
- Two updates: (1) [DETAILS] Note: It is normal for multiple “C-00000291*.sys” files to be present in the CrowdStrike directory – as long as one of the files in the folder has a timestamp of 0527 UTC or later, that will be the active content and (2) [CURRENT ACTION] We assure our customers that CrowdStrike is operating normally and this issue does not affect our Falcon platform systems. If your systems are operating normally, there is no impact to their protection if the Falcon Sensor is installed. Falcon Complete and Overwatch services are not disrupted by this incident.
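The “timestamp of 0527 UTC or later” criterion from the tech alert above, as an added PowerShell check for admins (not CrowdStrike's own tooling). The alert only says “the CrowdStrike directory”, so the sensor content path is assumed here and can be overridden with the parameter; timestamps are compared in UTC so local time zone or DST does not skew the result.

```powershell
# Added example: report whether a host still holds only pre-remediation copies of the
# C-00000291*.sys channel file. Assumption: the sensor content directory is the usual
# C:\Windows\System32\drivers\CrowdStrike (the alert itself does not name the path).
param(
    [string]$ChannelDir = 'C:\Windows\System32\drivers\CrowdStrike'
)

# Per the tech alert, remediated content carries a timestamp of 05:27 UTC, 19 July 2024, or later.
$cutoffUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

if (-not (Test-Path -LiteralPath $ChannelDir)) {
    Write-Output "Directory not found: $ChannelDir (sensor not installed on this host?)"
    exit 2
}

$files = @(Get-ChildItem -LiteralPath $ChannelDir -Filter 'C-00000291*.sys' -File)

if ($files.Count -eq 0) {
    Write-Output "No C-00000291*.sys files present; nothing to assess."
    exit 0
}

# Multiple copies are normal; list each one with its UTC write time and state.
foreach ($f in $files) {
    $state = if ($f.LastWriteTimeUtc -ge $cutoffUtc) { 'current' } else { 'pre-fix' }
    Write-Output ('{0,-40} {1:u} {2}' -f $f.Name, $f.LastWriteTimeUtc, $state)
}

$current = @($files | Where-Object { $_.LastWriteTimeUtc -ge $cutoffUtc })

if ($current.Count -gt 0) {
    Write-Output "OK: at least one channel file dated 05:27 UTC or later is present; older copies can be ignored."
    exit 0
}

Write-Output "ATTENTION: only pre-remediation channel files found; follow the vendor remediation hub guidance."
exit 1
```

The exit code (0 current, 1 pre-fix only, 2 directory missing) lets the script be run fleet-wide from an RMM or login script and the results collected without parsing the text.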
- July 19, 2024 – 11:21AM EDT – KrebsOnSecurity posts article Global Microsoft Meltdown Tied to Bad Crowdstrike Update – “A faulty software update from cybersecurity vendor Crowdstrike crippled countless Microsoft Windows computers across the globe today, disrupting everything from airline travel and financial institutions to hospitals and businesses online. Crowdstrike said a fix has been deployed, but experts say the recovery from this outage could take some time, as Crowdstrike’s solution needs to be applied manually on a per-machine basis.”
- July 19, 2024 – ~11:00AM EDT – MCNC posts advisory about CrowdStrike Alert
- July 19, 2024 – 10:56AM EDT – NCDPI CISO releases memo about technical advanced query search from CrowdStrike to locate affected machines in the CrowdStrike Console. The query was published by CrowdStrike during the 9:40AM Tech Alert.
- TLP Amber K12 SIX / BRC Discussion: CrowdStrike Windows Outage (Members Only) – All GRF Communities are invited to join the GRF Business Resilience Council today, July 19 at 1:00 PM ET for a TLP Amber cross-sector discussion on the recently reported faulty Channel File deployed within the Falcon Sensor update which is affecting Microsoft Windows operating system machines.
- UPDATED 9:22AM EDT with workaround steps for individual and virtual environments
- July 26, 2024 – 10:26AM EDT – Alert from NCLGISA Strike Team about CrowdStrike Event Phishing Sites – The following “helpful” phishing sites have popped up to take advantage of the CrowdStrike incident. The Strike Team would recommend blocking the following domains.
- July 19, 2024 – 9:27AM EDT – NCLGISA Strike Team Running Log of Impacted NC Systems and Services
- July 19, 2024 – 8:40AM EDT – CrowdStrike Tech Alert “Tech Alert | Windows crashes related to Falcon Sensor” – 2024-07-19 12:40 PM UTC | Updated, added query
- July 19, 2024 – 8:05AM EDT – NCDPI notification “Due to nationwide tech issues, we ask that you pause all enrollments at this time. PowerSchool and other Home Base products are down nationwide as well.”
- July 19, 2024 – 7:43AM EDT – Bleeping Computer Article – CrowdStrike update crashes Windows systems, causes outages worldwide
- July 19, 2024 – 10:30 UTC – Microsoft Azure Status and Notification
General Announcements
- Cybersecurity Pilot Program
- The Federal Communications Commission (FCC) launched the Schools and Libraries Cybersecurity Pilot Program to gather the data needed to better understand whether and how universal service funds could be used to support the cybersecurity needs of schools and libraries.
- To learn more about the Pilot Program, sign up for the mailing list or visit the Pilot Program’s website.
- NCDPI K-12 Cybersecurity Webinar Series
- Google Firewall VPN with Palo Alto
- Join MCNC as they demonstrate the capabilities of Palo Alto Global Protect and Google/365 SAML with 2FA for VPN. They will highlight the VPN attack landscape, examine VPN attack traffic in NC K12 firewalls, and discuss how to improve security posture by implementing VPN with use of Google and/or cloud 365 with 2FA.
- August 14th, 1 pm
- Register Here
- With recent pushes and promotions of certification opportunities within the cybersecurity industry, we have created a Cybersecurity/IT Certifications guide page to provide insight into which certifications may be of interest to you to help advance your career and skills!
- New Free CISA/NICCS Cybersecurity Resources!
- Congratulations to Cabarrus County School District for becoming the first North Carolina district to be awarded the full CoSN Trusted Learning Environment (TLE) Seal for data-privacy practices!
- For more information on how to achieve the CoSN TLE Seal, visit NCDPI’s Digital Learning Initiative Support page
Overview
In 2021, NCDPI established the K-12 Cybersecurity Program with a purpose of organizing and aligning business and technical cybersecurity functions holistically across the state so that PSU and NCDPI stakeholders have greater visibility into the people, processes, and technologies deployed and have a measurable way to determine whether those efforts are sufficient and correct for current and future needs.
The goal is to help all PSUs achieve essential cyber hygiene!
PSUs can find more details below about the current premium services and resources provided by the program, all at no cost to the PSUs.
- Security Awareness and Skills Training (KnowBe4)
- Email and Web Browser Protection (Zscaler)
- Network Infrastructure Management (Palo Alto)
- Malware Defenses (CrowdStrike)
- Continuous Vulnerability Management – Attack Surface Management
- Continuous Vulnerability Management – Shodan
- Continuous Vulnerability Management – Dark Web Monitoring
- Inventory and Control of Enterprise Assets (runZero)
- Account and Access Control Management (RapidIdentity)
- Network Monitoring and Defense
- Incident Response Management
- Service Provider Management
- Network and Cybersecurity Consulting
In addition, the K-12 Cybersecurity Program has several partners with related services and resources available to the PSU community:
- NCLGISA IT Strike Team – The IT Strike Team is a group of NCLGISA members that volunteer their time and talents to help out in times of need. The Strike Team has partnered with NC Emergency Management to provide IT support where needed in time of disaster but is also available to any NCLGISA member who needs more resources to address emergency issues.
- North Carolina National Guard – The North Carolina National Guard CSRF mission is to conduct defensive cyberspace operations to support mission requirements as directed by The Adjutant General or Governor. Specifically for North Carolina, the CSRF provides cyber security assistance to State, Local, and Critical Infrastructure providers.
- NCDPI NC Digital Learning Plan – Framework for growth and continuous improvement in the area of Digital Teaching and Learning for NCDPI, public school units and schools across the state. View data, action steps and metrics for the state’s Digital Learning Initiative.
Management
The K-12 Cybersecurity Program is composed of cross-functional heterogeneous teams to work on tasks and deliverables of the projects. These teams will adapt and evolve over time, but identifying key members will be extremely important to getting the project started with good momentum. The teams should include representatives from all organizations that will interface with the Cybersecurity Program.
- Cybersecurity Executive Committee (CEC)
- The purpose of the executive committee is to provide the priority and policy advisory for the project and ensure the alignment of state agency and legislative requirements.
- Cybersecurity Core Teams (CCT)
- The core set of teams and organizations that collectively work together as part of the NCDPI K-12 Cybersecurity Program in providing the umbrella of cybersecurity services and resources for the PSUs: NCDPI, Friday Institute, MCNC, NCJCTF, NCDIT
- Cybersecurity Advisory Council (CAC)
- The CAC consists of PSU cybersecurity leaders who meet monthly to discuss relevant threats, updates, and innovations. Overall focusing on supporting PSUs and NCDPI in improving the K-12 cybersecurity posture.
Key Program Contact
NCDPI K-12 Cybersecurity Team
k12cybersecteam@dpi.nc.gov
Strategy
There are several well-known and respected frameworks available for use as references when designing organizational cybersecurity systems. Since the inception of the K-12 Cybersecurity Program, NCDPI has leveraged these standard frameworks as a guide to specific and actionable ways to thwart the most common attacks, with the goal of supporting PSUs in aligning with their standards and recommendations. Currently, the most critical frameworks referenced are:
- Center for Internet Security (CIS) Critical Security Controls
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- National Institute of Standards and Technology (NIST) 800-53
For more information regarding these recommended guidelines, please visit the Strategy Goals and Alignments page.
Key Program Outreach and Engagements
- NCLGISA Fall 2023 Symposium – Strengthening PSU Incident Response
- Digital Leaders Exchange – Data Privacy and Cybersecurity, September 2023
- Northeast Technician Training, July 27, 2023
- NCDPI K-12 Cybersecurity Program – PSU Cybersecurity Startup Guide
- New Charter School Leadership Institute, June 8, 2023 Presentation
- NCLGISA 2023 Spring Symposium May 24, 2023 Presentation
- NCDPI K-12 Cybersecurity Program (March 2023)
- NCTIES 2023 – Re|Connect Cybersecurity Updates (March 2023)
- NCTIES 2023 – Data Privacy, Cybersecurity, and People Awareness and Skills Training for PSUs (March 2023)
- CoSN 2023 – Developing Statewide Cybersecurity Programs – North Carolina and Indiana (March 2023)