Global internet disruption leaves Southeast Asian telcos unscathed

Millions of Windows-based PCs experienced a global internet outage on Friday, July 19, due to a defective software update from endpoint security company CrowdStrike. Telcos in Southeast Asia, however, stated that the impact on their services was negligible to nonexistent.

Widespread Impact

Among the several establishments impacted by the disruption were banks, television stations, airports, and healthcare facilities. An automated software update for Falcon, an EDR monitoring tool from CrowdStrike that operates on endpoints with deep system access such as laptops, servers, and routers, was the source of the issue.

The Cause

A CrowdStrike blog post claims that the problem was brought about by a single configuration file, also known as a channel file, in the upgrade that changed Falcon’s Windows “named pipes” inspection process. In Windows, named pipes facilitate communication between processes or between systems. The purpose of the file was to target recently discovered malicious named pipes that are frequently utilised in cyberattacks by C2 frameworks. But a logical problem brought on by a file flaw resulted in the dreaded “blue screen of death” and a deadly reboot cycle for Windows systems.

Limited Impact on Southeast Asia Telcos

Several telcos in Southeast Asia released statements claiming that the impact of the CrowdStrike update was either negligible or nonexistent, despite Reuters’ initial story listing telecoms as one of the sectors affected.

Statements from Southeast Asia Telcos

Malaysia

A few of CelcomDigi’s support services, such as its reload capabilities, were interrupted. Immediately after, service recovery specialists were sent in to create workarounds and provide users with other options for continuing to reload during this time. Other than that, network services continued as usual.

Telekom Malaysia stated that there was no interference with their services or company activities.

Philippines

Globe Telecom reported that the damage was restricted to a few Windows-based workstations and a few servers and did not significantly impair core services.

There was no reported effect on the operations of PLDT-Smart or DITO Telecommunity. Furthermore, PLDT-Smart stated that no software from CrowdStrike is utilised by its ecosystem.

Thailand

Minister of Digital Economy and Society Prasert Chantararuangthong reaffirmed that the country’s telecom networks were unaffected by the outage.

Recovery and Fixes

A software update from CrowdStrike has been released, however, not all Windows computers can automatically download it. IT administrators have encountered situations where they needed to manually delete the problematic channel file from their machines, or reboot their machines multiple times in order to receive the update.

IT administrators can automatically remove the file thanks to a recovery programme offered by Microsoft that turns a USB device into a bootable drive. Additionally, Microsoft is working with other cloud service providers and stakeholders, including Google Cloud Platform and Amazon Web Services, to disseminate information and contribute to ongoing discussions with CrowdStrike and clients.

Looking Forward

In order to ascertain how the issue occurred and how the problematic channel file entered the release, CrowdStrike is examining its workflow procedures. Because so many users choose automatic updates, a large number of machines were impacted at once. Patrick Wardle, the creator of Objective See and a vulnerability researcher, pointed out that even CrowdStrike users who choose not to get automatic updates received the update.