Second NHS IT system confirmed to be affected by CrowdStrike issues
- Reference: 1721392996
- News link: https://www.theregister.co.uk/2024/07/19/crowdstrike_update_nhs_it_outages/
- Source link:
This is going to turn out to be the biggest cyber incident ever in terms of impact, just a spoiler, as recovery is so difficult
Varian Medical Systems is responsible for delivering radiotherapy treatments to cancer patients and due to the global outage, treatments were briefly canceled this morning.
An update posted at 1045 UTC said that radiotherapy services were restored and that afternoon appointments would go ahead as planned, but warned further disruption may continue into next week.
"We are now able to deliver radiotherapy services and this afternoon's appointments will take place as scheduled," the statement [1]reads .
"However, there is still some disruption to the radiotherapy system that may affect appointments running into next week. Please continue to attend your appointment unless you are contacted directly."
[2]
The Varian system is the second relied upon by NHS healthcare centers to be affected by the issues [3]caused by the update at CrowdStrike . The first system is EMIS, meaning the attack has also disrupted systems at the majority of UK general practitioners' centers.
[4]
[5]
The full scale of Varian's disruption isn't yet known, although The Register has requested further information from the company. In a statement, a spokesperson told us:
"We are in contact with Microsoft regarding its global services outage. We are analyzing this dynamic situation and assessing options for action. We will be updating both the [6]Siemens Healthineers cybersecurity webpage and the [7]Varian cybersecurity webpage as soon as more information becomes available."
[8]
According to a [9]statement from NHS Supply Chain, the UK health service's logistics arm, the NHS spent £130 million ($168 million at today's exchange rate) on new radiotherapy equipment across 38 cancer treatment centers in 2019. This money was spent on equipment from various vendors, including Varian.
Since then, various NHS Trusts across the UK have publicized their use of Varian kit. These include Barking, Havering, and Redbridge University Hospitals, East and North Hertfordshire NHS Trust, and the Beatson West of Scotland Cancer Centre (part of the NHS).
We've been in touch with healthcare specialists who all confirmed they're still using Varian systems but said supervisors are currently liaising with all hospital departments to determine the full extent of the impact.
The crisis in brief
The current global IT outage is widely predicted to be the most severe in history. It has all come from a dodgy file (C-00000291*.sys) which is delivered via channel file updates in CrowdStrike Falcon.
"The .sys files causing the issue are channel update files, they cause the top-level CS driver to crash as they're invalidly formatted," security expert Kevin Beaumont [10]said .
[11]
"It's unclear how/why Crowdstrike delivered the files and I'd pause all CrowdStrike updates temporarily until they can explain.
"This is going to turn out to be the biggest cyber incident ever in terms of impact, just a spoiler, as recovery is so difficult."
Everything from airlines to GP services is down, the full list of which can be found in our [12]earlier coverage of the crisis .
CrowdStrike said the incident is not malicious in nature – it's not a cyberattack.
The outage is still in its early hours, although the content update has been stopped, so no new cases of the faulty file should cause the BSODs.
[13]Cancer patient forced to make terrible decision after Qilin attack on London hospitals
[14]Row erupts over data sharing function in UK doctor software
[15]Qilin cyber scum leak data they claim belongs to London hospitals’ pathology provider
[16]London hospitals left in critical condition after ransomware attack
The impact on healthcare comes at a sensitive time in the UK, the capital city of which is still wrestling with the fallout of a [17]serious ransomware attack . The consequences of the hit on Synnovis led to [18]the most atrocious stories being told .
Medical professionals also appear to be blindsided by the issues, relying on limited information only. This reporter visited his local GP-attached pharmacy in the hours after the incident today and the staff were shocked when they heard the full picture.
The pharmacy could not process electronic prescriptions made after the outage took hold, but those issued before could still be fulfilled. ®
Get our [19]Tech Resources
[1] https://www.royalsurrey.nhs.uk/news/critical-incident-declared-12906/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZpqNlxkcd4XAJZ7rabLjWAAAAg4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://www.theregister.com/2024/07/19/crowdstrike_shares_sink_as_global/#
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZpqNlxkcd4XAJZ7rabLjWAAAAg4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZpqNlxkcd4XAJZ7rabLjWAAAAg4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.siemens-healthineers.com/support-documentation/cybersecurity
[7] https://www.varian.com/resources-support/cybersecurity-varian
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZpqNlxkcd4XAJZ7rabLjWAAAAg4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://www.supplychain.nhs.uk/news-article/130-million-investment-in-radiotherapy-equipment/
[10] https://cyberplace.social/@GossiTheDog/112812454405913406
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZpqNlxkcd4XAJZ7rabLjWAAAAg4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[12] https://www.theregister.com/2024/07/19/crowdstrike_shares_sink_as_global/
[13] https://www.theregister.com/2024/07/05/qilin_impacts_patient/
[14] https://www.theregister.com/2024/07/04/gp_connect_row/
[15] https://www.theregister.com/2024/06/21/qilin_cyber_scum_leak_the/
[16] https://www.theregister.com/2024/06/04/suspected_cyberattack_hits_major_london/
[17] https://www.theregister.com/2024/06/20/qilin_our_plan_was_to/
[18] https://www.theregister.com/2024/07/05/qilin_impacts_patient/
[19] https://whitepapers.theregister.com/
A data file with an invalid format can cause a driver to crash badly enough to take out the entire OS?
And this file (and those drivers) got pushed out around the world by a big player in the *security* space?
Fascinating...
Guess someone missed out some code
Load "Date.File ;
Instead of
Try
{Load "Data.file; }
Catch exception
{PrintLn("This file is bollocks... you're fired"}
I really hope CrowdStrike get sued out of existence. They are nothing but snake oil pushing their shonky product that nobody has any control over as some sort of second coming. I evaluated it along with some othe "modern" AV solutions to replace Kaspersky. The conclusion we came to was that it was utter rubbish, just sales spiel for management using all the buzzwords:
Replacing legacy solutions
Cloud based
Lightweight
Cloud management console.
Seemless deployment
Blah blah
All the usual shite. I hope now that people start to wake up and realise just how tenuous SaaS is.
AI is "Magick" - not so much
But how can this be possible given that CrowdStrike has been brought to life using AI (see https://www.crowdstrike.com/platform/ and the references to AI all over it)?
Oh I know, because most "AI" is an expensive big steaming pile of horseshit.
EMIS was the first system, then; what a surprise. It's kinda hard to tell since it's down half the time anyway, and when it's up it's excruciatingly slow and horrible to use.
Our incident meeting first thing this morning didn't rule out EMIS just coincidentally falling over at the same time as many other unrelated systems.
Ironic Name
Hey, it looks like CrowdStrike really is a cloud strike! Get it? Cloud strike. People naming companies should really think things throw.
"The pharmacy could not process electronic prescriptions made after the outage took hold, but those issued before could still be fulfilled"
Assuming they actually have the items prescribed in stock, which is a whole other chronic failing.
Which Windows PCs are effected and should you turn on your PC!
It's not affected our 4 Windows 10 PCs (mix of home,pro,32 & 64) it might be helpful to know which systems are failing!
If a Windows PC hasn't yet been turned on today is it safe to turn it on now?
I suspect old Windows xP, 7 & 8 might not be effected, if so that might help people with old normally unused systems.
Re: Which Windows PCs are effected and should you turn on your PC!
It's not a Microsoft / Windows problem, it's a CloudStrike Falcon Sensor product problem. If you aren't using CloudStrike's anti-malware product then your systems are safe.
Re: Which Windows PCs are effected and should you turn on your PC!
I know that but it is only affecting Windows PCs and many users won't know if they are using CloudStrike's anti-malware product. If it would be correct to say this will probably only be effecting organisations that are big enough to have an IT department then stating that will reassure many people!
Re: Which Windows PCs are effected and should you turn on your PC!
Yeah, the fact that many users don't know if they are using CloudStrike would be a root cause of the entire problem.
Re: Which Windows PCs are effected and should you turn on your PC!
No home user will be using C.S.
Re: No home user using CrowdStrike
I would say that would probably be quite true. I'm shocked how common CrowdStrike is on commercial systems! Even our payroll processor just notified us that their systems were affected.
I'd have to do far more research on this product but maybe it is tied to cloud infrastructure use, the Falcon product is offered and preferred for users who subscribe to a variety of cloud services?
Re: Which Windows PCs are effected and should you turn on your PC!
If you aren't using CloudStrike Falcon, then you're not at risk of this bug hitting your system.
But we're never really safe :)
Re: Which Windows PCs are effected and should you turn on your PC!
Ones with Cloudstrike Anti-Virus.
If you are using for example McAfee or Norton, then you will have different problems, not this particular one.
Bah!
Looking forward to the Crowdstrike bod's "Who Me?" writeup.
WTF
Who put these clowns in charge of the circus, reaming is too soft a punishment in my view. In any other industry a mistake of this magnitude would guarantee rolling heads, and multiples thereof.
US courts are down to.
The surprising part
Is how much critical infrastructure is running on Windows
You'd think people would know better by now
Re: The surprising part
Sadly, it’s not at all surprising.
The people responsible for deploying windows in these areas should still be shipped off to some barren lifeless moon somewhere though
systmonline seems fine
I checked my surgery remotely, earlier, and I could still see my records.
So it's only affecting a subset of GP's, so far.
"they cause the top-level CS driver to crash as they're invalidly formatted,"
Fail-safe. Defensive programming. All long gone.
Completely innocent, I say!
CrowdStrike said the incident is not malicious in nature – it's not a cyberattack. Well, of course they would say that. To suggest otherwise would be to suggest that they're amongst the cyber-criminals, and we couldn't have people thinking like that, could we?