An intriguing case of CrowdStrike insider trading has recently been uncovered. CrowdStrike, a prominent player in the cybersecurity sector, saw notable insider trading activity shortly before a major global IT outage. This disruption has affected services for numerous clients, including those in critical industries such as healthcare and air transportation.
What is this CrowdStrike insider trading incident all about?
According to a Securities and Exchange Commission (SEC) filing, CrowdStrike’s Chief Security Officer, Shawn Henry, executed a sale of 4,000 shares on Monday, July 15, 2024, amounting to roughly $1.485 million. This transaction took place just days before the IT outage on July 19, which led to a significant decline in CRWD’s stock price.
The sale by Henry was conducted under a prearranged 10b5-1 trading plan that he had set up on December 20, 2023. Such plans are intended to shield insiders from allegations of trading on non-public information by establishing predetermined schedules for stock sales. Despite this large sale, Henry still maintains a substantial stake in CrowdStrike, holding 183,091 shares after the transaction.
FYI, the trade was made using a prearranged 10b5-1 plan established on Dec. 20, 2023.
He sold 4,000 shares and he still owns 183,091 shares pic.twitter.com/cvRKqhDNLO
— Hedge Vision (@HedgeVision) July 20, 2024
While the 10b5-1 plan aims to prevent insider trading, the timing of Henry’s sale so close to the subsequent IT outage has raised concerns among regulators and shareholders. This raises questions about whether the timing of this CrowdStrike insider trading activity suggests any foreknowledge of the issues that were about to unfold.
Microsoft steps in with a recovery tool
Microsoft has developed a new tool to assist IT administrators in restoring Windows machines that were impacted by a flawed update from CrowdStrike, which led to the crash of 8.5 million devices last Friday. This tool allows the creation of a bootable USB drive to expedite the recovery process for the affected systems.
Although CrowdStrike has issued a patch to address the Blue Screen of Death errors caused by their software, many machines have been unable to automatically receive this update. Some administrators have reported success by repeatedly rebooting the PCs to trigger the update, while others have had to manually enter Safe Mode to remove the faulty CrowdStrike file.
Microsoft’s solution streamlines the recovery effort by enabling IT administrators to boot from a USB into the Windows PE environment, directly access the machine’s disk, and automatically delete the problematic file. This approach eliminates the need to enter Safe Mode or have administrative rights on the device since the tool operates independently of the local Windows installation. For disks protected by BitLocker encryption, the tool will prompt for the recovery key before proceeding.
Microsoft has outlined recovery steps for Windows Virtual Machines on Azure and published comprehensive recovery guides for all Windows 10 and Windows 11 devices on their support website. Could this CrowdStrike insider trading activity have any connection to the software update problems?
Beware of scammers exploiting IT outage
Following the recent massive IT outage, companies are now facing an additional threat from scammers and hackers eager to exploit the situation.
The incident began when Texas-based cybersecurity firm CrowdStrike released a faulty update for Windows hosts. This mistake led to widespread disruption across critical sectors such as travel, banking, retail, and healthcare from late Thursday into Friday.
In a blog post on Friday, CrowdStrike CEO George Kurtz cautioned that “adversaries and bad actors will try to exploit events like this.”
He advised everyone to remain cautious and ensure they are communicating with official CrowdStrike representatives, noting that their blog and technical support channels are the primary sources for updates.
On the following day, CrowdStrike disclosed that malicious actors were using the incident to distribute a harmful ZIP archive named crowdstrike-hotfix.zip. This archive contains a HijackLoader payload which, when executed, installs Remcos, allowing attackers to control infected computers.
In a subsequent blog post on Sunday, the company reiterated the importance of verifying communications with official CrowdStrike representatives.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also commented on Sunday, highlighting that cybercriminals are exploiting the outage to conduct malicious activities, including phishing attempts. CISA is actively collaborating with CrowdStrike and other private and government entities to monitor emerging threats.
Falcon Sensor: Widespread impact on Windows and Linux systems
CrowdStrike’s Falcon Sensor software, notorious for causing widespread outages on Windows computers last week, has also led to crashes on Linux systems.
In June, Red Hat alerted its users to an issue, described as “Kernel panic observed after booting 5.14.0-427.13.1.el9_4.x86_64 by falcon-sensor process,” which affected some users of Red Hat Enterprise Linux 9.4 when booting on kernel version 5.14.0-427.13.1.el9_4.x86_64.
Another Red Hat knowledge base entry, titled “System crashed at cshook_network_ops_inet6_sockraw_release+0x171a9,” covered potential issues related to the falcon_lsm_serviceable kernel module from the CrowdStrike Falcon Sensor/Agent security suite. Red Hat recommended disabling the CrowdStrike software to temporarily stabilize the system while the problem is investigated. This issue was noted to occur in releases 6 and 7 as well.
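The following POSIX shell triage script is an added example, not code from CrowdStrike, Red Hat or the original article. It checks whether a Linux host matches the configuration named in the Red Hat notices above (the affected kernel release with the falcon_lsm_serviceable module loaded) and whether a kernel log line references the Falcon crash symbol; the sample lsmod and log text inside the script are constructed, and in practice the inputs would be `uname -r`, `lsmod` and the kernel log.

```shell
#!/bin/sh
# Kernel release named in the Red Hat "Kernel panic observed after booting ..." notice.
AFFECTED_KERNEL="5.14.0-427.13.1.el9_4.x86_64"

# is_affected_kernel RELEASE -> succeeds when RELEASE is the kernel from the notice.
is_affected_kernel() {
  [ "$1" = "$AFFECTED_KERNEL" ]
}

# falcon_module_loaded LSMOD_TEXT -> succeeds when the Falcon LSM module is listed.
falcon_module_loaded() {
  printf '%s\n' "$1" | awk '$1 == "falcon_lsm_serviceable" { found = 1 } END { exit !found }'
}

# panic_mentions_falcon LOG_TEXT -> succeeds when a crash line names the Falcon
# sensor process, its LSM module, or the symbol from the second Red Hat entry.
panic_mentions_falcon() {
  printf '%s\n' "$1" | grep -Eq 'cshook_network_ops_inet6_sockraw_release|falcon-sensor|falcon_lsm_serviceable'
}

# triage RELEASE LSMOD_TEXT LOG_TEXT -> prints findings; succeeds when the host
# either matches the at-risk configuration or already shows Falcon crash evidence.
triage() {
  kernel=$1; lsmod_out=$2; log=$3
  hit=1
  if is_affected_kernel "$kernel" && falcon_module_loaded "$lsmod_out"; then
    echo "RISK: kernel $kernel with falcon_lsm_serviceable loaded (disable Falcon per Red Hat guidance)"
    hit=0
  fi
  if panic_mentions_falcon "$log"; then
    echo "EVIDENCE: kernel log references the Falcon sensor in a crash"
    hit=0
  fi
  return $hit
}

# Constructed sample inputs standing in for `lsmod` and `dmesg` output.
SAMPLE_LSMOD='Module                  Size  Used by
falcon_lsm_serviceable  913408  1
xfs                    2048000  2'
SAMPLE_LOG='kernel: RIP: 0010:cshook_network_ops_inet6_sockraw_release+0x171a9'

# Stand-alone run on the constructed samples (the test below calls triage directly).
triage "$AFFECTED_KERNEL" "$SAMPLE_LSMOD" "$SAMPLE_LOG" || echo "no Falcon-related findings"
```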
Linux kernel panics are comparable to Windows’ Blue Screens of Death, and the timing of these incidents shortly before the widespread Windows disruptions points to possible broader issues at CrowdStrike.
CrowdStrike has been asked for comments on the issues identified by Red Hat, and updates will be provided if new information is received.
With the recent CrowdStrike insider trading activity finding, could there be more to uncover about the decisions leading up to the outage and the broader impact? We’ll keep you updated about the latest incidents around the CrowdStrike outage.
Featured image credits: Charles Forerunner/Unsplash