Microsoft Warned CrowdStrike of Possible Hacking Attempt
Failed Attack Reportedly Linked to Hackers Who Breached SolarWinds
Microsoft warned CrowdStrike earlier this month of a failed attempt by unidentified attackers to access and read the company's emails, according to a blog post published by the security firm.
While the CrowdStrike blog post did not specify the exact identities of the hackers, Reuters, citing two unnamed sources, reported that the incident is likely related to the breach of SolarWinds (see: FireEye: SolarWinds Hack 'Genuinely Impacted' 50 Victims).
In the blog post published this week, Michael Sentonas, CTO of CrowdStrike, revealed that Microsoft's Threat Intelligence Center had contacted the security firm on Dec. 15 about the failed hacking attempt.
The investigation revealed that an Azure account of a Microsoft reseller had been making what the company deemed "abnormal calls" to Microsoft cloud APIs. That specific account managed part of the Microsoft Office license used by CrowdStrike, Sentonas says.
And while CrowdStrike does use some Microsoft products for its internal IT infrastructure, the security firm does not use Office 365 for email, Sentonas notes.
"Specifically, they identified a reseller's Microsoft Azure account used for managing CrowdStrike’s Microsoft Office licenses was observed making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago," Sentonas says. "There was an attempt to read email, which failed as confirmed by Microsoft. As part of our secure IT architecture, CrowdStrike does not use Office 365 email."
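The detection described above rests on a simple control: a reseller's delegated account exists to manage licenses, so any call it makes against mailbox content is off-role, whether or not it succeeds. The following is an added illustration, not CrowdStrike's or Microsoft's code; the event fields, operation names and the audit records are constructed for the example and do not correspond to any real Microsoft log schema.

```python
"""Flag delegated partner/reseller accounts that step outside their expected
role (license management) into mailbox access, over constructed audit events.

Added example; not CrowdStrike's or Microsoft's code. Field names, operation
names and the sample events are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime

# Operations a license-management reseller is expected to perform (assumption).
EXPECTED_PARTNER_OPERATIONS = {"LicenseAssign", "LicenseRevoke", "SubscriptionRead"}

# Operations that touch mailbox content; a reseller has no business need for these.
MAILBOX_OPERATIONS = {"MailItemsAccessed", "MailboxRead"}

# Constructed sample audit events (not real logs): one partner account does its
# licensing job but also tries, and fails, to read mail three times over ~17 hours.
SAMPLE_EVENTS = [
    {"time": "2020-09-01T03:10:00", "actor": "partner-admin@reseller.example",
     "actor_type": "partner_delegated", "operation": "LicenseAssign", "result": "Success"},
    {"time": "2020-09-01T03:15:00", "actor": "partner-admin@reseller.example",
     "actor_type": "partner_delegated", "operation": "MailboxRead", "result": "Failure"},
    {"time": "2020-09-01T11:42:00", "actor": "partner-admin@reseller.example",
     "actor_type": "partner_delegated", "operation": "MailboxRead", "result": "Failure"},
    {"time": "2020-09-01T19:58:00", "actor": "partner-admin@reseller.example",
     "actor_type": "partner_delegated", "operation": "MailboxRead", "result": "Failure"},
    {"time": "2020-09-01T09:00:00", "actor": "alice@corp.example",
     "actor_type": "tenant_user", "operation": "MailboxRead", "result": "Success"},
    {"time": "2020-09-02T09:00:00", "actor": "partner-admin@reseller.example",
     "actor_type": "partner_delegated", "operation": "SubscriptionRead", "result": "Success"},
]


def parse_time(stamp):
    """Parse the constructed ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(stamp)


def find_unexpected_partner_activity(events):
    """Return, per delegated partner account, the off-role operations it
    attempted, the time span they covered, and how many mailbox-content
    operations were attempted and how many succeeded.

    Failed attempts are reported on purpose: an access denial is still a
    signal that the delegated account is being used outside its role.
    """
    per_actor = defaultdict(list)
    for event in events:
        if event["actor_type"] != "partner_delegated":
            continue  # only delegated partner accounts are in scope
        if event["operation"] in EXPECTED_PARTNER_OPERATIONS:
            continue  # licensing work is the reseller's legitimate job
        per_actor[event["actor"]].append(event)

    findings = {}
    for actor, off_role in per_actor.items():
        times = sorted(parse_time(e["time"]) for e in off_role)
        span_hours = (times[-1] - times[0]).total_seconds() / 3600
        mailbox = [e for e in off_role if e["operation"] in MAILBOX_OPERATIONS]
        findings[actor] = {
            "count": len(off_role),
            "operations": sorted({e["operation"] for e in off_role}),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "span_hours": round(span_hours, 2),
            "mailbox_attempts": len(mailbox),
            "mailbox_successes": sum(e["result"] == "Success" for e in mailbox),
        }
    return findings


if __name__ == "__main__":
    for actor, finding in find_unexpected_partner_activity(SAMPLE_EVENTS).items():
        print(actor, finding)
```

Run over the constructed events, the partner account is reported with three failed mailbox reads spread across roughly 17 hours, while the tenant user's own mailbox access is not flagged. The same shape of rule, applied to whatever audit source a tenant actually has for delegated-partner activity, is the practical lesson of the incident: scope reseller relationships to the narrowest role they need and alert on any call outside it, successful or not.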
After the alert from Microsoft, CrowdStrike conducted an internal review of its infrastructure as well as the Azure services the company uses, but did not detect a breach, Sentonas notes.
"CrowdStrike conducted a thorough review into not only our Azure environment, but all of our infrastructure for the indicators shared by Microsoft. The information shared by Microsoft reinforced our conclusion that CrowdStrike suffered no impact," Sentonas says.
Ongoing Investigation
Like other large technology firms, Microsoft sells many of its products through third-party resellers. Neither Microsoft nor CrowdStrike named the reseller in this case, but Jeff Jones, a senior director at Microsoft, says that while the company is still investigating the incident, its products and services are secure.
"Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms," Jones tells Information Security Media Group. "We have not identified any vulnerabilities or compromise of Microsoft product or cloud services."
So far, the two-week investigation into the breach at SolarWinds has only publicly revealed that hackers used a vulnerability in the company's Orion network-monitoring software to plant a backdoor dubbed Sunburst by the security firm FireEye, which discovered the hacking campaign while investigating a breach of its own systems and brought it to light on Dec. 13 (see: SolarWinds Incident Response: 4 Essential Security Alerts).
To date, SolarWinds believes that nearly 18,000 of its customers may have installed the Trojanized software, which it first began inadvertently issuing in March. On Thursday, the Texas-based company released additional fixes for various versions of its Orion products.
And while the investigation is still ongoing, the U.S. Cybersecurity and Infrastructure Security Agency noted that the agency's investigators now have evidence that the hackers used other attack vectors besides the compromised SolarWinds Orion platform to gain access to various networks and plant backdoors. CISA has, so far, not revealed the other attack vectors that may have been used by the hackers.
Microsoft has previously warned that around 40 of its customers were victims of the second-stage attack once the Sunburst backdoors were planted. Kevin Mandia, CEO of FireEye, estimates that attackers likely focused on about 50 extremely high-value targets. Each of these targets would have been infected with second-stage malware, giving attackers the ability to execute code remotely on victims' systems, steal data, read emails and potentially hack business partners.
More Organizations Affected
On Wednesday, CISA warned that federal, state and local governments are among the many victims of the supply chain attack and that the targeted organizations "may need to rebuild all network assets" (see: CISA Warns SolarWinds Incident Response May Be Substantial).
Some of the bigger federal agencies affected by the SolarWinds breach reportedly include the National Institutes of Health, as well as the Commerce, Homeland Security, State, Treasury and Energy departments. U.S. Sen. Ron Wyden, D-Ore., the top Democrat on the Senate Finance Committee, said this week that the breach at Treasury appeared "significant" (see: US Treasury Suffered 'Significant' SolarWinds Breach).
Some private companies and organizations that were found infected by the Sunburst malware include technology giants Belkin, Cisco, Intel, NVidia and VMware, as well as Iowa State University, Pima County in Arizona and Hilton Grand Vacations.
The identities of the hackers behind this massive campaign are not formally known, but U.S. officials such as Secretary of State Mike Pompeo and former Attorney General William Barr have pointed the finger at Russia. Last Saturday, President Donald Trump downplayed both the significance of the breach and Russia's connection to the attack. Russia itself has denied any involvement (see: President Trump Downplays Impact of SolarWinds Breach).