SolarWinds Hack: CrowdStrike Targeted via Third-Party Microsoft Reseller

essidsolutions

After the massive SolarWinds Orion hack, Russian hackers have found a new point of entry into organizations. Attackers recently targeted CrowdStrike, a Microsoft Azure cloud customer, through a Microsoft Azure reseller account. Even though the attack was unsuccessful, it reveals the hackers’ intention to leverage new attack vectors to infiltrate organizations.

San Francisco-based cybersecurity company CrowdStrike disclosed that its network came under attack from Russian state-backed attackers, the group also allegedly behind the recent SolarWinds hack that compromised multiple enterprises and U.S. federal agencies. The attack, CrowdStrike revealed, did not impact its production or internal environments.

Microsoft contacted CrowdStrike in mid-December after it identified an attempted breach of CrowdStrike emails. Microsoft spotted the infiltration attempt when the Microsoft Azure account of one of CrowdStrike’s resellers made abnormal calls to Microsoft cloud APIs several months ago. The account was used to manage CrowdStrike’s Microsoft Office licenses. “There was an attempt to read email, which failed as confirmed by Microsoft. As part of our secure IT architecture, CrowdStrike does not use Office 365 email,” CrowdStrike stated in a blog post.

“They got in through the reseller’s access and tried to enable mail ‘read’ privileges,” one of the people familiar with the investigation told Reuters. “If it had been using Office 365 for email, it would have been game over.”

CrowdStrike’s investigation of the incident following Microsoft’s alert confirmed that the company had, in fact, not been breached. Nonetheless, the attempt shows that cloud vendors and their resellers are a new attack vector.


The Russian nation-state group APT29 is reportedly behind the SolarWinds Orion attack and is also linked to the CrowdStrike attempt and the recent FireEye hack.

Chris Hickman, Chief Security Officer at Keyfactor, said the hackers exploited X.509 certificates and keys as a tool to penetrate networks and spread within them while avoiding detection.

“Attackers were able to inject malware into the build process, which is difficult to detect,” Hickman told Toolbox. “This attack was highly sophisticated and the overarching theme here is not SolarWinds or FireEye. This is endemic of many organizations’ broad inability to track certificates within the business, know how those certificates are used and how to manage them effectively when something might be wrong. This kind of breach can happen to anyone and highlights the importance of certificate lifecycle management and having the processes and technology in place for visibility and certificate management,” he said.

Since the attack on FireEye and SolarWinds, several enterprises, including Intel, NVIDIA, VMware and Cisco, have discovered compromised Orion setups within their environments. SolarWinds estimated that 18,000 of its customers had installed the trojanized version of the platform. These include Pima County in Arizona, Iowa State University, and the Departments of Defense, Commerce, Treasury, Homeland Security, and State.

FireEye CEO Kevin Mandia said, “The reality is: The blast radius for this, I kind of explain it with a funnel. It’s true that over 300,000 companies use SolarWinds, but you come down from that total number down to about 18,000 or so companies that actually had the backdoor or malicious code in a network. And then you come down to the next part. It’s probably only about 50 organizations or companies, somewhere in that zone, that are genuinely impacted by the threat actor.”

The CrowdStrike hack attempt is the first time the threat actors have drawn resellers into their infiltration campaign. It demonstrates how attackers are exploring new attack vectors, such as software updates and reseller access, to carry out their malicious activities. CrowdStrike’s response comes in the form of a community tool that lets global admins quickly gather important and relevant information about their Azure cloud environments, detect weaknesses in them, and cut through the complexity of reviewing the associated permissions. The tool, called CrowdStrike Reporting Tool for Azure, is available on GitHub.
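The reseller path described above (a partner-tenant identity using delegated access to turn on mail read privileges) is something a defender can hunt for in audit logs. The following is an added example, not CrowdStrike's tool or Microsoft's API: it runs over constructed, simplified audit records and flags mail-read grants made by an identity from outside the home tenant. The field names, tenant ids and user names are assumptions, not Microsoft's real log schema.

```python
import json
from typing import Iterable

HOME_TENANT = "tenant-contoso"  # assumed home tenant id (constructed value)

# Constructed, simplified audit records (not real Microsoft log output; the field
# names are assumptions). Records 2 and 3 model the reseller scenario from the
# article: a partner-tenant identity granting itself mailbox read access.
SAMPLE_AUDIT = json.loads("""[
 {"Operation":"Add-MailboxPermission","UserId":"admin@contoso.example","ActorTenantId":"tenant-contoso","Parameters":{"Identity":"ceo@contoso.example","AccessRights":"FullAccess"}},
 {"Operation":"Add-MailboxPermission","UserId":"svc@reseller.example","ActorTenantId":"tenant-reseller","Parameters":{"Identity":"ceo@contoso.example","AccessRights":"ReadPermission"}},
 {"Operation":"Consent to application","UserId":"svc@reseller.example","ActorTenantId":"tenant-reseller","Parameters":{"Scope":"Mail.Read offline_access"}},
 {"Operation":"Set-Mailbox","UserId":"svc@reseller.example","ActorTenantId":"tenant-reseller","Parameters":{"Identity":"ceo@contoso.example"}}
]""")

# Mailbox access rights that allow reading message contents.
MAIL_READ_RIGHTS = {"FullAccess", "ReadPermission"}


def grants_mail_read(record: dict) -> bool:
    """True if the record grants the ability to read mailbox contents."""
    op = record.get("Operation", "")
    params = record.get("Parameters", {})
    if op == "Add-MailboxPermission":
        rights = {r.strip() for r in params.get("AccessRights", "").split(",")}
        return bool(rights & MAIL_READ_RIGHTS)
    if op == "Consent to application":
        # OAuth consent that includes the Graph Mail.Read scope.
        return "Mail.Read" in params.get("Scope", "").split()
    return False


def partner_mail_grants(records: Iterable[dict], home_tenant: str = HOME_TENANT) -> list:
    """Return (actor, operation) pairs where an identity from outside the home
    tenant (e.g. a reseller with delegated admin rights) granted mail read access.
    Home-tenant admins doing the same are routine and are not returned."""
    hits = []
    for r in records:
        if r.get("ActorTenantId") != home_tenant and grants_mail_read(r):
            hits.append((r["UserId"], r["Operation"]))
    return hits


if __name__ == "__main__":
    for actor, op in partner_mail_grants(SAMPLE_AUDIT):
        print(f"ALERT: partner identity {actor} performed {op}")
```

Record 4 (a partner identity running Set-Mailbox) is deliberately not flagged here; whether any partner activity at all should alert depends on what the reseller is contractually supposed to manage.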
