Posted on December 26, 2020 at 4:30 PM
New Microsoft Warning: Azure Cloud Customers are Targeted by Hackers
Recent hacking incidents caused a number of investigations that revealed even greater hacking activity, with Microsoft uncovering an attempt to breach CrowdStrike’s email.
Recently, reports about US agencies and even FireEye being hacked made headlines. The security incidents caused a number of investigations to look into SolarWinds, which was used for creating a backdoor. One such investigation revealed yet another attempt to compromise protected systems.
Microsoft warns CrowdStrike of a recent hacking attempt
According to new evidence that came up during the SolarWinds investigation, there was an unsuccessful attempt to compromise cybersecurity company, CrowdStrike.
The failed attempt to hack the company and access its email was reported by Microsoft’s Threat Intelligence Center. The report came about 11 days ago, on December 15th, when Microsoft uncovered that a Microsoft Azure account belonging to a third-party reseller started making what the company called ‘abnormal calls.”
The calls were directed at Microsoft’s own cloud APIs, and they took place over a 17-hour period. This was not such a recent event. however, as it turned out that the calls took place several months ago.
To make matters worse, the undisclosed reseller’s Azure account was in charge of handling Microsoft Office licensing for its Azure customers. One of those customers is CrowdStrike itself.
CrowdStrike commented on the incident, noting that, while there was an attempt to access and read its emails — it was unsuccessful. The reason for this is the fact that the company doesn’t use Microsoft’s Office 365 email service.
More about the SolarWinds incidents
As mentioned, the incident came just after the SolarWinds supply chain attack, which took place earlier this month. As a result, there was a major deployment of a covert backdoor via malicious updates of a network monitoring software, SolarWinds Orion.
After the disclosure, a number of companies — including Intel, Cisco, NVIDIA, VMware, numerous US government agencies, and Microsoft — all managed to confirm the existence of tainted Orion installations in their own environments.
Another interesting detail is that this event came only about one week after Microsoft, which is also a SolarWinds user, denied that hackers managed to infiltrate its production systems. The company also denied finding evidence of an additional hacking group that was using Orion software to install backdoors.
Furthermore, the incident coincides with a recent Washington Post report, that notes that Russian hackers tied to the government managed to breach Microsoft’s cloud customers, and steal emails from at least one major firm from the private sector.
So far, Microsoft did not respond to these reports.
Additional efforts to stop further hacks
As for CrowdStrike, the firm also recently released a CrowdStrike Reporting Tool (CRT) for Azure. The tool is completely free, and it can be useful for organizations that need to review major amounts of permissions in their Azure Active Directory.
The took can also be used for determining configuration weaknesses, thus speeding up the process of finding vulnerabilities.
Meanwhile, the United States’ Cybersecurity Infrastructure and Security Agency (CISA) created its own, separate tool, which it named Sparrow. The tool is open-source, and it can be used for discovering compromised accounts and apps in Azure.
CISA commented on their move by saying that the tool is intended for use by incident responders. It is focused rather narrowly right now, only detecting activity that is tied to the recent authentication and identity-based attacks.
Lastly, there is SolarWinds, which also reacted to the recent string of issues by updating its own security advisory. On top of that, the firm urged its customers to update the Orion platform’s software to some of the safer versions, including 2019.4 HF 6 or 2020.2.1 HF 2. Both versions are capable of mitigating the risks regarding the vulnerabilities found within the software, meaning that users should be safe if they switch to a different version.
