The suspected Russian hackers behind the SolarWinds supply chain attack tried to exploit Microsoft resellers' accounts to reach more potential victims, including organizations that never installed the trojanized SolarWinds software.
Cybersecurity company CrowdStrike disclosed that the hackers gained access to the reseller that sold it its Office licenses and, through that access, attempted to read CrowdStrike's email, even though CrowdStrike does not use the SolarWinds Orion software at the center of one of the most damaging supply chain attacks on record.
Although CrowdStrike did not name the hackers as the group that compromised SolarWinds, sources familiar with the matter confirmed the connection. In 2016, CrowdStrike was the first cybersecurity firm to attribute the Democratic National Committee (DNC) hack to state-sponsored Russian hackers.
Russian hackers exploit Microsoft vendors’ access privileges
Microsoft's Threat Intelligence Center warned CrowdStrike on December 15, 2020, that a reseller's Microsoft Azure account had been making suspicious calls to Microsoft's cloud APIs within a 17-hour window. The reseller used that account to manage CrowdStrike's Microsoft Office licenses.
The suspected Russian hackers abused the reseller's delegated access and attempted to enable mailbox "read" permissions on CrowdStrike's Office 365 tenant.
However, the cybersecurity firm uses Microsoft Office only for document processing, not for email. An anonymous source told Reuters that had CrowdStrike "been using Office 365 for email, it would have been game over."
CrowdStrike Chief Technology Officer Michael Sentonas said in a blog post that the company's thorough review of its Azure environment and other cloud infrastructure for the indicators of compromise (IOCs) shared by Microsoft concluded that "CrowdStrike suffered no impact."
Third-party resellers maintain Microsoft vendors’ access to client systems
Most Microsoft software licenses are sold through third parties, and those resellers keep persistent, delegated administrative access to the customer's tenant so they can add products or seats over time. This standing access exists for administrative convenience and is usually granted without most customers being aware of it.
Additionally, many customers cannot readily tell which Microsoft resellers still hold access to their tenants. Microsoft acknowledged that a breach of a reseller could compromise its customers' tenants.
The company clarified that resellers do not need to retain access rights to their customers' tenants. Customers can review and revoke those delegated relationships and their Azure Active Directory permissions themselves, through the Azure portal and the Microsoft 365 admin center as well as through Microsoft's application programming interfaces (APIs).
However, customers face challenges "managing Azure's administrative tools to know what relationships and permissions exist within Azure tenants, particularly with third-party partner/resellers, and how to quickly enumerate them," according to CrowdStrike's CTO.
Microsoft warned that customers whose resellers still maintained access needed to take extra precautions. The Redmond, Washington-based company also stated that a supply chain attack through Microsoft resellers did not constitute a breach of Microsoft itself.
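One concrete way to act on that enumeration problem is to triage the tenant's Azure AD audit log for exactly the two signals in this incident: a permission grant that would expose mailboxes, and a change initiated by an account outside the tenant's own domains (a reseller or partner identity). The script below is an added example, not code from CrowdStrike, Microsoft or this article. The log entries are constructed to resemble the Microsoft Graph `directoryAudits` shape (`activityDisplayName`, `initiatedBy`, `targetResources`, `modifiedProperties`); the tenant domain `crowd-example.com`, the partner domain `reseller-partner.example`, and the exact `modifiedProperties` display names are assumptions for illustration. The permission names `Mail.Read`, `Mail.ReadWrite` and `full_access_as_app` are real Microsoft Graph / Exchange Online permissions.

```python
"""Triage Azure AD audit events for third-party mailbox-access grants.

Added example (not from the article, Microsoft or CrowdStrike). The events
below are constructed to mimic the Graph directoryAudits schema; field names
inside modifiedProperties are an approximation and should be checked against
a real export before use.
"""
import re

# Assumed: the verified domains that belong to our own tenant.
OUR_DOMAINS = {"crowd-example.com"}

# Real Graph / Exchange Online permission names that expose mailbox content.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Audit activities through which an API permission can be granted to an app.
GRANT_ACTIVITIES = {
    "Add app role assignment to service principal",
    "Consent to application",
    "Add delegated permission grant",
}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {   # partner-initiated grant of mailbox read access: the CrowdStrike scenario
        "activityDisplayName": "Add app role assignment to service principal",
        "initiatedBy": {"user": {"userPrincipalName": "admin@reseller-partner.example"}},
        "targetResources": [{"displayName": "license-sync-app", "modifiedProperties": [
            {"displayName": "AppRole.Value", "oldValue": None, "newValue": '"Mail.Read"'}]}],
    },
    {   # routine internal change, should not be flagged
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "alice@crowd-example.com"}},
        "targetResources": [{"displayName": "bob", "modifiedProperties": [
            {"displayName": "JobTitle", "oldValue": '"Analyst"', "newValue": '"Senior Analyst"'}]}],
    },
    {   # internal admin consents to a mail-reading app: worth a look, lower urgency
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "bob@crowd-example.com"}},
        "targetResources": [{"displayName": "mail-archiver", "modifiedProperties": [
            {"displayName": "ConsentAction.Permissions", "oldValue": None,
             "newValue": '"[[Scope: Mail.ReadWrite User.Read]]"'}]}],
    },
    {   # partner-initiated change that is not a mail grant: still external activity
        "activityDisplayName": "Add member to role",
        "initiatedBy": {"user": {"userPrincipalName": "ops@reseller-partner.example"}},
        "targetResources": [{"displayName": "Global Administrator", "modifiedProperties": []}],
    },
]


def initiator_upn(event):
    """UPN of the user who performed the change, or '' for app-initiated events."""
    return ((event.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "")


def is_external_initiator(event):
    """True when the initiating account's domain is not one of our verified domains."""
    domain = initiator_upn(event).rpartition("@")[2].lower()
    return bool(domain) and domain not in OUR_DOMAINS


def mail_permissions_in(event):
    """Mailbox permissions named in any newValue of the event's modified properties."""
    found = set()
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            tokens = re.findall(r"[A-Za-z_.]+", prop.get("newValue") or "")
            found.update(MAIL_PERMISSIONS.intersection(tokens))
    return found


def triage(events):
    """Return findings ordered as in the log: high = external grant of mail access,
    medium = internal grant of mail access, low = any other external change."""
    findings = []
    for ev in events:
        external = is_external_initiator(ev)
        perms = mail_permissions_in(ev) if ev.get("activityDisplayName") in GRANT_ACTIVITIES else set()
        if perms and external:
            severity = "high"
        elif perms:
            severity = "medium"
        elif external:
            severity = "low"
        else:
            continue
        findings.append({"severity": severity, "activity": ev["activityDisplayName"],
                         "initiator": initiator_upn(ev), "permissions": sorted(perms)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['activity']} by {f['initiator']} {f['permissions']}")
```

The domain check is deliberately coarse: a reseller acting through delegated admin privileges may also appear under a guest or partner identity rather than a plain foreign UPN, so in practice the same triage should be run against sign-in logs and the tenant's list of partner relationships, and any `high` finding treated as a potential compromise of the reseller rather than of the internal account.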
Internal investigation confirms attacks exploiting Microsoft vendors’ access
Microsoft senior director Jeff Jones said that the company’s investigations discovered “incidents involving abuse of credentials to gain access, which can come in several forms.” However, Jones stated that the company had not “identified any vulnerabilities or compromise of Microsoft product or cloud services.”
Despite Microsoft's assurances, the possibility of attacks similar to the SolarWinds supply chain attack, but exploiting Microsoft resellers' delegated privileges instead of a trojanized update, remains a serious concern.
By targeting Microsoft resellers, the suspected Russian hackers expand the attack surface available for a major supply chain attack. How many resellers, and ultimately how many customers, were targeted with similar methods remains unknown.
Reuters initially reported that additional attack vectors involving Microsoft products were exploited in the SolarWinds’ supply chain attack. Federal investigators disputed the claim.
However, Microsoft was open to the idea of its products being exploited in similar attacks, warning that a supply chain attack was possible “from trusted vendor accounts where the attacker had compromised the vendor environment.”
The federal agencies leading the initial investigation of the SolarWinds supply chain attack, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), had not commented on the latest findings.