CrowdStrike Fends Off Attack Attempted By SolarWinds Hackers

The suspected Russian hackers behind the massive SolarWinds attack attempted to hack CrowdStrike through a Microsoft reseller’s Azure account but were ultimately unsuccessful, CrowdStrike says.

The suspected Russian hackers behind the massive SolarWinds attack attempted to hack CrowdStrike through a Microsoft reseller’s Azure account but were ultimately unsuccessful, CrowdStrike said.

The Sunnyvale, Calif.-based endpoint security giant said it was contacted on Dec. 15 by Microsoft’s Threat Intelligence Center, which had identified a reseller’s Microsoft Azure account making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago, CrowdStrike Chief Technology Officer Michael Sentonas wrote in a blog post Wednesday.

The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and Sentonas said the hackers attempted to read the company’s email. That attempt was unsuccessful, Sentonas said, adding that CrowdStrike’s findings were confirmed by Microsoft. As part of CrowdStrike’s secure IT architecture, Sentonas said the company doesn’t use Office 365 email.

[Related: SolarWinds Deploys CrowdStrike To Secure Systems After Hack]

“CrowdStrike conducted a thorough review into not only our Azure environment, but all of our infrastructure for the indicators shared by Microsoft,” Sentonas wrote in the blog post. “The information shared by Microsoft reinforced our conclusion that CrowdStrike suffered no impact.”

CrowdStrike’s review in the wake of the SolarWinds hack was “extensive” and included both the company’s production and internal environments, according to Sentonas. The firm’s stock is up $45.23 (25.7 percent) to $221.12 per share since news of Russian foreign intelligence service hackers injecting malware into updates of SolarWinds’ Orion network monitoring platform went public on Dec. 13.

The reseller was not identified in CrowdStrike’s blog post, and the company declined further comment on the attempted attack.

Microsoft told CRN that if a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant. This abuse of access would not be a compromise of Microsoft’s services themselves, according to the company.

Customers do not have to grant resellers access to their tenant, according to Microsoft, with the company noting that many customers do not. Microsoft said it provides dashboard and API interfaces which identify users who have elevated privileges in Azure Active Directory, and has also offered specific investigation tools to help assess risk from current attacks.

“Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,” Jeff Jones, Microsoft’s senior director of communications, said in a statement. “We have not identified any vulnerabilities or compromise of Microsoft product or cloud services.”

Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN that sources for the Reuters report are “misinformed or misinterpreting their information,“ but acknowledged the software giant had ”detected malicious SolarWinds binaries” in its environment.

SolarWinds announced late Dec. 17 that it had rolled out CrowdStrike’s Falcon Endpoint Protection across the endpoints on its systems to ensure that the company’s internal systems were secure following the massive cyberattack, according to a filing with the U.S. Securities and Exchange Commission (SEC). The next day, CrowdStrike’s stock shot up $18.40 (10 percent) to $203.75 per share.

Through its analysis, CrowdStrike experienced first-hand the challenges customers face auditing Azure Active Directory permissions, which he said is a time-consuming and complex process. Specifically, Sentonas said it’s difficult to manage Azure’s administrative tools to determine what relationships and permissions exist within Azure tenants, particularly when dealing with third-party partners or resellers.

“One of the reasons why these attack vectors are so difficult to mitigate is the inherent complexities that organizations face with federated SSO [single sign-on] infrastructure and in managing Azure tenants,” Sentonas wrote in the blog post. “We hope the findings and recommendations from our experience help your organization.”

Many of the steps required to investigate Azure’s administrative tools are not documented, and there’s an inability to audit via API, Sentonas said. Additionally, Microsoft requires global admin rights to view important information, which CrowdStrike found to be excessive, Sentonas said. Key information should be easily accessible, according to Sentonas.

The New York Times reported Monday that the SolarWinds hackers had seized upon a Microsoft flaw to infiltrate the email system used by the U.S. Treasury Department’s senior leadership.

In response to its experience, he said CrowdStrike has created a tool to help customers quickly and easily pull up excessive permissions and other important information about their Azure Active Directory environment. This includes delegated permissions, application permissions, Federation configurations, Federation trust, mail forwarding rules, Service Principals and objects with KeyCredentials.

Due to the lack of Microsoft API capability documentation, he said CrowdStrike Reporting Tool for Azure is unable to pull in critical information regarding partner tenant permissions, including delegated admin access. Firms should review their Azure tenants to understand if they need to take any configuration or mitigation steps, particularly as it relates to third parties that may be present in their Azure ecosystem.

“It is critical to ensure you review your partner/reseller access, and you mandate multi-factor authentication (MFA) for your partner tenant if you determine it has not been configured,” Sentonas said.