Hackers Attack Microsoft Cloud Customer Apps Via Synnex

‘We do not know if this is related to the Kaseya ransomware attack to MSPs and some end customers. That is part of the review. Synnex is not an MSP, and we have no relationship with Kaseya and do not use its systems,’ Synnex’s Michael Urban tells CRN.

Hackers attempted to use Synnex to gain access to customer applications within the Microsoft cloud environment in an attack possibly tied to the Kaseya ransomware campaign.

The Fremont, Calif.-based distributor said it’s been working with Redmond, Wash.-based software giant Microsoft as well as a third-party cybersecurity vendor to conduct a thorough review of the attack since it was identified.

“We do not know if this is related to the Kaseya ransomware attack to MSPs and some end customers,“ Michael Urban, Synnex’s president of worldwide technology solutions distribution, said in an emailed statement. ”That is part of the review. SYNNEX is not an MSP, and we have no relationship with Kaseya and do not use its systems.”

[Related: Kaseya VSA SaaS Coming Back Tuesday, On-Prem Wednesday]

Microsoft declined to comment on the Synnex attack. Synnex’s stock is down $3.37 (2.79 percent) to $117.50 in trading Tuesday morning, which is the lowest the company’s stock has traded since May 12.

“We are a long-term distribution partner for Microsoft and along with them, responded with the requisite urgency to address the recent attacks and to limit the potential activities of these bad actors,” Synnex President and CEO Dennis Polk said in a statement. “We will remain vigilant and focused on the security on our organization.”

Synnex said bad actors attempted on “a few instances” to access Microsoft cloud customer apps via the distributor, and the company declined to comment to CRN on how successful those attempts were. Synnex’s internal and external environments remained online throughout the entire attack, according to the distributor.

Bloomberg reported late Friday that Synnex was one of the managed service providers affected in the Kaseya cyberattack, which exploited a vulnerability in Kaseya’s on-premise VSA tool to compromise nearly 60 MSPs and encrypt the data and demand ransom payments from up to 1,500 of their end user customers. Synnex told CRN Sunday that the company didn’t have comment on the Bloomberg report.

Synnex said it supports Microsoft cloud applications and provides other services as part of its IT distribution business, but clarified that it isn’t an MSP in the context mentioned in recent media.

Microsoft has found itself at the center of several of the biggest cyberattacks in recent months, with the Russian foreign intelligence service (SVR) taking advantage of known Microsoft configuration issues during the SolarWinds campaign to trick systems into giving them access to emails and documents stored on the cloud, The Wall Street Journal reported in February.

The SVR was able go from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the way software authenticates itself on the Microsoft service, according to the WSJ.

“The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network as well as between the network and the cloud by creating false credentials impersonating legitimate users and bypassing multifactor authentication,” CrowdStrike CEO George Kurtz said during a Feb. 24 U.S. Senate hearing.

Then in March, Chinese hackers took advantage of vulnerabilities in on-premise versions of Microsoft Exchange servers to steal emails from at least 30,000 organizations across the United States. At the end of June, the SVR breached a Microsoft support agent’s machine and used the account information they obtained to launch highly-targeted attacks against customers, resulting in three cases of compromise.