While investigating the impact of the recent SolarWind hack, on December 15th Microsoft reported to CrowdStrike that threat actors attempted to read CrowdStrike’s emails by using a compromised Microsoft Azure reseller’s account.
“Specifically, they identified a reseller’s Microsoft Azure account used for managing CrowdStrike’s Microsoft Office licenses was observed making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago.” reads the post published by Crowdstrike. “There was an attempt to read email, which failed as confirmed by Microsoft. As part of our secure IT architecture, CrowdStrike does not use Office 365 email.”
“CrowdStrike, which does not use SolarWinds, said it had found no impact from the intrusion attempt and declined to name the reseller.” reads the article published by Reuters.
“They got in through the reseller’s access and tried to enable mail ‘read’ privileges,” one of the people familiar with the investigation told Reuters. “If it had been using Office 365 for email, it would have been game over.”
The attempt was made months ago, but it failed because CrowdStrike does not use Office 365.
“Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,” said Microsoft senior Director Jeff Jones. “We have not identified any vulnerabilities or compromise of Microsoft product or cloud services.”
CrowdStrike experts decided to create their own tool because they face difficulties in using Azure’s administrative tools to enumerate privileges assigned to third-party resellers and partners in their Azure tenant.
“CrowdStrike launches CrowdStrike Reporting Tool for Azure (CRT), a free community tool that will help organizations quickly and easily review excessive permissions in their Azure AD environments, help determine configuration weaknesses, and provide advice to mitigate risk.” states the security firm.
“Throughout our analysis, we experienced first hand the difficulties customers face in managing Azure’s administrative tools to know what relationships and permissions exist within Azure tenants, particularly with third-party partner/resellers, and how to quickly enumerate them. We found it particularly challenging that many of the steps required to investigate are not documented, there was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible.”
The CrowdStrike Reporting Tool for Azure (CRT) tool could be used by administrators to analyze their Microsoft Azure environment and review the privileges assigned to third-party resellers and partners.
The tool is available on GitHub.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Azure)