Recent investigations have surfaced an attempt to breach CrowdStrike, a prominent cybersecurity firm, against the backdrop of the ongoing espionage campaign associated with SolarWinds. The intrusion was reportedly thwarted, and the details that have emerged offer useful insight into the current threat landscape.

On December 15, Microsoft’s Threat Intelligence Center flagged a third-party reseller’s Azure account for suspicious activity, noting it had initiated “abnormal calls” to the Microsoft cloud APIs over a span of 17 hours. This reseller is responsible for managing Microsoft Office licenses for various clients, including CrowdStrike.
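The detection described above is, at its core, an anomaly check on a delegated-admin (reseller) account: activity against a customer tenant that departs from the account's normal licence-management work, sustained over many hours. The following is an added example of that kind of check, written for this page; it is not code from the article, from CrowdStrike, or from Microsoft. The audit records, field layout and operation names (`Assign license`, `Consent to application`, `Read mailbox items`) are constructed for illustration and do not reproduce Microsoft's real audit schema.

```python
"""Flag delegated-admin accounts whose non-baseline activity is sustained.

Added example (not from the article, CrowdStrike or Microsoft). Records are
constructed and simplified: timestamp, actor, operation, customer tenant.
"""
from collections import Counter
from datetime import datetime

# Constructed sample audit records; not real Microsoft log output.
SAMPLE_LOG = """\
2020-12-15T00:10:00Z,helpdesk@partner.example,Assign license,customer-a
2020-12-15T00:20:00Z,reseller-svc@partner.example,Assign license,customer-a
2020-12-15T01:00:00Z,reseller-svc@partner.example,Consent to application,customer-a
2020-12-15T03:15:00Z,reseller-svc@partner.example,Read mailbox items,customer-a
2020-12-15T08:40:00Z,reseller-svc@partner.example,Read mailbox items,customer-a
2020-12-15T12:05:00Z,reseller-svc@partner.example,Read mailbox items,customer-b
2020-12-15T18:00:00Z,reseller-svc@partner.example,Read mailbox items,customer-b
2020-12-15T09:00:00Z,helpdesk@partner.example,Update user,customer-b
2020-12-15T09:30:00Z,helpdesk@partner.example,Read mailbox items,customer-b
"""

# Operations a licence reseller is expected to perform (assumed baseline).
BASELINE_OPS = {"Assign license", "Add user", "Update user"}


def parse_log(text):
    """Parse the constructed CSV-style records into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, operation, tenant = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor,
            "operation": operation,
            "tenant": tenant,
        })
    return events


def find_abnormal_activity(events, baseline_ops=BASELINE_OPS, min_events=3):
    """Return, per actor, a summary of non-baseline operations.

    An actor is reported only when it performed at least ``min_events``
    operations outside the baseline; a single stray call is left for
    human review rather than raised as a finding.
    """
    by_actor = {}
    for ev in events:
        if ev["operation"] in baseline_ops:
            continue
        by_actor.setdefault(ev["actor"], []).append(ev)

    findings = {}
    for actor, evs in by_actor.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e["time"])
        span = evs[-1]["time"] - evs[0]["time"]
        findings[actor] = {
            "count": len(evs),
            "operations": sorted(Counter(e["operation"] for e in evs)),
            "span_hours": round(span.total_seconds() / 3600, 1),
            "tenants": sorted({e["tenant"] for e in evs}),
        }
    return findings


if __name__ == "__main__":
    for actor, summary in find_abnormal_activity(parse_log(SAMPLE_LOG)).items():
        print(f"{actor}: {summary['count']} non-baseline calls over "
              f"{summary['span_hours']} h across tenants {summary['tenants']}: "
              f"{summary['operations']}")
```

Run stand-alone, the script reports only `reseller-svc@partner.example`: five non-baseline calls spread over 17 hours and two customer tenants, while the helpdesk account's single mailbox read stays below the threshold. In a real tenant the baseline would come from the partner's contracted scope rather than a hard-coded set, and the records from Azure AD sign-in and audit logs.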

The threat actors sought access to CrowdStrike's email systems, but the effort was unsuccessful. CrowdStrike attributes this to the fact that it does not use Microsoft's Office 365 email service, so the reseller's access could not reach its mail.

This incident surfaces amidst heightened scrutiny following the SolarWinds supply chain attack, which has become a significant case study in cybersecurity vulnerabilities. That breach, carried out by planting a covert backdoor (the "Sunburst" malware) in a trusted software update, underlines the sophisticated nature of current threats within corporate infrastructures.

In the aftermath of these revelations, multiple entities, including Microsoft, Cisco, and various U.S. government agencies, have reported discovering compromised Orion installations, underscoring the extensive ramifications of the SolarWinds debacle. This illustrates the effectiveness of the initial access tactics catalogued in the MITRE ATT&CK framework, particularly the abuse of access granted to third-party vendors, which has emerged as a prevalent method in recent cyber incidents.

In a related note, Microsoft, a direct customer of SolarWinds, has denied that their production systems were modified to enable further attacks. Concurrently, reports have emerged detailing that hackers allegedly associated with Russian government entities exploited reseller accounts within the Microsoft cloud infrastructure to steal proprietary data from private-sector organizations. This paints a dire picture of the challenges businesses face amidst evolving cyber threats.

In light of these events, CrowdStrike has launched a tool called the CrowdStrike Reporting Tool for Azure (CRT). This resource enables organizations to assess permissions within their Azure Active Directory or Office 365 environments, aiding in the identification of potential configuration weaknesses. This initiative aligns with the broader efforts of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has concurrently released a similar tool named Sparrow, aimed at strengthening defenses against identity and authentication-based threats.

Additionally, SolarWinds has issued updated security advisories, encouraging users to upgrade their Orion Platform software to curtail risks linked to vulnerabilities like Sunburst and Supernova. These measures highlight the urgent need for all organizations, regardless of their size, to prioritize cybersecurity in their operational frameworks.
