Saturday, December 26, 2020

It’s not just the SolarWinds attacks anymore

On Christmas Eve morning, I read two articles that showed me that the attacks on government agencies and private companies that came through SolarWinds just point to part of the problem. In other words, the Russians (or any other country or organization that wants to emulate them) don’t have to wait to find another network management company with poor internal security practices, in order to find other avenues by which to steal information and wreak havoc in the US. We’re providing them with plenty of other opportunities now, although neither of these articles points to any actual damages resulting from the attacks they describe. Dumb luck, I guess – but we can’t rely on that to carry us through the coming assaults.

The articles don’t seem to describe the same incidents. I will discuss the first article in this post, and the second one hopefully tomorrow.

This article was by Ellen Nakashima of the Washington Post, who has become something of a rock star among cybersecurity reporters. The article starts out, “Russian government hackers have compromised Microsoft cloud customers and stolen emails from at least one private-sector company, according to people familiar with the matter, a worrying development in Moscow’s ongoing cyberespionage campaign targeting numerous U.S. agencies and corporate computer networks.”

The article continues, “The intrusions appear to have occurred via a Microsoft corporate partner that handles cloud-access services, those familiar with the matter said.” Of course, this isn’t surprising. I would be quite surprised if the attackers had been able to succeed in a full-frontal assault on Microsoft’s cloud services themselves.

But the point is that the attackers didn’t have to do that. They followed the classic supply chain attack route: If you can’t beat down the front door of your target, find a vendor who doesn’t protect their front door nearly as well (and it seems few of them do) and penetrate them. Then search their premises to find a key to get you into your target (which can be many things, including simply the trust that customer employees place in employees of the vendor). In fact, I should have capitalized target, since Target was the target (OK, OK - no more targets in this sentence. I promise) of the first widely reported supply chain attack, which came through an HVAC vendor who had access to the retailer’s IT network (which also held the point of sale systems that were the attackers’ ultimate goal – or target, if you will. Sorry, can’t help myself!).

So in this case, rather than waste their time trying to directly penetrate Azure (Microsoft’s cloud brand), the attackers seem to have compromised a company whose business model includes holding keys for access to Azure. The article points out that on December 15, “Microsoft notified the cybersecurity firm CrowdStrike of an issue with a third-party reseller that handles licensing for its Azure customers, according to a blog post CrowdStrike published Wednesday. In its (blog) post, CrowdStrike alerted customers that Microsoft had detected unusual behavior in CrowdStrike’s Azure account and that ‘there was an attempt to read email, which failed.’ CrowdStrike does not use Microsoft’s email service.”

In other words, someone was able to access CrowdStrike’s Azure account, but was discovered when they tried to access a nonexistent email service on the account. So it’s to Microsoft’s credit that they were able to detect this anomalous behavior. Is this actually good news?

I’m afraid not. The article points out “The troubling revelation comes several days after Microsoft’s president, Brad Smith, said the Fortune 500 company had not seen any customers breached through its services, including the vaunted Azure cloud platform used by governments, major corporations and universities worldwide. ‘I think we can give you a blanket answer that affirmatively states, no, we are not aware of any customers being attacked through Microsoft’s cloud services or any of our other services, for that matter, by this hacker,’ Smith told The Washington Post on Dec. 17.”

Note that Mr. Smith made that statement two days after Microsoft had notified CrowdStrike of the attempted breach. So while he was technically correct that no customers had been attacked through Azure itself, he conveniently left out the fact that at least one customer had been attacked through their business partner. Moreover,

In a blog post last week, Microsoft stated it was notifying “more than 40 customers” that they had been breached. Some of them were compromised through the third party, people familiar with the matter said.

Specifically, the adversary hacked the reseller, stealing credentials that can be used to gain broad access to its customers’ Azure accounts. Once inside a particular customer’s account, the adversary had the ability to read — and steal — emails, among other information.

In other words, at least 40 Azure customers were penetrated through the same Azure reseller. The fact that some of them were compromised through a breach of an Azure business partner, and not through a breach of Azure itself, is cold comfort for those customers.
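As an added illustration, not code from this post or from Microsoft, CrowdStrike or the reseller, here is a small Python detection rule over constructed audit records that covers the two points above: reseller credentials being used to read customer data, and the anomaly that exposed the CrowdStrike attempt, namely access to a service the tenant never provisioned. The record format, tenant names, actor labels and service inventory are all made up for the example and are not Microsoft's real audit schema.

```python
import json
from dataclasses import dataclass

# Constructed sample audit records (NOT Microsoft's real audit schema): one
# JSON line per access attempt made against a customer tenant.
SAMPLE_LOG = """
{"tenant": "crowdstrike-example", "actor": "partner:reseller-A", "service": "exchange", "op": "MailItemsAccessed", "ok": false}
{"tenant": "crowdstrike-example", "actor": "user:alice", "service": "azure-rm", "op": "ListResources", "ok": true}
{"tenant": "acme-example", "actor": "partner:reseller-A", "service": "exchange", "op": "MailItemsAccessed", "ok": true}
{"tenant": "acme-example", "actor": "partner:reseller-A", "service": "azure-rm", "op": "ListResources", "ok": true}
{"tenant": "acme-example", "actor": "user:bob", "service": "exchange", "op": "MailItemsAccessed", "ok": true}
"""

# Constructed inventory of which hosted services each tenant actually uses.
TENANT_SERVICES = {
    "crowdstrike-example": {"azure-rm"},           # no Microsoft email, as in the post
    "acme-example": {"azure-rm", "exchange"},
}

# Operations a licensing reseller's delegated credential has no reason to perform.
DATA_ACCESS_OPS = {"MailItemsAccessed", "FileDownloaded"}

@dataclass(frozen=True)
class Finding:
    tenant: str
    actor: str
    reason: str

def evaluate(record: dict) -> list[str]:
    """Return the reasons this record is suspicious (empty list if none)."""
    reasons = []
    tenant, actor, service = record["tenant"], record["actor"], record["service"]
    provisioned = TENANT_SERVICES.get(tenant, set())
    # Rule 1: access to a service the tenant does not use, whoever the actor is.
    # This is the signal that exposed the attempt against CrowdStrike's account.
    if service not in provisioned:
        reasons.append(f"service {service!r} not provisioned for tenant")
    # Rule 2: partner/reseller credentials touching customer data at all,
    # even where the service exists. Licensing work never needs mailbox reads.
    if actor.startswith("partner:") and record["op"] in DATA_ACCESS_OPS:
        reasons.append(f"partner credential performed data access {record['op']!r}")
    return reasons

def scan(log_text: str) -> list[Finding]:
    """Run both rules over every JSON line and collect one Finding per reason."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        findings.extend(Finding(rec["tenant"], rec["actor"], r) for r in evaluate(rec))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Note that the failed attempt and the successful one are both flagged; the `ok` field is deliberately ignored, since a blocked read is still evidence that the reseller's credential is in the wrong hands.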

Here’s the problem: An attacker who was more careful, and who had access to CrowdStrike’s network, might easily have been able to access whatever data or applications CrowdStrike has on Azure. The breach could have been just as damaging as the breaches of federal agencies through SolarWinds seem to have been – and remember, federal agencies, including the military and intelligence agencies, are already heavy users of cloud services.

In other words, this has been a two-level supply chain attack. The attacker’s targets were users of Azure, but they couldn’t just attack Azure directly, as they did with SolarWinds. So they had to attack a vendor to Azure. And the fact that they were able to penetrate at least 40 organizations' Azure accounts shows that they achieved their goal of attacking an Azure customer, even if they had to do this indirectly. It’s unfortunate that Brad Smith doesn’t understand that.

PS: Kevin Perry just forwarded me this link to a new post by Dragos, which provides a lot of good information on responding to this incident in ICS environments. It includes a discussion of NERC CIP considerations. 

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
