On Christmas Eve morning, I read two articles that showed me that the attacks on government agencies and private companies that came through SolarWinds just point to part of the problem. In other words, the Russians (or any other country or organization that wants to emulate them) don’t have to wait to find another network management company with poor internal security practices, in order to find other avenues by which to steal information and wreak havoc in the US. We’re providing them with plenty of other opportunities now, although neither of these articles points to any actual damages resulting from the attacks they describe. Dumb luck, I guess – but we can’t rely on that to carry us through the coming assaults.
The articles don’t seem to describe the same incidents. I will discuss the first article in this post, and the second one hopefully tomorrow.
This article was by Ellen Nakashima of the Washington Post, who has become something of a rock star among cybersecurity reporters. The article starts out, “Russian government hackers have compromised Microsoft cloud customers and stolen emails from at least one private-sector company, according to people familiar with the matter, a worrying development in Moscow’s ongoing cyberespionage campaign targeting numerous U.S. agencies and corporate computer networks.”
The article continues, “The intrusions appear to have occurred via a Microsoft corporate partner that handles cloud-access services, those familiar with the matter said.” Of course, this isn’t surprising. I would be quite surprised if the attackers had been able to succeed in a full-frontal assault on Microsoft’s cloud services themselves.
But the point is that the attackers didn’t have to do that. They followed the classic supply chain attack route: If you can’t beat down the front door of your target, find a vendor who doesn’t protect their front door nearly as well (and it seems few of them do) and penetrate them. Then search their premises to find a key to get you into your target (which can be many things, including simply the trust that customer employees place in employees of the vendor). In fact, I should have capitalized target, since Target was the target (OK, OK - no more targets in this sentence. I promise) of the first widely-reported supply chain attack, which came through an HVAC vendor who had access to the retailer’s IT network (which also held the point of sale systems that were the attackers’ ultimate goal – or target, if you will. Sorry, can’t help myself!).
So in this case, rather than waste their time trying to directly penetrate Azure (Microsoft’s cloud brand), the attackers seem to have compromised a company whose business model includes holding keys for access to Azure. The article points out that on December 15, “Microsoft notified the cybersecurity firm CrowdStrike of an issue with a third-party reseller that handles licensing for its Azure customers, according to a blog post CrowdStrike published Wednesday. In its (blog) post, CrowdStrike alerted customers that Microsoft had detected unusual behavior in CrowdStrike’s Azure account and that ‘there was an attempt to read email, which failed.’ CrowdStrike does not use Microsoft’s email service.”
In other words, someone was able to access CrowdStrike’s Azure account, but was discovered when they tried to access a nonexistent email service on the account. So it’s to Microsoft’s credit that they were able to detect this anomalous behavior. Is this actually good news?
I’m afraid not. The article points out, “The troubling revelation comes several days after Microsoft’s president, Brad Smith, said the Fortune 500 company had not seen any customers breached through its services, including the vaunted Azure cloud platform used by governments, major corporations and universities worldwide. ‘I think we can give you a blanket answer that affirmatively states, no, we are not aware of any customers being attacked through Microsoft’s cloud services or any of our other services, for that matter, by this hacker,’ Smith told The Washington Post on Dec. 17.”
Note that Mr. Smith made that statement two days after Microsoft had notified CrowdStrike of the attempted breach. So while he was technically correct that no customers had been attacked through Azure itself, he conveniently left out the fact that at least one customer had been attacked through their business partner. Moreover, the article goes on: “In a blog post last week, Microsoft stated it was notifying ‘more than 40 customers’ that they had been breached. Some of them were compromised through the third party, people familiar with the matter said.
“Specifically, the adversary hacked the reseller, stealing credentials that can be used to gain broad access to its customers’ Azure accounts. Once inside a particular customer’s account, the adversary had the ability to read — and steal — emails, among other information.”
In other words, at least 40 Azure customers were penetrated through the same Azure reseller. The fact that some of them were compromised through a breach of an Azure business partner, and not through a breach of Azure itself, is cold comfort for those customers.
Here’s the problem: An attacker who was more careful, and who had access to CrowdStrike’s network, might easily have been able to access whatever data or applications CrowdStrike has on Azure. The breach could have been just as damaging as the breaches of federal agencies through SolarWinds seem to have been – and remember, federal agencies, including the military and intelligence agencies, are already heavy users of cloud services.
In other words, this has been a two-level supply chain attack. The attackers’ targets were users of Azure, but they couldn’t just attack Azure directly, as they did with SolarWinds. So they had to attack a vendor to Azure. And the fact that they were able to penetrate at least 40 organizations’ Azure accounts shows that they achieved their goal of attacking Azure customers, even if they had to do this indirectly. It’s unfortunate that Brad Smith doesn’t understand that.
PS: Kevin Perry just forwarded me this link to a new post by Dragos, which provides a lot of good information on responding to this incident in ICS environments. It includes a discussion of NERC CIP considerations.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.