The hackers behind the massive SolarWinds attack previously tried to breach cybersecurity specialist CrowdStrike through a Microsoft reseller’s Azure account. The attempt ultimately failed.
In a blog post, CrowdStrike Chief Technology Officer Michael Sentonas says that CrowdStrike is therefore launching a free tool to identify and help mitigate risks in Azure Active Directory.
“CrowdStrike was contacted by the Microsoft Threat Intelligence Center on December 15, 2020. Specifically, they identified a reseller’s Microsoft Azure account used for managing CrowdStrike’s Microsoft Office licenses was observed making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago. There was an attempt to read email, which failed as confirmed by Microsoft. As part of our secure IT architecture, CrowdStrike does not use Office 365 email,” said Michael Sentonas.
In its role supporting organizations impacted by the SUNBURST incident, the CrowdStrike Services team has created a community tool called CrowdStrike Reporting Tool for Azure (CRT) to quickly and easily pull up excessive permissions and other important information about an Azure AD environment.
“This includes delegated permissions and application permissions, Federation configurations, Federation trusts, mail forwarding rules, Service Principals, objects with KeyCredentials, and more. Of note, due to the lack of documentation of Microsoft API capabilities, CRT does not pull critical information regarding partner tenant permissions, which includes delegated admin access. We have detailed steps below enabling you to view this critical information manually in the Microsoft 365 admin center; this is also documented in the CRT readme.
“We have made this tool available to the community in our CrowdStrike GitHub repository. We recommend that all Azure AD administrators review their Azure AD configuration to help determine if they have been impacted and take steps to prevent intrusions. We hope this tool will assist organizations around the world,” says Sentonas.