[BreachExchange] Hackers Attack Microsoft Cloud Customer Apps Via Synnex

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jul 6 15:48:16 EDT 2021


https://www.crn.com/news/security/hackers-attack-microsoft-cloud-customer-apps-via-synnex?itc=refresh

Hackers attempted to use Synnex to gain access to customer applications
within the Microsoft cloud environment in an attack possibly tied to the
Kaseya ransomware campaign.

The Fremont, Calif.-based distributor said it’s been working with Redmond,
Wash.-based software giant Microsoft as well as a third-party cybersecurity
vendor to conduct a thorough review of the attack since it was identified.

“We do not know if this is related to the Kaseya ransomware attack on MSPs
and some end customers,” Michael Urban, Synnex’s president of worldwide
technology solutions distribution, said in an emailed statement. “That is
part of the review. SYNNEX is not an MSP, and we have no relationship with
Kaseya and do not use its systems.”

Microsoft didn’t immediately respond to a CRN request for comment. Synnex’s
stock is down $3.37 (2.79 percent) to $117.50 in trading Tuesday morning,
which is the lowest the company’s stock has traded since May 12.

“We are a long-term distribution partner for Microsoft and along with them,
responded with the requisite urgency to address the recent attacks and to
limit the potential activities of these bad actors,” Synnex President and
CEO Dennis Polk said in a statement. “We will remain vigilant and focused
on the security of our organization.”

Synnex said bad actors attempted on “a few instances” to access Microsoft
cloud customer apps via the distributor, and the company declined to
comment to CRN on how successful those attempts were. Synnex’s internal and
external environments remained online throughout the entire attack,
according to the distributor.

Bloomberg reported late Friday that Synnex was one of the managed service
providers affected in the Kaseya cyberattack, which exploited a
vulnerability in Kaseya’s on-premise VSA tool to compromise nearly 60 MSPs
and encrypt the data and demand ransom payments from up to 1,500 of their
end user customers. Synnex told CRN Sunday that the company didn't comment
on the Bloomberg report.

Synnex said it supports Microsoft cloud applications and provides other
services as part of its IT distribution business, but clarified that it
isn’t an MSP in the context mentioned in recent media.

Microsoft has found itself at the center of several of the biggest
cyberattacks in recent months, with the Russian foreign intelligence
service (SVR) taking advantage of known Microsoft configuration issues
during the SolarWinds campaign to trick systems into giving them access to
emails and documents stored on the cloud, The Wall Street Journal reported
in February.

The SVR was able to go from one cloud-computing account to another by
taking advantage of little-known idiosyncrasies in the way software
authenticates itself on the Microsoft service, according to the WSJ.

“The threat actor took advantage of systemic weaknesses in the Windows
authentication architecture, allowing it to move laterally within the
network as well as between the network and the cloud by creating false
credentials impersonating legitimate users and bypassing multifactor
authentication,” CrowdStrike CEO George Kurtz said during a Feb. 24 U.S.
Senate hearing.

Then in March, Chinese hackers took advantage of vulnerabilities in
on-premise versions of Microsoft Exchange servers to steal emails from at
least 30,000 organizations across the United States. At the end of June,
the SVR breached a Microsoft support agent’s machine and used the account
information they obtained to launch highly-targeted attacks against
customers, resulting in three cases of compromise.