Malwarebytes, a cybersecurity firm and anti-malware software provider, came under a cyberattack late last year. The security firm said that the same threat actors, with alleged Russian ties, who were behind the SolarWinds attacks accessed its internal emails.
Malwarebytes was not part of the SolarWinds supply-chain attack, as the company does not use any software from the IT firm. The same hackers nonetheless breached the anti-malware firm's internal networks by exploiting Microsoft Office 365. Marcin Kleczynski, CEO and co-founder of the company, said the hackers only gained access to a limited subset of internal company emails and did not breach the internal production systems.
"We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails," Kleczynski wrote in a blog post.
How Did Hackers Gain Access?
Malwarebytes was alerted to a possible intrusion by Microsoft's security team on December 15. During its investigation, Malwarebytes found that the hackers had used applications with privileged access to take over Office 365 and Azure. According to Kleczynski, the attackers exploited an Azure Active Directory vulnerability to access internal company emails.
"We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks," Kleczynski added.
The intrusion was detected by Microsoft during the internal audit it conducted following the SolarWinds hacks. The threat actors, also tracked as Dark Halo or UNC2452, deployed the Teardrop and Sunburst malware to weaponize SolarWinds' software update. The vulnerability in Azure Active Directory was first observed by Dirk-jan Mollema in 2019: the researcher noticed that it could be exploited to escalate privileges by assigning credentials to applications. It was not fixed, and in September the researcher observed that it could also provide backdoor access to the main account's credentials in Microsoft Graph and Azure AD Graph.
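The vector described above, adding credentials to an application or service principal that already holds broad Office 365 permissions, leaves a trace in the Azure AD audit log. The following is an added example, not code from the article or from Malwarebytes, showing the defender-side check: it scans a small set of constructed, simplified audit-log records for credential additions and raises a finding only when the target service principal holds an application permission that can read mailboxes. The activity names, the permission list and the record layout are assumptions for the example and should be checked against your own tenant's exported logs.

```python
import json

# Application permissions that allow reading mail without a signed-in user.
# Assumed list for this example; extend it to match your tenant's review policy.
MAILBOX_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Audit activities that record a new secret or certificate being attached to
# an app or service principal. Names assumed from Azure AD audit-log exports.
CREDENTIAL_ADD_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Constructed inventory: service principal id -> granted application permissions.
SAMPLE_APP_PERMISSIONS = {
    "sp-mailsync-0001": {"Mail.Read", "User.Read.All"},
    "sp-ticketing-0002": {"User.Read"},
}

# Constructed, simplified audit-log records (hypothetical tenant, not real data).
SAMPLE_AUDIT_LOG = [
    {
        "activityDateTime": "2020-12-14T03:12:44Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "svc-admin@example.test"}},
        "targetResources": [{"id": "sp-mailsync-0001", "displayName": "Mail Sync Connector"}],
    },
    {
        "activityDateTime": "2020-12-14T09:41:02Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
        "targetResources": [{"id": "sp-ticketing-0002", "displayName": "Ticketing Bot"}],
    },
    {
        "activityDateTime": "2020-12-14T10:05:17Z",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
        "targetResources": [{"id": "user-0042", "displayName": "A. User"}],
    },
]


def actor_of(record):
    """Return the UPN of the account that performed the audited action, if present."""
    return record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")


def find_risky_credential_additions(audit_log, app_permissions):
    """Return one finding per credential added to a service principal that can read mail.

    A credential added to an app with only low-impact permissions is noise for
    this purpose; a credential added to a mailbox-capable app is the event that
    turns an app registration into a mailbox backdoor, so it is what we surface.
    """
    findings = []
    for record in audit_log:
        if record.get("activityDisplayName") not in CREDENTIAL_ADD_ACTIVITIES:
            continue
        for target in record.get("targetResources", []):
            granted = app_permissions.get(target.get("id"), set())
            mailbox_scopes = sorted(granted & MAILBOX_PERMISSIONS)
            if not mailbox_scopes:
                continue
            findings.append({
                "time": record.get("activityDateTime"),
                "actor": actor_of(record),
                "service_principal": target.get("id"),
                "display_name": target.get("displayName"),
                "permissions": mailbox_scopes,
            })
    return findings


def list_mailbox_capable_apps(app_permissions):
    """Inventory helper: every service principal that can read mail without a user."""
    return sorted(
        sp for sp, perms in app_permissions.items() if perms & MAILBOX_PERMISSIONS
    )


if __name__ == "__main__":
    print(json.dumps(find_risky_credential_additions(SAMPLE_AUDIT_LOG, SAMPLE_APP_PERMISSIONS), indent=2))
    print("mailbox-capable apps:", list_mailbox_capable_apps(SAMPLE_APP_PERMISSIONS))
```

On the constructed input only the first record is reported: a secret added to "Mail Sync Connector", which holds Mail.Read. The second record is the same activity against an app with no mailbox permission and is ignored, which is the point of joining the audit event to the permission inventory rather than alerting on every credential change. In a real tenant the inventory would come from the service principals' granted app roles, and the finding would be reviewed against the expected change record for that app.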
Is Malwarebytes Software Safe?
Because the hackers behind SolarWinds trojanized a software update to infiltrate dozens of its clients, Malwarebytes found it necessary to investigate its own software source code to rule out the possibility of an intrusion. As the company's production server was not on the Azure cloud, the source code was found not to have been tampered with.
Malwarebytes collaborated with Microsoft's Detection and Response Team (DART) to conduct a thorough investigation of both its cloud and on-premises applications. They found no intrusion, and the products are hence safe to use.
"Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use," Kleczynski said.