Security firm Malwarebytes said it was breached by the same nation-state-sponsored hackers who compromised at least a dozen US government agencies and private companies.
The attackers are best known for first hacking Austin, Texas-based SolarWinds, compromising its software distribution system and using it to infect the networks of customers who were using SolarWinds network management software. In an online notice, however, Malwarebytes said the attackers were using a different vector.
“Although Malwarebytes does not use SolarWinds, we, like many other companies, have recently been targeted by the same threat actor,” the advisory states. “We can confirm the existence of another vector of intrusion that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.”
Investigators determined that the attacker had gained access to a limited subset of internal company emails. So far, investigators have found no evidence of unauthorized access or compromise in Malwarebytes production environments.
The notice is not the first time investigators have said that the SolarWinds software supply chain attack was not the only means of infection.
When the mass compromise was revealed last month, Microsoft said the hackers also stole signing certificates that allowed them to impersonate one of a target’s existing users and accounts through the Security Assertion Markup Language. Usually abbreviated as SAML, the XML-based language enables identity providers to exchange authentication and authorization data with service providers.
Twelve days ago, the Cybersecurity & Infrastructure Security Agency said the attackers may have gained initial access by guessing or spraying passwords or by exploiting administrative or service credentials.
“In our particular case, the threat actor added a self-signed certificate with credentials to the main service account,” wrote Marcin Kleczynski, researcher at Malwarebytes. “From there, they can authenticate using the key and make API calls to request emails through MSGraph.”
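A defender-side check for the credential-addition step Kleczynski describes, added here as an example that is not from Malwarebytes or the article: it scans constructed Azure AD audit-log records for new credentials added to an application or service principal and flags those whose app already holds a Microsoft Graph mail permission. The record layout mirrors the Azure AD audit log schema, and the permission inventory is a constructed stand-in for what you would pull from your tenant; both are assumptions.

```python
# Azure AD audit-log activity name recorded when a key or secret is added to a
# service principal (assumed value of the activityDisplayName field).
CREDENTIAL_EVENT = "Add service principal credentials"
# Graph application permissions that let an app read mailboxes (watch-list).
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite"}

# Constructed sample log: one routine rotation, one off-hours addition to an
# app that can read mail.
SAMPLE_LOG = [
    {"activityDateTime": "2020-12-10T09:00:00Z",
     "activityDisplayName": CREDENTIAL_EVENT,
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.test"}},
     "targetResources": [{"id": "app-1", "displayName": "backup-sync"}]},
    {"activityDateTime": "2020-12-14T02:13:00Z",
     "activityDisplayName": CREDENTIAL_EVENT,
     "initiatedBy": {"user": {"userPrincipalName": "svc-main@example.test"}},
     "targetResources": [{"id": "app-2", "displayName": "mail-integration"}]},
    {"activityDateTime": "2020-12-14T02:15:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "svc-main@example.test"}},
     "targetResources": [{"id": "user-9", "displayName": "someone"}]},
]

# Constructed inventory: Graph permissions granted to each app id.
APP_GRANTS = {"app-1": {"Files.ReadWrite.All"},
              "app-2": {"Mail.Read", "User.Read.All"}}


def audit_credential_additions(log, grants):
    """Return one finding per credential added to an app, marking whether that
    app could then request mail through Microsoft Graph with the new key."""
    findings = []
    for rec in log:
        if rec.get("activityDisplayName") != CREDENTIAL_EVENT:
            continue
        who = rec.get("initiatedBy", {})
        # Actor may be a user or another app; fall back gracefully.
        actor = (who.get("user") or who.get("app") or {}).get(
            "userPrincipalName", who.get("app", {}).get("displayName", "?"))
        for target in rec.get("targetResources", []):
            app_id = target.get("id")
            findings.append({
                "app": app_id,
                "name": target.get("displayName"),
                "actor": actor,
                "when": rec.get("activityDateTime"),
                "reads_mail": bool(grants.get(app_id, set()) & MAIL_SCOPES),
            })
    return findings


def high_risk(findings):
    """Findings worth paging on: a fresh credential on a mail-capable app."""
    return [f for f in findings if f["reads_mail"]]
```

In a real tenant, feed the function records from the directory audit log export and the permission set from an enumeration of your registered apps; the constructed sample only shows the shape of the check.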
Email management provider Mimecast also said last week that hackers compromised a digital certificate it issued and used it to target certain customers who were using it to encrypt the data they sent and received via the company’s cloud service. While Mimecast did not say the certificate compromise was related to the current attack, the similarities make it likely that the two attacks are related.
Because the attackers used their access to the SolarWinds network to compromise the company’s software build system, researchers at Malwarebytes investigated the possibility that their own software could likewise have been used to infect their customers. So far, Malwarebytes says it has found no evidence of such an infection. The company also inspected its source code repositories for signs of malicious changes.
Malwarebytes said it learned of the intrusion from Microsoft on December 15, two days after the SolarWinds hack was first disclosed. Microsoft had detected the compromise through suspicious activity from a third-party application in Malwarebytes’ Microsoft Office 365 tenant. The tactics, techniques and procedures of the Malwarebytes attack were consistent in key respects with those of the threat actor behind the SolarWinds attacks.
Malwarebytes’ notice marks the fourth time a company has revealed it was targeted by the SolarWinds hackers. Microsoft and security companies FireEye and CrowdStrike were also targeted, although CrowdStrike said the attempt to infect its network failed. Government agencies reported to be affected include the Departments of Defense, Justice, Treasury, Commerce and Homeland Security, as well as the National Institutes of Health.