Malwarebytes – New Victim of SolarWinds Hackers!

Malwarebytes is the latest discovered victim of the SolarWinds hackers, the security company revealed – except that it was not targeted through the SolarWinds platform.

The attack vehicle was not the Orion platform, but an email-protection application for Microsoft 365.

“While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor,” it disclosed on Tuesday.

Microsoft Office 365

Instead of using the SolarWinds Orion network-management system, the advanced persistent threat (APT) abused “applications with privileged access to Microsoft Office 365 and Azure environments,” the security firm commented — specifically, an email-protection application.

“What started out as the SolarWinds attack is slowly turning out to be perhaps the most sophisticated & wide-reaching cyber-campaign we have ever seen,” Ami Luttwak, CTO & co-founder of Wiz, commented via email. “It encompasses multiple companies used as backdoors to other companies, numerous tools & novel attack methods. This is far more than SolarWinds.”

Suspicious Calls

The Microsoft Security Response Center flagged suspicious activity from a third-party email-security application used with Malwarebytes’ Microsoft Office 365 hosted service on Dec. 15. The activity was visible in the application’s API calls. The company and Microsoft then began an “extensive” investigation.

“A newly released CISA report reveals how threat actors may have obtained initial access by password guessing or password spraying in addition to exploiting administrative or service credentials,” according to Malwarebytes.

“In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph.”
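The technique described in that statement leaves two traces a tenant administrator can look for: an “Add service principal credentials” entry in the Azure AD directory audit log, and a new entry in the affected service principal’s keyCredentials list, often with a start date that lines up with the audit entry. The script below is an added example, not code from the article or from Malwarebytes. The audit and service-principal records in it are constructed samples, and the field names (activityDisplayName, targetResources, keyCredentials, startDateTime and so on) follow the Microsoft Graph schemas as assumed here; an exported /auditLogs/directoryAudits and /servicePrincipals response would be fed in the same way.

```python
"""Flag service principals that gained a certificate credential recently.

Added example (not from the article or from Malwarebytes). A certificate
attached to a service principal and then used to authenticate leaves:
  1. an "Add service principal credentials" directory-audit entry, and
  2. a new AsymmetricX509Cert entry in the principal's keyCredentials.
Both samples below are constructed; field names follow the Microsoft Graph
directoryAudit and servicePrincipal schemas as assumed here.
"""
import json
from datetime import datetime

# Audit activity names treated as credential additions (assumed display names).
CREDENTIAL_EVENTS = {"Add service principal credentials"}

# Constructed sample: two directory-audit entries, trimmed to the fields used.
AUDIT_LOG_JSON = """[
  {"activityDisplayName": "Add service principal credentials",
   "activityDateTime": "2020-12-15T03:12:44Z",
   "category": "ApplicationManagement",
   "initiatedBy": {"user": {"userPrincipalName": "svc-mailfilter@example.test"}},
   "targetResources": [{"displayName": "Mail Protection Connector",
                        "type": "ServicePrincipal",
                        "id": "00000000-0000-0000-0000-000000000001"}]},
  {"activityDisplayName": "Update user",
   "activityDateTime": "2020-12-15T09:01:00Z",
   "category": "UserManagement",
   "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
   "targetResources": [{"displayName": "Some User", "type": "User",
                        "id": "00000000-0000-0000-0000-0000000000aa"}]}
]"""

# Constructed sample: one service principal with an old and a new certificate.
SERVICE_PRINCIPALS_JSON = """[
  {"id": "00000000-0000-0000-0000-000000000001",
   "displayName": "Mail Protection Connector",
   "keyCredentials": [
     {"keyId": "aaaa-key", "type": "AsymmetricX509Cert", "usage": "Verify",
      "displayName": "CN=MailProtection",
      "startDateTime": "2019-06-01T00:00:00Z", "endDateTime": "2021-06-01T00:00:00Z"},
     {"keyId": "bbbb-key", "type": "AsymmetricX509Cert", "usage": "Verify",
      "displayName": "CN=MailProtection",
      "startDateTime": "2020-12-15T03:12:40Z", "endDateTime": "2022-12-15T03:12:40Z"}
   ]}
]"""


def parse_time(value):
    """Parse the Graph UTC timestamp format ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_additions(audit_entries, since):
    """Audit-log entries that added credentials to a service principal after `since`."""
    hits = []
    for entry in audit_entries:
        if entry.get("activityDisplayName") not in CREDENTIAL_EVENTS:
            continue
        when = parse_time(entry["activityDateTime"])
        if when < since:
            continue
        who = entry.get("initiatedBy", {})
        actor = (who.get("user") or {}).get("userPrincipalName") \
            or (who.get("app") or {}).get("displayName") or "unknown"
        for target in entry.get("targetResources", []):
            if target.get("type") == "ServicePrincipal":
                hits.append({"sp_id": target["id"], "service_principal": target["displayName"],
                             "actor": actor, "when": when.isoformat()})
    return hits


def recent_key_credentials(service_principals, since):
    """Certificate credentials whose validity starts after `since`."""
    hits = []
    for sp in service_principals:
        for cred in sp.get("keyCredentials", []):
            if cred.get("type") != "AsymmetricX509Cert":
                continue
            start = parse_time(cred["startDateTime"])
            if start >= since:
                lifetime = parse_time(cred["endDateTime"]) - start
                hits.append({"sp_id": sp["id"], "service_principal": sp["displayName"],
                             "keyId": cred["keyId"], "start": start.isoformat(),
                             "valid_days": lifetime.days})
    return hits


def review(audit_json, sp_json, since_iso):
    """Combine both checks; `correlated` lists principals flagged by both."""
    since = parse_time(since_iso)
    audit_hits = credential_additions(json.loads(audit_json), since)
    key_hits = recent_key_credentials(json.loads(sp_json), since)
    correlated = sorted({h["sp_id"] for h in audit_hits} & {h["sp_id"] for h in key_hits})
    return {"audit_hits": audit_hits, "key_hits": key_hits, "correlated": correlated}


if __name__ == "__main__":
    print(json.dumps(review(AUDIT_LOG_JSON, SERVICE_PRINCIPALS_JSON,
                            "2020-12-01T00:00:00Z"), indent=2))
```

Every principal in the correlated list deserves a look at who added the key, whether that account should be managing application credentials at all, and whether the new certificate matches anything the vendor of the application actually issued; a credential the team cannot account for is removed and the principal’s permissions are reviewed.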

SolarWinds APT

While the tactics, techniques & procedures (TTPs) turned out to be consistent with those used by the SolarWinds APT, in this case the espionage effort only affected a “limited subset of internal company emails,” the firm noted.

“We found no evidence of unauthorised access or compromise in any of our internal on-premises & production environments. … We do not use Azure cloud services in our production environments.”

A thorough investigation of all Malwarebytes source code, build & delivery processes showed no evidence of unauthorised access or compromise, it added.

Nation-State Attack

The Malwarebytes spokesperson noted only, “This was a nation-state attack against many vectors, including multiple security vendors.” The company declined to provide additional information on the TTPs linking this attack to the SolarWinds attackers.

“Why are the SolarWinds hackers going after security companies? When you piece together the puzzle it becomes scary,” Luttwak pondered.

Tools & Capabilities

“They are trying to feed the beast, the more power they have, it gives them more tools & capabilities to attack more companies & get their capabilities as well. If we think about how this all started, they were after the FireEye tools… it is like a game, they are attacking whoever has additional skills they can get.”

He further added, “What does a company like Malwarebytes… have? Well… endless capabilities. Every sensitive computer out there runs a security agent, most of them even have a cloud portal that allows to run privileged commands on any computer directly.”

Other Attack Methods

The SolarWinds espionage attack, which has affected several US government agencies, tech companies such as Microsoft & FireEye, & many others, began with a ‘poisoned software update’ that delivered the Sunburst backdoor to around 18,000 organisations last spring.

After the initial attack, the threat actors (believed to have links to Russia) selected specific targets for further infiltration, which they carried out over the course of several months. The compromises were discovered in December.

Supply-Chain Attack

The US Cybersecurity & Infrastructure Security Agency (CISA) announced earlier in January that the adversary relied not only on the SolarWinds supply-chain attack but also on additional means to compromise high-value targets, by exploiting administrative or service credentials.

“While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long & active campaign that has impacted so many high-profile targets,” according to Malwarebytes.

“It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new & complex attacks often associated with nation-state actors.”
