Malwarebytes hacked by the same malicious actors behind SolarWinds
Cybersecurity company Malwarebytes has revealed it was targeted by the same group behind the giant SolarWinds hack. But while the perpetrators appear to be the same, the attack on Malwarebytes is separate from SolarWinds.
California-based cybersecurity firm Malwarebytes revealed yesterday that it was recently targeted by the group responsible for the massive SolarWinds attack disclosed in December last year. Because Malwarebytes does not use SolarWinds software, the breach is not related to that supply-chain attack, which also impacted companies such as Microsoft and FireEye. Instead, a different intrusion vector was used against Malwarebytes: the company has confirmed that it works by abusing applications that have privileged access to Microsoft Office 365 and Azure environments.
“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” Malwarebytes CEO and co-founder Marcin Kleczynski said in a blog post explaining the incident.
Malwarebytes first became aware of the attack on December 15, after Microsoft’s Security Response Center informed it of suspicious activity coming from a third-party application in its Microsoft Office 365 tenant. It was quickly determined that the tactics, techniques and procedures (TTPs) were consistent with those used by the actors behind the SolarWinds attack.
An extensive investigation performed together with Microsoft’s Detection and Response Team (DART) showed that the attackers used a dormant email protection product in Malwarebytes’ Office 365 tenant, which allowed them to access a limited subset of internal company emails.
“We immediately activated our incident response group and engaged Microsoft’s Detection and Response Team (DART),” Kleczynski said. “Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert. The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails,” he continued.
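The vector described above, a forgotten third-party application that still holds app-only permissions over tenant mail, is exactly what an Azure AD (Entra ID) tenant owner should be hunting for. The script below is an added example, not code from Malwarebytes or Microsoft: it takes an assumed, simplified export of service principals (display name, app ID, whether the account is enabled, the application permissions granted to it, and the last time a token was issued to it, as you could assemble from Microsoft Graph’s service principal and sign-in data) and flags the ones that hold mail- or directory-wide permissions, ranking dormant-but-enabled ones highest. The records, the 90-day dormancy threshold and the choice of which permissions count as high risk are all constructed assumptions for the demo; the permission names themselves are real Microsoft Graph and Exchange Online names.

```python
"""Flag Azure AD service principals that hold app-only mail or directory
permissions, and which of them are dormant.

Added example, not Malwarebytes' or Microsoft's code. Input is an assumed,
simplified export: one record per service principal with its granted
application permissions (app roles) and last sign-in time. Sample records are
constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

# App-only (no signed-in user) permissions that reach every mailbox or the
# directory itself. Names are real Graph / Exchange Online permission names;
# which ones count as high risk is a policy assumption for this example.
HIGH_RISK_PERMISSIONS = {
    "Mail.Read": "read mail in every mailbox",
    "Mail.ReadWrite": "read and modify mail in every mailbox",
    "Mail.Send": "send mail as any user",
    "full_access_as_app": "Exchange Web Services access to every mailbox",
    "Directory.ReadWrite.All": "change users, groups and apps",
    "Application.ReadWrite.All": "add credentials to any app registration",
    "AppRoleAssignment.ReadWrite.All": "grant itself or other apps more permissions",
    "RoleManagement.ReadWrite.Directory": "assign directory roles such as Global Admin",
}

DORMANT_AFTER = timedelta(days=90)  # assumption: 90 days without a sign-in is dormant

# Reference time for the demo; in production use datetime.now(timezone.utc).
NOW = datetime(2020, 12, 15, tzinfo=timezone.utc)

# Constructed sample export. "permissions" are the app roles granted to the
# service principal; "lastSignInDateTime" is the last token issued to it
# (None if it never signed in within the retained logs).
SAMPLE_PRINCIPALS = [
    {"displayName": "Legacy mail filter", "appId": "11111111-1111-1111-1111-111111111111",
     "accountEnabled": True, "permissions": ["Mail.Read", "full_access_as_app"],
     "lastSignInDateTime": "2020-06-01T08:12:00Z"},
    {"displayName": "HR onboarding bot", "appId": "22222222-2222-2222-2222-222222222222",
     "accountEnabled": True, "permissions": ["User.Read.All"],
     "lastSignInDateTime": "2020-12-14T09:00:00Z"},
    {"displayName": "Ticketing connector", "appId": "33333333-3333-3333-3333-333333333333",
     "accountEnabled": True, "permissions": ["Mail.Send"],
     "lastSignInDateTime": "2020-12-10T17:45:00Z"},
    {"displayName": "Retired SSO gateway", "appId": "44444444-4444-4444-4444-444444444444",
     "accountEnabled": False, "permissions": ["Directory.ReadWrite.All"],
     "lastSignInDateTime": None},
]


def parse_timestamp(value):
    """Parse an ISO-8601 UTC timestamp as Graph returns it ('...Z'); None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(sp, now=NOW):
    """Return a finding for one service principal, or None if it holds nothing risky."""
    risky = sorted(p for p in sp["permissions"] if p in HIGH_RISK_PERMISSIONS)
    if not risky:
        return None
    last = parse_timestamp(sp.get("lastSignInDateTime"))
    dormant = last is None or (now - last) > DORMANT_AFTER
    if not sp["accountEnabled"]:
        severity = "medium"    # cannot get tokens today, but the grant survives re-enabling
    elif dormant:
        severity = "critical"  # unused yet still able to get tokens: nobody is watching it
    else:
        severity = "high"      # in use; confirm the usage is expected and monitored
    return {
        "displayName": sp["displayName"],
        "appId": sp["appId"],
        "permissions": risky,
        "dormant": dormant,
        "accountEnabled": sp["accountEnabled"],
        "severity": severity,
        "why": "; ".join(HIGH_RISK_PERMISSIONS[p] for p in risky),
    }


def audit(principals, now=NOW):
    """Run classify over an export and return findings, most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = [f for f in (classify(sp, now) for sp in principals) if f]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["displayName"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_PRINCIPALS):
        state = "dormant" if f["dormant"] else "active"
        print(f"[{f['severity']:8}] {f['displayName']} ({state}, "
              f"enabled={f['accountEnabled']}): {', '.join(f['permissions'])} -> {f['why']}")
```

On the constructed sample the legacy mail filter comes out as critical: it is enabled, can still obtain tokens, holds both Graph mail read and EWS full-mailbox access, and has not signed in for months, which is the profile of the dormant email protection product in the incident. The disabled SSO gateway ranks lower because a disabled service principal cannot get tokens, but the grant should still be removed rather than left to be re-enabled. Pair the enabled, dormant cases with a watch on their sign-in logs for any new token issuance.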
Malwarebytes also carefully investigated their source code, build and delivery processes, considering the nature of the SolarWinds attack. However, they found no evidence to suggest that attackers gained unauthorized access to any on-premises or production environments.
“Our software remains safe to use,” Kleczynski said.
Attackers are likely of Russian origin
In a joint statement released on January 5, the FBI, CISA, ODNI and the NSA said that the actors behind the massive SolarWinds hack were likely Russian in origin.
In what the agencies described as “an intelligence gathering effort”, the attackers gained access to SolarWinds’ systems and inserted malicious code into Orion, its IT infrastructure management software. The trojanized update was made available to around 33,000 Orion customers, some 18,000 of which installed it. Despite that number, only a small subset were actually compromised and saw follow-on activity in their networks. Among those compromised are numerous US government agencies, including the Department of Homeland Security, the Department of State, the Treasury Department and the Department of Justice.
Malwarebytes has become the fourth major cybersecurity firm known to have been targeted by the attackers behind SolarWinds, after Microsoft, CrowdStrike and FireEye.