
Security firm Malwarebytes said it has been breached by the same nation-state-sponsored hackers that have compromised a dozen or more U.S. government agencies and private companies.
The attackers are best known for first breaking into Austin, Texas-based SolarWinds, compromising its software distribution system, and using it to infect the networks of customers that ran SolarWinds network management software. In an online warning, however, Malwarebytes said the attackers used a different vector against it.
“Although Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor,” says the warning. “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.”
The investigators determined that the attacker gained access to a limited subset of the company’s internal emails. So far, investigators have found no evidence of unauthorized access or compromise in any Malwarebytes production environment.
The warning is not the first indication from researchers that the attack on the SolarWinds software supply chain was not the only means of infection.
When the massive compromise surfaced last month, Microsoft said the hackers also stole signing certificates that allowed them to impersonate existing users and accounts through the Security Assertion Markup Language. Usually abbreviated as SAML, the XML-based language provides a way for identity providers to exchange authentication and authorization data with service providers.
Twelve days ago, the Cybersecurity & Infrastructure Security Agency said that attackers may have obtained initial access by password guessing, password spraying, or exploiting administrative or service credentials.
Mimecast
“In our specific case, the threat agent added a self-signed certificate with credentials to the main service account,” wrote Malwarebytes researcher Marcin Kleczynski. “From there, they can authenticate using the key and make API calls to request emails via MSGraph.”
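The vector quoted above leaves a trail in the Azure AD audit log: a credential is attached to an application or service principal, and that identity then authenticates with the key and calls Microsoft Graph for mail. The following detector is an added example written for this article; it is not Malwarebytes’ or Microsoft’s code. It assumes audit records shaped like Azure AD audit-log JSON (activityDisplayName, initiatedBy, targetResources) and a separately maintained inventory of which application permissions each service principal holds; the records, app names and admin accounts below are constructed.

```python
"""Flag new certificates or secrets added to apps that can read mail tenant-wide."""
import re
from dataclasses import dataclass
from datetime import datetime

# Application permissions that let an app read every mailbox without a user signing in.
MAIL_READING_APP_PERMISSIONS = frozenset({"Mail.Read", "Mail.ReadWrite", "full_access_as_app"})

# Azure AD audit operations that attach a new key or secret to an app / service principal.
CREDENTIAL_OPERATIONS = frozenset({
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
})

_KEY_TYPE = re.compile(r"KeyType=(\w+)")


@dataclass
class Finding:
    when: datetime
    service_principal: str
    initiator: str
    credential_type: str      # e.g. AsymmetricX509Cert for a certificate credential
    permissions: frozenset
    severity: str


def _initiator(record):
    """Return the UPN or app name that performed the operation, or 'unknown'."""
    init = record.get("initiatedBy") or {}
    user = init.get("user") or {}
    app = init.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _credential_type(target):
    """Pull KeyType out of the KeyDescription property when the log carries one."""
    for prop in target.get("modifiedProperties") or []:
        if prop.get("displayName") == "KeyDescription":
            match = _KEY_TYPE.search(prop.get("newValue") or "")
            if match:
                return match.group(1)
    return "unknown"


def detect_privileged_credential_additions(records, permission_inventory, approved_admins=frozenset()):
    """Report credential additions to service principals holding mail-reading permissions.

    An addition by an identity outside approved_admins is 'high'; one by an approved
    admin is still reported as 'medium' so it gets a human review.
    """
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_OPERATIONS:
            continue
        when = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        who = _initiator(rec)
        for target in rec.get("targetResources") or []:
            name = target.get("displayName", "")
            risky = frozenset(permission_inventory.get(name, ())) & MAIL_READING_APP_PERMISSIONS
            if not risky:
                continue
            findings.append(Finding(
                when=when, service_principal=name, initiator=who,
                credential_type=_credential_type(target), permissions=risky,
                severity="high" if who not in approved_admins else "medium",
            ))
    return findings


# Constructed sample data (hypothetical tenant, app names and accounts).
SAMPLE_AUDIT_RECORDS = [
    {   # certificate added to an app that can read all mail, by an unexpected account
        "activityDateTime": "2020-12-14T03:12:45Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.test"}},
        "targetResources": [{
            "displayName": "Mail Archiver App",
            "modifiedProperties": [{
                "displayName": "KeyDescription",
                "newValue": "[KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=archiver]",
            }],
        }],
    },
    {   # routine secret rotation on an app with no mail permissions: not reported
        "activityDateTime": "2020-12-14T09:30:00Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.test"}},
        "targetResources": [{"displayName": "Ticketing Integration"}],
    },
    {   # unrelated operation: ignored
        "activityDateTime": "2020-12-14T10:00:00Z",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.test"}},
        "targetResources": [{"displayName": "some.user"}],
    },
]
PERMISSION_INVENTORY = {
    "Mail Archiver App": {"Mail.Read", "User.Read.All"},
    "Ticketing Integration": {"Sites.Read.All"},
}
APPROVED_ADMINS = frozenset({"it-admin@example.test"})

if __name__ == "__main__":
    for f in detect_privileged_credential_additions(SAMPLE_AUDIT_RECORDS, PERMISSION_INVENTORY, APPROVED_ADMINS):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.severity.upper()}: {f.initiator} added {f.credential_type} "
              f"to '{f.service_principal}' holding {sorted(f.permissions)}")
```

The permission inventory is the piece most teams lack: without knowing which service principals hold Mail.Read or full_access_as_app as application permissions, every credential addition looks the same. Pairing the audit event with that inventory is what turns a routine key rotation and the vector described above into different alerts.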
Last week, email management provider Mimecast also said that hackers compromised a digital certificate it had issued and used it to target select customers who rely on that certificate to encrypt data they send and receive through the company’s cloud-based service. Although Mimecast did not say that the certificate compromise was related to the ongoing attack, the similarities make it likely that the two are related.
Because the attackers used their access to the SolarWinds network to compromise that company’s software-building system, Malwarebytes researchers investigated the possibility that their own build system, too, was being used to infect their customers. So far, Malwarebytes said, there was no evidence of such an infection. The company also inspected its source code repositories for signs of malicious changes.
Malwarebytes said it learned of the intrusion from Microsoft on December 15, two days after the SolarWinds hack was first disclosed. Microsoft identified the compromise through suspicious activity from a third-party application in Malwarebytes’ Microsoft Office 365 tenant. The tactics, techniques and procedures in the Malwarebytes attack were similar in essential respects to those of the threat actor involved in the SolarWinds attacks.
Malwarebytes’ warning marks the fourth time a company has revealed that it was targeted by the SolarWinds hackers. Microsoft and security companies FireEye and CrowdStrike were also targeted, although CrowdStrike said the attempt to infect its network was unsuccessful. Affected government agencies include the Departments of Defense, Justice, Treasury, Trade and Homeland Security, as well as the National Institutes of Health.