The SolarWinds cyberattack has continued to cause a lot of pain for many organizations in the cybersecurity industry.
Most recently, Malwarebytes has reported they have been targeted by the same nation-state actor that caused the SolarWinds attack, despite not using SolarWinds products.
The organization has confirmed "another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments."
Through an investigation into the incident, Malwarebytes was able to determine that only a limited subset of internal emails had been accessed. It also found no evidence of "unauthorized access or compromise in any of our internal on-premises and production environments."
Cyberattack impact on Malwarebytes
Malwarebytes was contacted by the Microsoft Security Response Center on December 15, 2020, warning of suspicious activity similar to the tactics, techniques, and procedures (TTPs) of the SolarWinds attack.
Here is how the company says it responded to this notification of suspicious activity:
"We immediately activated our incident response group and engaged Microsoft's Detection and Response Team (DART). Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert. The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.
Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use."
SolarWinds hackers attack in multiple ways
U.S. CISA has stated that the SolarWinds hackers did not rely solely on the SolarWinds supply chain attack, but used additional measures to compromise high-value targets by exploiting administrative or service credentials.
Back in 2019, a security researcher discovered a flaw in Azure Active Directory in which a user could escalate privileges by assigning credentials to applications. Later that year, the same researcher found that the flaw had still not been fixed, and that it effectively provided backdoor access, via principals' credentials, into Microsoft Graph and Azure AD Graph.
A recent CISA report shows that threat actors could have gained initial access through password spraying and exploiting administrative or service credentials.
Here is what happened in Malwarebytes' case, according to the company:
"In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph."
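A defender-side check for the pattern described in that quote, added here as an example (not Malwarebytes' or Microsoft's code): it scans records shaped like Azure AD's "Add service principal credentials" audit entries and flags credential additions to service principals that had not signed in for a long time, the "dormant email protection product" case. All records, principal names, actors and timestamps are constructed.

```python
# Added example (not Malwarebytes' or Microsoft's code): flag credentials added
# to service principals that had been idle. Record layout mimics the Azure AD
# audit log; every value below is constructed.
from datetime import datetime, timedelta

SUSPECT_OPERATIONS = {"Add service principal credentials"}

# Constructed audit-log records, trimmed to the fields the check uses.
AUDIT_RECORDS = [
    {"activityDateTime": "2020-12-10T02:14:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@corp.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Legacy Mail Protection",
                          "modifiedProperties": [{"displayName": "KeyDescription"}]}]},
    {"activityDateTime": "2020-12-11T09:00:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@corp.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Ticketing Sync",
                          "modifiedProperties": [{"displayName": "KeyDescription"}]}]},
    {"activityDateTime": "2020-12-11T09:05:00Z",
     "activityDisplayName": "Update service principal",
     "initiatedBy": {"user": {"userPrincipalName": "admin@corp.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Ticketing Sync"}]},
]

# Constructed: last successful sign-in per service principal, taken from sign-in logs.
LAST_SIGN_IN = {"Legacy Mail Protection": "2020-06-01T00:00:00Z",
                "Ticketing Sync": "2020-12-10T22:00:00Z"}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def flag_dormant_credential_adds(records, last_sign_in, dormant_days=90):
    """Return (time, actor, principal) for each credential added to a service
    principal with no sign-in for dormant_days or more, or no sign-in at all."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in SUSPECT_OPERATIONS:
            continue
        when = _ts(rec["activityDateTime"])
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        for target in rec.get("targetResources", []):
            if target.get("type") != "ServicePrincipal":
                continue
            name = target.get("displayName")
            seen = last_sign_in.get(name)
            # A principal nobody has used for months suddenly gaining a key is
            # exactly the case worth a human look, whoever the actor was.
            if seen is None or when - _ts(seen) >= timedelta(days=dormant_days):
                findings.append((rec["activityDateTime"], actor, name))
    return findings
```

In a real tenant the records would come from the audit log export and the sign-in map from the service principal sign-in logs; the threshold is a starting point, not a rule.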
Malwarebytes has encouraged everyone in the security industry to use this SolarWinds attack as an opportunity to come together and share any knowledge that is available.