Malwarebytes, a U.S. cyber-security firm, has announced that it was hacked by the same threat actors responsible for the SolarWinds breach.
Malwarebytes is not a SolarWinds customer, so this breach is not related to the SolarWinds supply chain attack.
In its official statement on the incident, Malwarebytes confirmed that the hackers abused applications with privileged access to Microsoft Office 365 and Azure environments. The result was a breach involving a limited subset of Malwarebytes’ internal company emails.
“The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments,” Malwarebytes said in its statement.
This breach was achieved through an Azure Active Directory vulnerability allowing users to escalate privileges by assigning credentials to applications.
Malwarebytes discovered that the threat actors added a self-signed certificate to ultimately request access to internal emails through MSGraph.
“In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph.”
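One defensive check that follows from this description, as an added example and not code from Malwarebytes or Microsoft: scan Azure AD audit-log events for certificate credentials newly added to a service principal, the exact change the attacker made here. The sample records and the simplified field layout (activityDisplayName, targetResources, modifiedProperties with a KeyDescription value) are constructed assumptions, not real tenant data.

```python
import json
import re

# Constructed sample Azure AD audit-log records (not real tenant data); the
# field layout is a simplified, assumed subset of the real audit schema.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2021-01-12T03:14:07Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "Legacy Mail Protection", "modifiedProperties": [
         {"displayName": "KeyDescription", "oldValue": "[]",
          "newValue": "[\"[KeyIdentifier=11111111-aaaa-4bbb-8ccc-000000000001,"
                      "KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=proxy]\"]"}]}]},
    {"activityDateTime": "2021-01-12T09:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "hr@example.test"}},
     "targetResources": [{"displayName": "J. Doe", "modifiedProperties": []}]},
    {"activityDateTime": "2021-01-13T10:00:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "dev@example.test"}},
     "targetResources": [{"displayName": "Build Bot", "modifiedProperties": [
         {"displayName": "KeyDescription", "oldValue": "[]",
          "newValue": "[\"[KeyIdentifier=22222222-aaaa-4bbb-8ccc-000000000002,"
                      "KeyType=Symmetric,KeyUsage=Verify,DisplayName=hmac]\"]"}]}]},
])

KEY_RE = re.compile(r"KeyIdentifier=([0-9a-fA-F-]+),KeyType=(\w+)")
CRED_EVENTS = {"Add service principal credentials",
               "Update application - Certificates and secrets management"}

def cert_key_ids(key_description):
    """KeyIdentifiers of X.509 certificate credentials listed in a KeyDescription value."""
    return {kid for kid, ktype in KEY_RE.findall(key_description) if ktype == "AsymmetricX509Cert"}

def find_added_cert_credentials(audit_json):
    """One (timestamp, actor, target display name, key id) per certificate credential newly added."""
    findings = []
    for event in json.loads(audit_json):
        if event.get("activityDisplayName") not in CRED_EVENTS:
            continue  # not a credential change on an app or service principal
        actor = (event.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName", "<unknown>")
        for target in event.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "KeyDescription":
                    continue
                # Diff old and new key lists so rotating an existing cert is not reported as a hit
                added = cert_key_ids(prop.get("newValue", "")) - cert_key_ids(prop.get("oldValue", ""))
                for kid in sorted(added):
                    findings.append((event["activityDateTime"], actor, target.get("displayName", "?"), kid))
    return findings
```

Each finding should be reviewed against a change ticket; a certificate appearing on a dormant or unused service principal, as in this incident, is the case to escalate.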
Securing Azure tenants is challenging, especially when third-party vendors with access to the tenant can themselves be singled out in a third-party breach campaign.
The Cybersecurity and Infrastructure Security Agency (CISA) released an alert outlining the tactics used by the SolarWinds threat actors. Initial attack vectors often involve password guessing, password spraying and/or exploiting inappropriately secured administrative or service credentials.
CISA also observed the attackers moving from a user context to administrator rights, i.e. privilege escalation. This means that tactics which prevent privilege escalation could potentially fend off such attacks.
Internal communications seem to be the new coveted commodity amongst cybercriminals. This could be a purely coincidental development, or evidence of a broad reconnaissance campaign by the same threat actor.