The Russian hackers behind the massive SolarWinds attack gained access to a limited subset of Malwarebytes’ internal company emails stored in Microsoft Office 365.
The endpoint security vendor said it received information Dec. 15 from the Microsoft Security Response Center about suspicious activity from a third-party application in its Office 365 tenant, Malwarebytes CEO Marcin Kleczynski wrote in a blog post Tuesday. The suspicious activity was consistent with the tactics, techniques and procedures of the hackers behind the SolarWinds attack.
Malwarebytes’ incident response group and Microsoft’s Detection and Response Team joined forces to perform an extensive investigation of both Malwarebytes’ cloud and on-premises environments for any activity related to the API calls that triggered the initial alert, Kleczynski said. Malwarebytes doesn’t itself use the SolarWinds Orion network monitoring tool that hackers injected malicious code into for months.
“The investigation indicates the attackers leveraged a dormant email production product within our Office 365 tenant that allowed access to a limited subset of internal company emails,” Kleczynski wrote in the blog post.
Kleczynski said Malwarebytes immediately performed a thorough investigation of all its source code, build and delivery processes, including reverse engineering the company’s own software. The company’s internal systems show no evidence of unauthorized access or compromise in any on-premises or production environment, and Malwarebytes’ software remains safe to use, according to Kleczynski.
The Malwarebytes compromise confirms the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments, according to Kleczynski. Malwarebytes doesn’t use Azure cloud services in its production environments, he said.
In the Malwarebytes situation, Kleczynski said the threat actor added a self-signed certificate with credentials to the service principal account. From there, Kleczynski said hackers can authenticate using the key and make API calls to request emails via Microsoft Graph.
“The adversary did not only rely on the SolarWinds supply-chain attack but indeed used additional means to compromise high-value targets by exploiting administrative or service credentials,” Kleczynski wrote. “Third-party applications can be abused if an attacker with sufficient administrative privilege gains access to a tenant.”
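A defender-side check for the vector described above, added here as an example and not code from Malwarebytes, Microsoft or CRN: it scans Azure AD directory audit records for credentials being added to an application or service principal and flags any app that is not on an allow-list of apps expected to rotate keys, which is how a dormant app suddenly receiving a new certificate would stand out. The sample records are constructed, and the field names assume the documented directoryAudit shape (activityDisplayName, initiatedBy, targetResources).

```python
import json

# Audit-log activity names that record a new secret or certificate being
# attached to an app or service principal. Assumption: these match the
# activityDisplayName values Azure AD writes; adjust to your tenant's logs.
CREDENTIAL_EVENTS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}
PRINCIPAL_TYPES = {"ServicePrincipal", "Application"}

# Constructed sample audit log: one credential added to a dormant mail app by an
# admin account, one unrelated user creation, one expected CI key rotation.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2020-12-10T02:14:07Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Legacy Mail Filter"}]},
    {"activityDateTime": "2020-12-10T09:00:00Z",
     "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "New Hire"}]},
    {"activityDateTime": "2020-12-11T11:30:00Z",
     "activityDisplayName": "Update application - Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.example"}},
     "targetResources": [{"type": "Application", "displayName": "CI Pipeline"}]},
])


def find_credential_additions(records, known_apps=frozenset()):
    """Return one alert per credential added to an app/service principal.

    known_apps: display names whose keys are expected to rotate; every other
    target (especially a dormant app) is marked as unexpected.
    """
    alerts = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_EVENTS:
            continue
        initiator = rec.get("initiatedBy", {})
        actor = ((initiator.get("user") or {}).get("userPrincipalName")
                 or (initiator.get("app") or {}).get("displayName") or "<unknown>")
        for target in rec.get("targetResources", []):
            if target.get("type") not in PRINCIPAL_TYPES:
                continue
            name = target.get("displayName", "<unknown>")
            alerts.append({"time": rec.get("activityDateTime"), "app": name,
                           "actor": actor, "expected": name in known_apps})
    return alerts


def unexpected_credential_additions(raw_json, known_apps):
    """Parse a JSON array of audit records and keep only unexpected additions."""
    return [a for a in find_credential_additions(json.loads(raw_json), known_apps)
            if not a["expected"]]
```

Each alert names the app that gained a credential and the identity that added it, which is the pairing an investigator needs to decide whether an admin or service credential has been abused.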
Kleczynski noted that security researcher Dirk-jan Mollema had two years ago exposed a flaw in Azure Active Directory where one could escalate privileges by assigning credentials to applications. In September 2019, Mollema found that the vulnerability still existed and essentially provided backdoor access to principals’ credentials in Microsoft Graph and Azure Active Directory Graph, Kleczynski said.
Microsoft didn’t immediately respond to a request for comment from CRN.
Like Malwarebytes, Sunnyvale, Calif.-based endpoint security rival CrowdStrike was contacted on Dec. 15 by Microsoft’s Threat Intelligence Center, which had identified a reseller’s Microsoft Azure account making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago, CrowdStrike CTO Michael Sentonas disclosed Dec. 23.
The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and the hackers failed in their attempt to read the company’s email since CrowdStrike doesn’t use Office 365 email, according to Sentonas.
Similarly, Microsoft recently informed Mimecast that a sophisticated threat actor had compromised a Mimecast certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services, Mimecast said Jan. 12. The compromised certificate was used to authenticate Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365.
Mimecast declined to answer CRN questions about whether its breach was carried out by the same group that attacked SolarWinds. But three cybersecurity officials told Reuters Jan. 12 they suspected the hackers who compromised Mimecast were the same group that broke into SolarWinds. The Washington Post reported that the SolarWinds attack was carried out by the Russian foreign intelligence service.
The fourth pure-play cybersecurity vendor to publicly disclose an attack in recent weeks is FireEye, which blew the lid off the hacking campaign Dec. 8 when the threat intelligence vendor said that it was breached in an attack designed to gain information on some of its government customers. The attacker was able to access some of FireEye’s internal systems, the company said.