Malwarebytes has become the latest technology provider to admit it was hit by the same threat actor that compromised SolarWinds.
Although the cybersecurity vendor doesn’t use the SolarWinds Orion network management software that was infected with a backdoor, Malwarebytes CEO Marcin Kleczynski said the same attacker — dubbed UNC2452 by FireEye — got into its Microsoft cloud applications.
“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” the Jan. 19 statement said.
“After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.”
On Tuesday, FireEye issued a detailed white paper outlining how UNC2452 abuses Microsoft 365 and how organizations can harden and remediate their tenants. Other organizations that have disclosed intrusions by this group, to varying degrees, include Cisco, FireEye and CrowdStrike.
Kleczynski said Microsoft’s Security Response Center tipped off Malwarebytes on Dec. 15 about suspicious activity from a third-party application in its Office 365 environment with the tactics, techniques and procedures of the same advanced threat actor involved in the SolarWinds attacks.
Creeping into Office 365
An investigation showed the attackers leveraged what Kleczynski said was a “dormant email protection product within our Office 365 tenant” that allowed access to a limited subset of internal company emails. The company doesn’t use Azure cloud services in production environments.
The statement also pointed out that the abuse path is not new: as far back as 2019, weaknesses in how Azure Active Directory handles application credentials had been identified. An attacker who can assign credentials (a certificate or secret) to an existing application effectively gains a backdoor: holding that key, they can authenticate as the application's service principal and use whatever permissions it has already been granted against Microsoft Graph and Azure AD Graph, without needing any user's password. The statement further noted that U.S. government researchers at CISA found UNC2452 had used password guessing and password spraying to gain access to some victims.
“In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account,” Kleczynski said. “From there, they can authenticate using the key and make API calls to request emails via ‘MSGraph.’”
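The two passages above describe one detection opportunity: a credential being attached to an existing application or service principal, followed by that principal reading mail through Microsoft Graph. The script below is an added example, not code from Malwarebytes, FireEye or any vendor tool, showing how a responder could triage that pattern from exported Azure AD audit logs. The audit records and service-principal inventory are constructed; the field names follow the Microsoft Graph `directoryAudits` and `servicePrincipals` schemas, but `appPermissions` is a hypothetical pre-resolved field (Graph returns `appRoleId` GUIDs that you would map to permission names first), and the tenant, principal and actor names are made up.

```python
import re

# Activity names Azure AD writes when a credential is attached to an existing app
# or service principal (the names are real; every record below is constructed).
CREDENTIAL_ADD_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# App-only permissions that read mailboxes with no signed-in user (assumption:
# partial list, extend it for your tenant).
MAIL_APP_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All", "full_access_as_app"}
# The new credential is logged as a KeyDescription value shaped like
# "[KeyIdentifier=...,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=...]".
KEY_TYPE_RE = re.compile(r"KeyType=([A-Za-z0-9]+)")

# Constructed audit records in the shape of Microsoft Graph `directoryAudits`.
SAMPLE_AUDIT = [
    {"activityDateTime": "2020-12-14T03:12:41Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "gadmin@example.onmicrosoft.com"}},
     "targetResources": [{"displayName": "LegacyMailProtect", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "KeyDescription", "oldValue": "[]",
                                                  "newValue": '["[KeyIdentifier=2f1c0a9e,KeyType=AsymmetricX509Cert,'
                                                              'KeyUsage=Verify,DisplayName=CN=LegacyMailProtect]"]'}]}]},
    {"activityDateTime": "2020-12-14T09:00:05Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.onmicrosoft.com"}},
     "targetResources": [{"displayName": "j.doe", "type": "User", "modifiedProperties": []}]},
    {"activityDateTime": "2020-12-10T16:22:09Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Build Automation"}},
     "targetResources": [{"displayName": "BuildPipelineBot", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "KeyDescription", "oldValue": "[]",
                                                  "newValue": '["[KeyIdentifier=7b44d1c3,KeyType=Password,'
                                                              'KeyUsage=Verify,DisplayName=ci]"]'}]}]},
]

# Constructed service-principal inventory (`appPermissions` is hypothetical, see lead-in).
SAMPLE_SPS = [
    {"displayName": "LegacyMailProtect", "passwordCredentials": [],
     "keyCredentials": [{"type": "AsymmetricX509Cert", "endDateTime": "2022-12-14T03:12:41Z"}],
     "appPermissions": ["Mail.Read", "User.Read.All"]},
    {"displayName": "BuildPipelineBot", "keyCredentials": [],
     "passwordCredentials": [{"endDateTime": "2021-06-10T00:00:00Z"}],
     "appPermissions": ["Sites.Read.All"]},
    {"displayName": "HRSync", "passwordCredentials": [],
     "keyCredentials": [{"type": "AsymmetricX509Cert", "endDateTime": "2021-03-01T00:00:00Z"}],
     "appPermissions": ["Mail.Read"]},
]


def _actor(record):
    """Who made the change: a user's UPN, or the display name of the app that acted."""
    who = record.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName", "?")
    if who.get("app"):
        return who["app"].get("displayName", "?")
    return "?"


def credential_additions(records):
    """One finding per target that had a credential attached, with the key types
    Azure AD recorded (AsymmetricX509Cert = certificate, Password = client secret)."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ADD_ACTIVITIES:
            continue
        for target in rec.get("targetResources", []):
            key_types = set()
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") == "KeyDescription":
                    key_types.update(KEY_TYPE_RE.findall(prop.get("newValue") or ""))
            findings.append({"time": rec.get("activityDateTime"), "actor": _actor(rec),
                             "target": target.get("displayName"), "keyTypes": sorted(key_types)})
    return findings


def mail_capable(service_principals):
    """Principals holding a credential AND an app permission that reads mail: anyone
    with that key can authenticate as the principal and pull mail through Graph."""
    out = set()
    for sp in service_principals:
        has_cred = bool(sp.get("keyCredentials")) or bool(sp.get("passwordCredentials"))
        if has_cred and MAIL_APP_PERMISSIONS & set(sp.get("appPermissions", [])):
            out.add(sp["displayName"])
    return out


def suspicious_credential_adds(records, service_principals):
    """Credential additions whose target can read mail: these get triaged first."""
    risky = mail_capable(service_principals)
    return [f for f in credential_additions(records) if f["target"] in risky]


if __name__ == "__main__":
    for f in suspicious_credential_adds(SAMPLE_AUDIT, SAMPLE_SPS):
        print(f"{f['time']} {f['actor']} added {','.join(f['keyTypes'])} to {f['target']}")
```

Against the constructed data the only hit is the certificate added to `LegacyMailProtect`, the dormant mail-protection app with `Mail.Read`; the client secret added to the build bot is still reported by `credential_additions` but is not prioritized because that principal cannot read mail. In a real tenant the audit records come from `GET /auditLogs/directoryAudits` on Microsoft Graph, and a credential addition should then be cross-checked against the service-principal sign-in logs for token requests from unfamiliar IP ranges after the change.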
CrowdStrike has released a free tool, the CrowdStrike Reporting Tool for Azure (CRT), to help organizations identify and mitigate these risks in Azure Active Directory, including reviewing application credentials and permissions.