The attack vector was not the Orion platform but rather an email-protection application for Microsoft 365.
Malwarebytes is the latest discovered victim of the SolarWinds hackers, the security company said – except that it wasn’t targeted through the SolarWinds platform.
“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor,” it disclosed in a Tuesday web posting.
Instead of using the SolarWinds Orion network-management system, the advanced persistent threat (APT) abused “applications with privileged access to Microsoft Office 365 and Azure environments,” the security firm said — specifically, an email-protection application.
“What started out as the SolarWinds attack is slowly turning out to be perhaps the most sophisticated and wide-reaching cyber-campaign we have ever seen,” Ami Luttwak, CTO and co-founder of Wiz, said via email. “It encompasses multiple companies used as backdoors to other companies, numerous tools and novel attack methods. This is far more than SolarWinds.”
Suspicious Microsoft 365 API Calls
The Microsoft Security Response Center flagged suspicious activity from a third-party email-security application used with Malwarebytes’ Microsoft Office 365 hosted service on Dec. 15. The activity was visible in the application’s API calls. After that, the company and Microsoft kicked off an “extensive” investigation.
“A newly released CISA report reveals how threat actors may have obtained initial access by password guessing or password spraying in addition to exploiting administrative or service credentials,” according to Malwarebytes. “In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph.”
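The technique Malwarebytes describes (a credential added to a service principal, then used to call Microsoft Graph for mail) leaves a trace in the Azure AD audit log. As an added example, not code from the article or from Malwarebytes, the following Python scans exported audit-log records for credentials newly attached to an application or service principal and prioritises the ones whose app already holds a Graph mail permission. The event names and field layout follow the Microsoft Graph directoryAudit shape but are assumptions to verify against your tenant's export; the log records and the permission map are constructed.

```python
import json

# Audit events that attach a certificate or secret to an app or service
# principal. Names follow Azure AD audit-log convention but are assumptions
# here; compare with the activityDisplayName values in your own export.
CREDENTIAL_EVENTS = {
    "Update application \u2013 Certificates and secrets management",
    "Add service principal credentials",
}

# Graph application permissions that let an app read mailboxes tenant-wide.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}

# Constructed sample: three audit records. The second adds a second X.509
# key to a mail-security connector, the third adds a secret to a build app.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2020-12-14T09:02:11Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
     "targetResources": [{"id": "u-1", "displayName": "J. Doe", "modifiedProperties": []}]},
    {"activityDateTime": "2020-12-14T23:41:07Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"id": "sp-mail-001", "displayName": "mail-security-connector",
                          "modifiedProperties": [{"displayName": "KeyDescription",
         "oldValue": json.dumps([{"KeyIdentifier": "key-1", "KeyType": "AsymmetricX509Cert"}]),
         "newValue": json.dumps([{"KeyIdentifier": "key-1", "KeyType": "AsymmetricX509Cert"},
                                 {"KeyIdentifier": "key-2", "KeyType": "AsymmetricX509Cert"}])}]}]},
    {"activityDateTime": "2020-12-15T08:10:45Z",
     "activityDisplayName": "Update application \u2013 Certificates and secrets management",
     "initiatedBy": {"app": {"displayName": "ci-automation"}},
     "targetResources": [{"id": "sp-build-002", "displayName": "build-pipeline-app",
                          "modifiedProperties": [{"displayName": "KeyDescription",
         "oldValue": json.dumps([]),
         "newValue": json.dumps([{"KeyIdentifier": "key-3", "KeyType": "Password"}])}]}]},
]

# Constructed map of app/service-principal id -> granted Graph app permissions.
SAMPLE_APP_PERMISSIONS = {
    "sp-mail-001": ["Mail.Read", "User.Read.All"],
    "sp-build-002": ["Sites.Read.All"],
}


def _parse_keys(value):
    """modifiedProperties carry the credential list as a JSON-encoded string."""
    if not value:
        return []
    try:
        data = json.loads(value)
    except json.JSONDecodeError:
        return []
    return data if isinstance(data, list) else []


def _actor(record):
    """Who performed the change: a user principal or a calling application."""
    who = record.get("initiatedBy", {})
    if who.get("user"):
        return who["user"].get("userPrincipalName", "unknown-user")
    if who.get("app"):
        return who["app"].get("displayName", "unknown-app")
    return "unknown"


def find_credential_additions(records):
    """One finding per key or secret that appears in newValue but not oldValue."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_EVENTS:
            continue
        for target in rec.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "KeyDescription":
                    continue
                old_ids = {k.get("KeyIdentifier") for k in _parse_keys(prop.get("oldValue"))}
                for key in _parse_keys(prop.get("newValue")):
                    if key.get("KeyIdentifier") in old_ids:
                        continue
                    findings.append({
                        "time": rec.get("activityDateTime"),
                        "actor": _actor(rec),
                        "target_id": target.get("id"),
                        "target_name": target.get("displayName"),
                        "key_type": key.get("KeyType"),
                        "key_id": key.get("KeyIdentifier"),
                    })
    return findings


def prioritise_mail_access(findings, app_permissions):
    """Keep only findings whose target can read mail through Graph."""
    return [f for f in findings
            if MAIL_PERMISSIONS & set(app_permissions.get(f["target_id"], []))]


if __name__ == "__main__":
    hits = find_credential_additions(SAMPLE_AUDIT_LOG)
    for h in prioritise_mail_access(hits, SAMPLE_APP_PERMISSIONS):
        print(f"{h['time']} {h['actor']} added {h['key_type']} {h['key_id']} "
              f"to {h['target_name']} ({h['target_id']}), app holds mail permissions")
```

Comparing oldValue against newValue rather than alerting on the event alone matters in practice: routine certificate rotation also produces these events, and a connector that legitimately owns one certificate suddenly owning two is the shape of the change described above. Pairing the finding with the app's granted permissions is what separates a noisy change on a build app from a change on something that can read every mailbox.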
While the tactics, techniques and procedures (TTPs) turned out to be consistent with those used by the SolarWinds APT, in this case the espionage effort only affected a “limited subset of internal company emails,” the firm noted. “We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments…. We do not use Azure cloud services in our production environments.”
A thorough investigation of all Malwarebytes source code, build and delivery processes showed no evidence of unauthorized access or compromise, it added.
A Malwarebytes spokesperson noted only, “This was a nation-state attack against many vectors, including multiple security vendors.” The company declined to provide additional information on the TTPs linking this attack to the SolarWinds attackers.
“Why are the SolarWinds hackers going after security companies? When you piece together the puzzle it becomes scary,” Luttwak said. “They are trying to feed the beast, the more power they have, it gives them more tools and capabilities to attack more companies and get their capabilities as well. If we think about how this all started, they were after the FireEye tools… it’s like a game, they are attacking whoever has additional skills they can get.”
He added, “What does a company like Malwarebytes… have? Well… endless capabilities. Every sensitive computer out there runs a security agent, most of them even have a cloud portal that allows to run privileged commands on any computer directly.”
Other Attack Vectors Beyond SolarWinds
The SolarWinds espionage attack, which has affected several U.S. government agencies, tech companies like Microsoft and FireEye, and many others, began with a poisoned software update that delivered the Sunburst backdoor to around 18,000 organizations last spring. After that broad-brush attack, the threat actors (believed to have links to Russia) selected specific targets to further infiltrate, which they did over the course of several months. The compromises were discovered in December.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced earlier in January that the adversary did not only rely on the SolarWinds supply-chain attack but also used additional means to compromise high-value targets by exploiting administrative or service credentials.
“While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets,” according to Malwarebytes. “It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation-state actors.”