Security firm Malwarebytes was infected by same hackers who hit SolarWinds


Security firm Malwarebytes said it was breached by the same nation-state-sponsored hackers who compromised a dozen or more US government agencies and private companies.

The attackers are best known for first hacking into Austin, Texas-based SolarWinds, compromising its software-distribution system and using it to infect the networks of customers who used SolarWinds’ network management software. In an online notice, however, Malwarebytes said the attackers used a different vector.

“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor,” the notice stated. “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.”

Investigators have determined that the attacker gained access to a limited subset of internal company emails. So far, the investigators have found no evidence of unauthorized access or compromise in any Malwarebytes production environments.

The notice isn’t the first time investigators have said the SolarWinds software supply chain attack wasn’t the sole means of infection.

When the mass compromise came to light last month, Microsoft said the hackers also stole signing certificates that allowed them to impersonate any of a target’s existing users and accounts through the Security Assertion Markup Language. Typically abbreviated as SAML, the XML-based language provides a way for identity providers to exchange authentication and authorization data with service providers.

Twelve days ago, the Cybersecurity & Infrastructure Security Agency said that the attackers may have obtained initial access by using password guessing or password spraying or by exploiting administrative or service credentials.

“In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account,” Malwarebytes researcher Marcin Kleczynski wrote. “From there, they can authenticate using the key and make API calls to request emails via MSGraph.”
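The vector Kleczynski describes leaves a trace in the tenant's directory audit log: a credential is added to a service principal before any mail is read. The following is an added defender-side example, not code from the article or from Malwarebytes, that reviews such records and flags credentials added to principals holding mailbox permissions or added by an unapproved identity. The audit records, the permission inventory and their field names are constructed and simplified assumptions, not a real tenant's data.

```python
from dataclasses import dataclass

# Constructed sample records, loosely modelled on the Azure AD directory
# audit log. Field names are simplified for this example (assumption).
SAMPLE_AUDIT_LOG = [
    {"time": "2020-12-10T08:12:44Z", "operation": "Add service principal credentials",
     "initiator": "admin@example.test", "target": "hr-reporting-app",
     "credentialType": "AsymmetricX509Cert"},
    {"time": "2020-12-11T23:41:02Z", "operation": "Add service principal credentials",
     "initiator": "svc-legacy@example.test", "target": "mail-archiver-app",
     "credentialType": "AsymmetricX509Cert"},
    {"time": "2020-12-12T09:05:17Z", "operation": "Update application",
     "initiator": "admin@example.test", "target": "hr-reporting-app",
     "credentialType": None},
    {"time": "2020-12-14T16:20:31Z", "operation": "Add service principal credentials",
     "initiator": "admin@example.test", "target": "mail-archiver-app",
     "credentialType": "AsymmetricX509Cert"},
]

# Constructed inventory of Graph application permissions per service principal;
# in practice this is exported from the tenant's app registrations.
APP_PERMISSIONS = {
    "hr-reporting-app": {"User.Read.All"},
    "mail-archiver-app": {"Mail.Read", "User.Read.All"},
}
APPROVED_INITIATORS = {"admin@example.test"}
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite"}


@dataclass(frozen=True)
class Alert:
    time: str
    target: str
    credential_type: str
    reasons: tuple


def review_credential_additions(records, app_permissions, approved_initiators):
    """Return one Alert per credential added to a service principal that can
    read mailboxes or whose credential was added by an unapproved identity."""
    alerts = []
    for rec in records:
        if rec["operation"] != "Add service principal credentials":
            continue
        reasons = []
        mail_perms = app_permissions.get(rec["target"], set()) & MAIL_SCOPES
        if mail_perms:  # the new key can now be used to pull mail via Graph
            reasons.append("holds mailbox permissions: " + ", ".join(sorted(mail_perms)))
        if rec["initiator"] not in approved_initiators:
            reasons.append("added by unapproved identity " + rec["initiator"])
        if reasons:
            alerts.append(Alert(rec["time"], rec["target"],
                                rec.get("credentialType") or "unknown", tuple(reasons)))
    return alerts
```

Every addition to a mail-capable principal is reported even when an approved admin made it, since that is the change a reviewer should confirm against a ticket.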

Last week, email management provider Mimecast also said that hackers compromised a digital certificate it issued and used it to target select customers who use it to encrypt data they sent and received through the company’s cloud-based service. While Mimecast didn’t say the certificate compromise was related to the ongoing attack, the similarities make it likely that the two attacks are related.

Because the attackers used their access to the SolarWinds network to compromise the company’s software build system, Malwarebytes researchers investigated the possibility that they too were being used to infect their customers. So far, Malwarebytes said it has no evidence of such an infection. The company has also inspected its source code repositories for signs of malicious changes.

Malwarebytes said it first learned of the infection from Microsoft on December 15, two days after the SolarWinds hack was first disclosed. Microsoft identified the network compromise through suspicious activity from a third-party application in Malwarebytes’ Microsoft Office 365 tenant. The tactics, techniques, and procedures in the Malwarebytes attack were similar in key ways to those of the threat actor involved in the SolarWinds attacks.

Malwarebytes’ disclosure marks the fourth time a company has disclosed it was targeted by the SolarWinds hackers. Microsoft and security firms FireEye and CrowdStrike have also been targeted, although CrowdStrike has said the attempt to infect its network was unsuccessful. Government agencies reported to be affected include the Departments of Defense, Justice, Treasury, Commerce, and Homeland Security as well as the National Institutes of Health.
