Malwarebytes targeted by SolarWinds attackers


By Dylan Bushell-Embling
Thursday, 21 January, 2021


Malwarebytes has disclosed it has been targeted by the same suspected state-sponsored attacker behind the high-profile SolarWinds Orion breach.

The company’s CEO and co-founder Marcin Kleczynski revealed in a blog post that it has been one of many companies in the security industry to be targeted by the same threat actor.

Although Malwarebytes does not use SolarWinds software, the company was targeted and compromised using an intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.

An investigation by the company has determined that the attacker only gained access to “a limited subset of internal company emails”.

Malwarebytes was alerted to the attack after receiving information from the Microsoft Security Response Center last month about suspicious activity from a third-party application in the company’s Office 365 tenant.

The company’s incident response group worked with Microsoft’s Detection and Response Team to probe its cloud and on-premises environments for any activity related to the API calls that triggered the initial alert.

Unlike the SolarWinds attack, Malwarebytes’ investigation found no evidence of any compromise of software releases or of on-premises or production environments.

But the attack demonstrates that the threat actor did not rely solely on the SolarWinds supply-chain compromise to reach high-value targets, but also used additional means involving the exploitation of administrative or service credentials, Malwarebytes said.

The attack also highlights the threat posed by attackers abusing administrative privileges to gain access to tenants through third-party applications. In this instance, the attacker added a self-signed certificate with credentials to the service principal account, was then able to authenticate using the key, and made API calls to request emails through MSGraph.
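The technique described above leaves a recognisable trace for defenders: a credential (key or secret) being added to a service principal, on a principal that already holds application permissions to read mail. The following detection sketch is an added example, not code from Malwarebytes or Microsoft. It correlates constructed audit records, modelled on the general shape of Azure AD audit log entries, with a separately enumerated inventory of each principal's granted Graph application permissions; the activity display names and field names are assumptions that should be verified against what your own tenant emits.

```python
"""Flag service-principal credential additions on principals that can read mail.

Added example (not Malwarebytes' or Microsoft's code). Assumptions:
- audit records are constructed and follow the general Azure AD audit log
  shape (activityDisplayName, activityDateTime, initiatedBy, targetResources);
- the activity names below are the ones commonly seen for credential changes,
  but the exact strings must be verified against your tenant's logs;
- permission_inventory stands in for a separate enumeration of the app roles
  granted to each service principal (e.g. from a Graph query).
"""

from dataclasses import dataclass

# Activity names that record a key or secret being added to an app/service
# principal. Assumption: verify against the exact strings your tenant emits.
CREDENTIAL_ADD_ACTIVITIES = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# Microsoft Graph application permissions that read mail with no signed-in user.
MAIL_READ_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}


@dataclass(frozen=True)
class Finding:
    service_principal_id: str
    display_name: str
    actor: str
    when: str
    mail_permissions: frozenset


def _actor(record):
    """Return who initiated the event: user UPN, app display name, or 'unknown'."""
    initiated = record.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def credential_additions(records):
    """Return (sp_id, display_name, actor, time) for each credential-add event
    whose target is a service principal or application object."""
    out = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ADD_ACTIVITIES:
            continue
        for target in rec.get("targetResources", []):
            if target.get("type") in {"ServicePrincipal", "Application"}:
                out.append((target["id"], target.get("displayName", ""),
                            _actor(rec), rec.get("activityDateTime", "")))
    return out


def find_risky_credential_adds(records, permission_inventory):
    """Credential additions on principals that hold mail-reading app roles.
    A new key on such a principal lets whoever holds it read mailboxes
    directly through the Graph API, so each one deserves review."""
    findings = []
    for sp_id, name, actor, when in credential_additions(records):
        granted = set(permission_inventory.get(sp_id, ()))
        mail = granted & MAIL_READ_PERMISSIONS
        if mail:
            findings.append(Finding(sp_id, name, actor, when, frozenset(mail)))
    return findings


# Constructed sample audit records (not real tenant data).
SAMPLE_AUDIT_LOG = [
    {   # key added to a principal that can read every mailbox -> should be flagged
        "activityDisplayName": "Add service principal credentials",
        "activityDateTime": "2020-12-15T02:11:09Z",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{"id": "sp-0001", "displayName": "MailArchiver",
                             "type": "ServicePrincipal"}],
    },
    {   # key added to a principal with no mailbox access -> recorded, not flagged
        "activityDisplayName": "Add service principal credentials",
        "activityDateTime": "2020-12-15T03:40:00Z",
        "initiatedBy": {"app": {"displayName": "Provisioning Bot"}},
        "targetResources": [{"id": "sp-0002", "displayName": "BuildAgent",
                             "type": "ServicePrincipal"}],
    },
    {   # unrelated directory change -> ignored
        "activityDisplayName": "Update user",
        "activityDateTime": "2020-12-15T04:02:31Z",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
        "targetResources": [{"id": "u-77", "displayName": "J. Doe", "type": "User"}],
    },
]

# Constructed inventory of granted application permissions per principal.
SAMPLE_PERMISSION_INVENTORY = {
    "sp-0001": {"Mail.Read", "User.Read.All"},
    "sp-0002": {"User.Read"},
}

if __name__ == "__main__":
    for f in find_risky_credential_adds(SAMPLE_AUDIT_LOG, SAMPLE_PERMISSION_INVENTORY):
        print(f"REVIEW: {f.display_name} ({f.service_principal_id}) received a new "
              f"credential from {f.actor} at {f.when}; holds {sorted(f.mail_permissions)}")
```

The inventory step is what turns a noisy "someone rotated a key" signal into something actionable: only principals that combine a fresh credential with application-level mailbox permissions are surfaced, and the initiating identity is carried through so the review can start from the account or app that performed the change.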

“While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets,” Kleczynski said.

“It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation state actors.”
