[BreachExchange] Security firm Malwarebytes was infected by same hackers who hit SolarWinds

Destry Winant destry at riskbasedsecurity.com
Tue Jan 26 10:24:18 EST 2021


https://arstechnica.com/information-technology/2021/01/security-firm-malwarebytes-was-infected-by-same-hackers-who-hit-solarwinds/

Security firm Malwarebytes said it was breached by the same
nation-state-sponsored hackers who compromised a dozen or more US
government agencies and private companies.

The attackers are best known for first hacking into Austin,
Texas-based SolarWinds, compromising its software-distribution system
and using it to infect the networks of customers who used SolarWinds’
network management software. In an online notice, however,
Malwarebytes said the attackers used a different vector.

“While Malwarebytes does not use SolarWinds, we, like many other
companies, were recently targeted by the same threat actor,” the notice
stated. “We can confirm the existence of another intrusion vector that
works by abusing applications with privileged access to Microsoft
Office 365 and Azure environments.”

Investigators have determined that the attacker gained access to a
limited subset of internal company emails. So far, the investigators
have found no evidence of unauthorized access or compromise in any
Malwarebytes production environments.

The notice isn’t the first time investigators have said the SolarWinds
software supply chain attack wasn’t the sole means of infection.

When the mass compromise came to light last month, Microsoft said the
hackers also stole signing certificates that allowed them to
impersonate any of a target’s existing users and accounts through the
Security Assertion Markup Language. Typically abbreviated as SAML, the
XML-based language provides a way for identity providers to exchange
authentication and authorization data with service providers.

Twelve days ago, the Cybersecurity & Infrastructure Security Agency
said that the attackers may have obtained initial access by using
password guessing or password spraying or by exploiting administrative
or service credentials.

Mimecast

“In our particular instance, the threat actor added a self-signed
certificate with credentials to the service principal account,”
Malwarebytes researcher Marcin Kleczynski wrote. “From there, they can
authenticate using the key and make API calls to request emails via
MSGraph.”
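The credential addition described in that quote leaves a trace in the tenant's Azure AD audit log. As an added defensive illustration (not code from the article, Malwarebytes, or Microsoft), the check below walks constructed audit-log records and flags every service principal that received an X.509 certificate credential, skipping client-secret additions that go through the same operation name. Field names are modelled on the Microsoft Graph directoryAudit schema, which is an assumption; the records and app names are invented.

```python
import json
from datetime import datetime

# Constructed Azure AD audit-log records, shaped after the Microsoft Graph
# directoryAudit schema (field names assumed; the events themselves are invented).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2020-12-10T03:14:07Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "mail-sync-app", "modifiedProperties": [
         {"displayName": "KeyDescription",
          "newValue": "[KeyIdentifier=11111111-aaaa-4bbb-8ccc-222222222222,"
                      "KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=mail-sync-app]"}]}]},
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2020-12-11T09:02:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "dev@example.test"}},
     "targetResources": [{"displayName": "ci-runner", "modifiedProperties": [
         {"displayName": "KeyDescription",
          "newValue": "[KeyIdentifier=33333333-dddd-4eee-9fff-444444444444,"
                      "KeyType=Password,KeyUsage=Verify,DisplayName=rotated secret]"}]}]},
    {"activityDisplayName": "Update service principal",
     "activityDateTime": "2020-12-12T12:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "mail-sync-app", "modifiedProperties": []}]},
])


def find_added_cert_credentials(log_json, since=None):
    """Return (app, actor, timestamp) for every audit record that added an
    X.509 certificate credential to a service principal at or after `since`
    (a timezone-aware datetime, or None for no lower bound)."""
    hits = []
    for rec in json.loads(log_json):
        if rec.get("activityDisplayName") != "Add service principal credentials":
            continue
        when = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        if since is not None and when < since:
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        for target in rec.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                # Only certificate credentials are of interest here; client-secret
                # additions use the same operation name but KeyType=Password.
                if prop.get("displayName") == "KeyDescription" and \
                        "KeyType=AsymmetricX509Cert" in (prop.get("newValue") or ""):
                    hits.append((target.get("displayName"), actor, rec["activityDateTime"]))
    return hits


if __name__ == "__main__":
    for app, actor, ts in find_added_cert_credentials(SAMPLE_AUDIT_LOG):
        print(f"{ts} certificate credential added to '{app}' by {actor}")
```

A real tenant would feed this the output of the Graph `auditLogs/directoryAudits` endpoint; any hit on an app that can read mail deserves a look at who added the key and whether that app should hold it at all.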

Last week, email management provider Mimecast also said that hackers
compromised a digital certificate it issued and used it to target
select customers who use it to encrypt data they sent and received
through the company’s cloud-based service. While Mimecast didn’t say
the certificate compromise was related to the ongoing attack, the
similarities make it likely that the two attacks are related.

Because the attackers used their access to the SolarWinds network to
compromise that company’s software build system, Malwarebytes
researchers investigated the possibility that their own software was
likewise being used to infect their customers. So far, Malwarebytes
said it has no evidence of such an infection. The company has also
inspected its source code repositories for signs of malicious changes.

Malwarebytes said it first learned of the infection from Microsoft on
December 15, two days after the SolarWinds hack was first disclosed.
Microsoft identified the network compromise through suspicious
activity from a third-party application in Malwarebytes’ Microsoft
Office 365 tenant. The tactics, techniques, and procedures in the
Malwarebytes attack were similar in key ways to those of the threat
actor involved in the SolarWinds attacks.

Malwarebytes’ notice marks the fourth time a company has disclosed it
was targeted by the SolarWinds hackers. Microsoft and security firms
FireEye and CrowdStrike have also been targeted, although CrowdStrike
has said the attempt to infect its network was unsuccessful.
Government agencies reported to be affected include the Departments of
Defense, Justice, Treasury, Commerce, and Homeland Security as well as
the National Institutes of Health.
