Security firm Malwarebytes said it was breached by the same nation-state-sponsored hackers who compromised a dozen or more US government agencies and private companies.
The attackers are best known for hacking Austin, Texas-based SolarWinds, compromising its software-delivery system and using it to infect the networks of customers who ran SolarWinds network management software. In an online notice, however, Malwarebytes stated that the attackers used a different vector against it.
The notice stated: “While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access in Microsoft Office 365 and Azure environments.”
Investigators have determined that the attacker gained access to a limited subset of internal company emails. So far, investigators have found no evidence of unauthorized access to, or compromise of, any Malwarebytes production environment.
The notice is not the first time investigators have stated that the SolarWinds software supply chain attack was not the only means of infection.
When the massive compromise was disclosed last month, Microsoft said that the hackers had also stolen signing certificates that allowed them to impersonate any of a target’s existing users and accounts through the Security Assertion Markup Language. Commonly abbreviated as SAML, the XML-based language provides a way for identity providers to exchange authentication and authorization data with service providers.
Twelve days ago, the Cybersecurity and Infrastructure Security Agency stated that the attackers may have gained initial access by password guessing, password spraying, or the use of administrative or service credentials.
“In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account,” wrote Malwarebytes researcher Marcin Kleczynski. “From there, they can authenticate using the key and make API calls to request emails via MSGraph.”
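One way a defender can hunt for the vector Kleczynski describes, as an added example that is not Malwarebytes’ code: it scans constructed, simplified Azure AD audit records for a new X.509 credential added to a service principal by an identity outside an approved set, and raises the severity when that same principal also holds a mail-reading Graph permission. The record shape, identities, and approved set are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed, simplified Azure AD audit records (assumption: not real tenant logs);
# the activityDisplayName values mirror the ones Azure AD emits for these actions.
SAMPLE_AUDIT_LOG = [json.loads(line) for line in """
{"time":"2020-12-14T03:12:07Z","activityDisplayName":"Add service principal credentials","initiatedBy":"svc-deploy@example.test","targetId":"sp-1111","targetName":"mail-archiver","props":{"KeyType":"AsymmetricX509Cert","KeyUsage":"Verify"}}
{"time":"2020-12-14T03:15:40Z","activityDisplayName":"Add app role assignment to service principal","initiatedBy":"svc-deploy@example.test","targetId":"sp-1111","targetName":"mail-archiver","props":{"AppRole":"Mail.Read"}}
{"time":"2020-12-14T09:00:00Z","activityDisplayName":"Add service principal credentials","initiatedBy":"pipeline-bot@example.test","targetId":"sp-2222","targetName":"build-notifier","props":{"KeyType":"AsymmetricX509Cert","KeyUsage":"Verify"}}
{"time":"2020-12-14T09:05:00Z","activityDisplayName":"Update user","initiatedBy":"admin@example.test","targetId":"u-3333","targetName":"alice","props":{}}
""".strip().splitlines()]

# Identities allowed to add credentials to service principals (assumption).
APPROVED_CREDENTIAL_ADDERS = {"pipeline-bot@example.test"}
# Application permissions that let an app read mailboxes through Graph/EWS.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}


def detect_sp_credential_abuse(events, approved=APPROVED_CREDENTIAL_ADDERS):
    """Return one alert per service principal that received a new certificate
    credential from a non-approved identity; severity becomes 'high' when the
    same principal also holds a mail-reading application permission."""
    cert_adds = defaultdict(list)   # targetId -> events adding X.509 credentials
    mail_grants = defaultdict(set)  # targetId -> mail permissions granted
    for ev in events:
        name, props = ev["activityDisplayName"], ev.get("props", {})
        if name == "Add service principal credentials" and props.get("KeyType") == "AsymmetricX509Cert":
            if ev["initiatedBy"] not in approved:
                cert_adds[ev["targetId"]].append(ev)
        elif name == "Add app role assignment to service principal":
            if props.get("AppRole") in MAIL_PERMISSIONS:
                mail_grants[ev["targetId"]].add(props["AppRole"])
    alerts = []
    for sp_id, evs in cert_adds.items():
        alerts.append({
            "service_principal": evs[0]["targetName"],
            "added_by": sorted({e["initiatedBy"] for e in evs}),
            "first_seen": min(e["time"] for e in evs),
            "mail_permissions": sorted(mail_grants.get(sp_id, ())),
            "severity": "high" if mail_grants.get(sp_id) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_sp_credential_abuse(SAMPLE_AUDIT_LOG):
        print(json.dumps(alert))
```

Running it against the constructed records flags only `mail-archiver`, whose new certificate and Mail.Read grant came from an identity outside the approved set.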
Last week, email management provider Mimecast also said that hackers compromised a digital certificate it issued and used it to target select customers who relied on it to encrypt data they sent through the company’s cloud-based service. Although Mimecast did not say that the certificate compromise was related to the ongoing attack, the similarities make it likely that the two attacks are connected.
Because the attackers used their access to the SolarWinds network to compromise that company’s software build system, Malwarebytes researchers investigated the possibility that they, too, were being used to infect their customers. So far, Malwarebytes stated, there is no evidence of such infection. The company has also inspected its source code repository for signs of malicious changes.
Malwarebytes said that it first learned of the intrusion from Microsoft on December 15, two days after the SolarWinds hack was revealed. Microsoft identified the compromise through suspicious activity from a third-party application in the Malwarebytes Microsoft Office 365 tenant. The tactics, techniques, and procedures in the Malwarebytes attack were consistent with those of the threat actor involved in the SolarWinds attacks.
The Malwarebytes notice is the fourth time a company has disclosed that it was targeted by the SolarWinds hackers. Microsoft and security firms FireEye and CrowdStrike have also been targeted, although CrowdStrike said attempts to infect its network were unsuccessful. Government agencies affected include the Departments of Defense, Justice, Treasury, Commerce, and Homeland Security, as well as the National Institutes of Health.