20 January 2021

Malwarebytes confirmed it was targeted by SolarWinds hackers


US cybersecurity firm Malwarebytes revealed it was targeted by the same threat actor who hacked IT software company SolarWinds last year.

Malwarebytes said the intrusion is not related to SolarWinds software but to a different attack vector: abuse of applications with privileged access to Microsoft Office 365 and Azure environments. An investigation into the incident revealed that the intruder only gained access to a limited subset of internal company emails; internal on-premises and production environments were not affected.

“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” Malwarebytes CEO and co-founder Marcin Kleczynski said in a blog post.

The investigation showed that the hackers abused a dormant email protection product within the company’s Office 365 tenant that allowed access to a limited subset of internal emails. The threat actor added a self-signed certificate with credentials to the product’s service principal account. From there, they could authenticate using the key and make API calls to request emails via Microsoft Graph (MSGraph).
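The sequence described above (a new credential added to a service principal, followed by that principal authenticating and calling Microsoft Graph) is something a tenant's own audit and sign-in logs record, which makes it detectable. The following is an added example written for this page, not Malwarebytes' or Microsoft's code: it correlates constructed, simplified Azure AD-style audit events, service-principal sign-in events and a service-principal inventory to flag credential additions, and raises severity when the principal was dormant and holds mail-reading Graph permissions. The field names, the 90-day dormancy threshold, the 24-hour correlation window and every identifier in the sample data are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed Azure AD-style records (field names simplified; an assumption,
# not the real export schema). One JSON object per line, as a log shipper
# would deliver them.
AUDIT_LOG_LINES = """
{"time": "2020-12-14T10:02:00Z", "activity": "Add service principal credentials", "targetId": "sp-mailprotect-0001", "actor": "svc-admin@example.test"}
{"time": "2020-12-14T10:05:00Z", "activity": "Update user", "targetId": "user-4711", "actor": "helpdesk@example.test"}
{"time": "2020-12-14T11:00:00Z", "activity": "Update application – Certificates and secrets management", "targetId": "sp-buildbot-0002", "actor": "devops@example.test"}
""".strip().splitlines()

SIGNIN_LOG_LINES = """
{"time": "2020-12-14T10:20:00Z", "servicePrincipalId": "sp-mailprotect-0001", "resource": "Microsoft Graph", "credentialKeyId": "key-new-9f3a"}
{"time": "2020-12-14T12:30:00Z", "servicePrincipalId": "sp-buildbot-0002", "resource": "Azure DevOps", "credentialKeyId": "key-new-1c77"}
{"time": "2020-12-16T09:00:00Z", "servicePrincipalId": "sp-mailprotect-0001", "resource": "Microsoft Graph", "credentialKeyId": "key-new-9f3a"}
""".strip().splitlines()

# Constructed inventory: which Graph application permissions each service
# principal has been granted, and its last sign-in before the audit window.
SP_INVENTORY = {
    "sp-mailprotect-0001": {"displayName": "Legacy Mail Protection",
                            "appRoles": ["Mail.Read", "User.Read.All"],
                            "lastSignIn": "2020-06-01T00:00:00Z"},
    "sp-buildbot-0002": {"displayName": "Build Bot",
                         "appRoles": ["user_impersonation"],
                         "lastSignIn": "2020-12-13T22:00:00Z"},
}

# Audit activity names that mean "a credential was added to an app/SP".
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# Graph application permissions that allow reading mailbox content.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}
DORMANCY = timedelta(days=90)  # assumption: no sign-in for 90 days = dormant


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def load_events(lines):
    return [json.loads(line) for line in lines if line.strip()]


def detect_credential_abuse(audit_lines, signin_lines, inventory,
                            window=timedelta(hours=24)):
    """Return one alert per credential addition to a service principal.

    Severity is 'high' when the principal was dormant, holds a mail-reading
    permission and signed in to Microsoft Graph within `window` of the
    credential being added; 'medium' when only dormancy or mail scope
    applies; 'low' otherwise (still worth a ticket: a new key on an SP is a
    change someone should own).
    """
    audit = load_events(audit_lines)
    signins = load_events(signin_lines)
    alerts = []
    for event in audit:
        if event["activity"] not in CREDENTIAL_ACTIVITIES:
            continue
        added_at = parse_time(event["time"])
        sp_id = event["targetId"]
        meta = inventory.get(sp_id, {})
        dormant = ("lastSignIn" in meta
                   and added_at - parse_time(meta["lastSignIn"]) > DORMANCY)
        mail_scoped = bool(MAIL_PERMISSIONS & set(meta.get("appRoles", [])))
        # Sign-ins by this principal in the correlation window after the add.
        later = [s for s in signins
                 if s["servicePrincipalId"] == sp_id
                 and added_at <= parse_time(s["time"]) <= added_at + window]
        graph_signins = [s for s in later if s["resource"] == "Microsoft Graph"]
        if dormant and mail_scoped and graph_signins:
            severity = "high"
        elif dormant or mail_scoped:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "servicePrincipalId": sp_id,
            "displayName": meta.get("displayName", "<unknown>"),
            "credentialAddedAt": event["time"],
            "actor": event["actor"],
            "dormant": dormant,
            "mailScoped": mail_scoped,
            "graphSignIns": len(graph_signins),
            "newKeyIds": sorted({s["credentialKeyId"] for s in later}),
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_abuse(AUDIT_LOG_LINES, SIGNIN_LOG_LINES, SP_INVENTORY):
        print(json.dumps(alert, indent=2))
```

In a real tenant the two inputs would come from the directory audit log and the service-principal sign-in log (both exposed through the Microsoft Graph `auditLogs` endpoints), and the inventory from an enumeration of service principals and their granted application roles; the dormant, mail-scoped principal is exactly the kind of forgotten integration that deserves a periodic review of whether it still needs to exist at all.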

“Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use,” Kleczynski added.

The threat actor behind the SolarWinds breach is tracked as StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity), and is believed to be a Russian-backed Advanced Persistent Threat (APT) group.

FireEye’s investigation into its own breach last month revealed that the hackers had infected SolarWinds’s Orion software used by government agencies and private companies with malicious code, which allowed the attackers to further compromise computer networks.

SolarWinds estimates that as many as 18,000 of its customers may have received infected updates, though it is believed that the number of directly affected companies is much smaller.
