Malwarebytes confirmed it was targeted by SolarWinds hackers

US cybersecurity firm Malwarebytes revealed it was targeted by the same threat actor who hacked IT software company SolarWinds last year.

Malwarebytes said the intrusion is not related to SolarWinds software but rather to another attack vector that involves abusing applications with privileged access to Microsoft Office 365 and Azure environments. An investigation into the incident revealed that the intruder only gained access to a limited subset of internal company emails; internal on-premises and production environments were not affected.

“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” Malwarebytes CEO and co-founder Marcin Kleczynski said in a blog post.

The investigation showed that the hackers used a dormant email protection product within the company’s Office 365 tenant that allowed access to a limited subset of internal emails. The threat actor added a self-signed certificate with credentials to the service principal account. From there, they could authenticate using the key and make API calls to request emails via MSGraph.
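The technique described above leaves a clear audit trail: a new key or secret credential is added to an existing service principal, and the app involved has mail-reading Graph permissions and has not been used for a long time. The following script, an added example that is not Malwarebytes' or Microsoft's code, scans Azure AD audit-log records for credential additions to service principals and ranks each one by whether the target app can read mail and whether it was dormant. The audit records and the permission inventory are constructed sample data; the record shape is a simplified subset of the Azure AD audit-log schema, and the inventory format and the helper names are assumptions.

```python
"""Flag credential additions to Azure AD service principals (added example).

Not code from Malwarebytes or Microsoft. Audit records below are constructed
and use a simplified subset of the Azure AD audit-log shape (operationName,
initiatedBy, targetResources); the inventory shape is an assumption.
"""
import json
from datetime import datetime

# Audit-log operation names that record a new key/secret on an app or SP.
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# Graph application permissions that allow reading mailbox content.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}

# Constructed sample: one dormant mail-protection app gets a new key credential,
# one unrelated user change, and one routine credential rotation on a build SP.
SAMPLE_AUDIT_LOG = json.dumps([
    {
        "activityDateTime": "2020-12-14T02:11:09Z",
        "operationName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{"id": "sp-0001", "type": "ServicePrincipal",
                             "displayName": "Legacy Mail Protection"}],
    },
    {
        "activityDateTime": "2020-12-14T09:30:00Z",
        "operationName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "hr@example.test"}},
        "targetResources": [{"id": "u-42", "type": "User", "displayName": "J. Doe"}],
    },
    {
        "activityDateTime": "2020-12-15T23:58:41Z",
        "operationName": "Add service principal credentials",
        "initiatedBy": {"app": {"displayName": "Deployment Pipeline"}},
        "targetResources": [{"id": "sp-0002", "type": "ServicePrincipal",
                             "displayName": "Build Agent SP"}],
    },
])

# Constructed inventory (assumed shape): granted Graph app roles and last sign-in per SP.
SAMPLE_INVENTORY = {
    "sp-0001": {"permissions": ["Mail.Read", "User.Read.All"], "last_sign_in": "2020-06-01T00:00:00Z"},
    "sp-0002": {"permissions": ["Application.Read.All"], "last_sign_in": "2020-12-13T00:00:00Z"},
}


def _parse_ts(value):
    # Audit timestamps are ISO 8601 with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _actor(record):
    initiated = record.get("initiatedBy", {})
    user = (initiated.get("user") or {}).get("userPrincipalName")
    app = (initiated.get("app") or {}).get("displayName")
    return user or app or "unknown"


def flag_credential_additions(audit_json, inventory, dormant_days=90):
    """Return one finding per service principal that received a new credential.

    Severity: high = mail-capable and dormant, medium = one of the two, low = neither.
    """
    findings = []
    for record in json.loads(audit_json):
        if record.get("operationName") not in CREDENTIAL_OPS:
            continue
        when = _parse_ts(record["activityDateTime"])
        for target in record.get("targetResources", []):
            if target.get("type") != "ServicePrincipal":
                continue
            info = inventory.get(target["id"], {})
            mail_access = bool(set(info.get("permissions", [])) & MAIL_PERMISSIONS)
            last = info.get("last_sign_in")
            dormant = bool(last) and (when - _parse_ts(last)).days >= dormant_days
            if mail_access and dormant:
                severity = "high"
            elif mail_access or dormant:
                severity = "medium"
            else:
                severity = "low"
            findings.append({
                "time": record["activityDateTime"],
                "service_principal": target.get("displayName", target["id"]),
                "actor": _actor(record),
                "mail_access": mail_access,
                "dormant": dormant,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_credential_additions(SAMPLE_AUDIT_LOG, SAMPLE_INVENTORY):
        print(json.dumps(finding))
```

In a real tenant the audit records would come from the `AuditLogs` export or the Graph `auditLogs/directoryAudits` endpoint and the inventory from an enumeration of app-role assignments and sign-in logs; the scoring stays the same. A "high" finding is exactly the pattern in the article: a long-unused app with mail permissions suddenly gains a key that can be used to authenticate and pull mail through Graph.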

“Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use,” Kleczynski added.

The threat actor behind the SolarWinds breach is tracked as StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity), and is believed to be a Russian-backed Advanced Persistent Threat (APT) group.

FireEye’s investigation into its own breach last month revealed that the hackers had infected SolarWinds’s Orion software used by government agencies and private companies with malicious code, which allowed the attackers to further compromise computer networks.

SolarWinds estimates that as many as 18,000 of its customers may have received infected updates, though it is believed that the number of directly affected companies is much smaller.
