US cybersecurity firm Malwarebytes revealed it was targeted by the same threat actor who hacked IT software company SolarWinds last year.
Malwarebytes said the intrusion is not related to SolarWinds software but rather to another attack vector that involves abusing applications with privileged access to Microsoft Office 365 and Azure environments. An investigation into the incident revealed that the intruder only gained access to a limited subset of internal company emails; internal on-premises and production environments were not affected.
“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” Malwarebytes CEO and co-founder Marcin Kleczynski said in a blog post.
The investigation showed that the hackers abused a dormant email protection product within the company’s Office 365 tenant, which allowed access to a limited subset of internal emails. The threat actor added a self-signed certificate as a credential to the product’s service principal account. From there, they could authenticate using the corresponding key and make API calls to request emails via MSGraph (the Microsoft Graph API).
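A detection a tenant administrator could run over Azure AD audit-log events to catch the pattern described above, added here as an example and not code from the article or from Malwarebytes: it flags credentials added to service principals that have had no recent sign-ins, the dormant-application case. The event field names (activityDisplayName, targetResources, KeyDescription) are assumed to mirror the Azure AD audit log, and every sample event, id and timestamp is constructed.

```python
from datetime import datetime, timedelta, timezone

def _parse(ts):
    """Parse an ISO-8601 UTC timestamp such as '2020-12-10T08:15:00Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def flag_dormant_sp_credential_adds(events, last_sign_in, now, dormant_days=90):
    """Return one alert per credential added to a service principal that has had
    no sign-ins for `dormant_days` (or no sign-in record at all). `events` are
    Azure AD audit-log style records; `last_sign_in` maps service principal
    object id -> ISO timestamp of its most recent sign-in."""
    alerts, cutoff = [], now - timedelta(days=dormant_days)
    for ev in events:
        if ev.get("activityDisplayName") != "Add service principal credentials":
            continue
        for target in ev.get("targetResources", []):
            if target.get("type") != "ServicePrincipal":
                continue
            last = last_sign_in.get(target["id"])
            if last is not None and _parse(last) >= cutoff:
                continue  # app is in active use; a new credential is less surprising
            # KeyDescription (assumed field) describes the new credential; an
            # AsymmetricX509Cert lets its holder authenticate as the application.
            key_desc = next((p.get("newValue", "") for p in target.get("modifiedProperties", [])
                             if p.get("displayName") == "KeyDescription"), "")
            alerts.append({
                "when": ev["activityDateTime"],
                "actor": ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown"),
                "service_principal": target.get("displayName", target["id"]),
                "credential": "certificate" if "AsymmetricX509Cert" in key_desc else "secret/other",
                "last_sign_in": last,
            })
    return alerts

# Constructed sample data (not from the incident): a dormant mail-protection app
# gets a certificate credential, an active CI app gets a client secret.
SAMPLE_EVENTS = [
    {"activityDateTime": "2020-12-10T08:15:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"id": "sp-1111", "type": "ServicePrincipal", "displayName": "Legacy Mail Protection Connector",
                          "modifiedProperties": [{"displayName": "KeyDescription",
                                                  "newValue": "[KeyType=AsymmetricX509Cert,KeyUsage=Verify]"}]}]},
    {"activityDateTime": "2020-12-11T09:00:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "devops@example.test"}},
     "targetResources": [{"id": "sp-2222", "type": "ServicePrincipal", "displayName": "CI Pipeline",
                          "modifiedProperties": [{"displayName": "KeyDescription", "newValue": "[KeyType=Password]"}]}]},
]
SAMPLE_LAST_SIGN_IN = {"sp-1111": "2020-06-01T00:00:00Z", "sp-2222": "2020-12-09T12:00:00Z"}
NOW = datetime(2020, 12, 15, tzinfo=timezone.utc)
```

Calling `flag_dormant_sp_credential_adds(SAMPLE_EVENTS, SAMPLE_LAST_SIGN_IN, NOW)` yields a single alert for the dormant connector that received a certificate; the active CI app's new secret is not flagged.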
“Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use,” Kleczynski added.
The threat actor behind the SolarWinds breach is tracked as StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity), and is believed to be a Russian-backed Advanced Persistent Threat (APT) group.
FireEye’s investigation into its own breach last month revealed that the hackers had infected SolarWinds’s Orion software used by government agencies and private companies with malicious code, which allowed the attackers to further compromise computer networks.
SolarWinds estimates that as many as 18,000 of its customers may have received infected updates, though it is believed that the number of directly affected companies is much smaller.