Thursday, May 26, 2022

Malwarebytes hit by same group that compromised SolarWinds

Malwarebytes has become the latest technology provider to admit it was hit by the same threat actor that compromised SolarWinds.

Although the cybersecurity vendor doesn’t use the SolarWinds Orion network management software that was infected with a backdoor, Malwarebytes CEO Marcin Kleczynski said the same attacker — dubbed UNC2452 by FireEye — got into its Microsoft cloud applications.

“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” the Jan. 19 statement said. “After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.”

On Tuesday, FireEye issued a detailed white paper outlining how UNC2452 exploits Microsoft 365. Other victims of this group to varying degrees include Cisco Systems and FireEye.

Kleczynski said Microsoft’s Security Response Center tipped off Malwarebytes on Dec. 15 about suspicious activity from a third-party application in its Office 365 environment with the tactics, techniques and procedures of the same advanced threat actor involved in the SolarWinds attacks.

Creeping into Office 365

An investigation showed the attackers leveraged what Kleczynski said was a “dormant email protection product within our Office 365 tenant” that allowed access to a limited subset of internal company emails. The company doesn’t use Azure cloud services in production environments.

However, the statement noted that as far back as 2019, flaws were identified in Azure Active Directory: access privileges could be escalated by assigning credentials to applications, giving backdoor access through those service principals’ credentials to Microsoft Graph and Azure AD Graph. The statement also noted that U.S. government researchers discovered UNC2452 used password guessing and password spraying techniques to gain access to some victims.

“In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account,” Kleczynski said. “From there, they can authenticate using the key and make API calls to request emails via ‘MSGraph.’”
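The technique described above leaves a trace in the tenant's audit log: a credential (here a certificate) is added to a service principal, after which the key is used to call Microsoft Graph for mail. The following detection sketch is an added example, not code from Malwarebytes, FireEye or Microsoft; it runs over a constructed, simplified set of audit records and an assumed application inventory (field names such as "credential_type" and "last_sign_in" are assumptions, not the real Azure AD schema) and flags credential additions that also land on a dormant app or one holding mailbox permissions.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not real tenant data). The operation name
# "Add service principal credentials" follows Azure AD audit logs; the field
# layout is a simplified assumption for this example.
SAMPLE_AUDIT_LOG = [
    {"time": "2020-12-10T02:14:00Z", "operation": "Add service principal credentials",
     "actor": "admin@example.test", "target": "legacy-mail-filter",
     "credential_type": "AsymmetricX509Cert", "key_id": "k-001"},
    {"time": "2020-12-11T09:00:00Z", "operation": "Add service principal credentials",
     "actor": "svc-deploy@example.test", "target": "ci-build-bot",
     "credential_type": "Password", "key_id": "k-002"},
    {"time": "2020-12-10T08:30:00Z", "operation": "Consent to application",
     "actor": "admin@example.test", "target": "ci-build-bot"},
]

# Constructed inventory: Graph application permissions and last sign-in per app.
APP_INVENTORY = {
    "legacy-mail-filter": {"permissions": ["Mail.Read"], "last_sign_in": "2020-06-01T00:00:00Z"},
    "ci-build-bot": {"permissions": ["User.Read.All"], "last_sign_in": "2020-12-09T00:00:00Z"},
}

# Graph permissions that let an app read mailboxes without a user present.
MAIL_PERMS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}
DORMANT_DAYS = 90  # no sign-in for this long counts as a dormant app


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_credential_adds(records, inventory, dormant_days=DORMANT_DAYS):
    """Return credential-add events that combine two or more risk signals."""
    findings = []
    for rec in records:
        if rec.get("operation") != "Add service principal credentials":
            continue
        app = inventory.get(rec["target"], {})
        reasons = []
        if rec.get("credential_type") == "AsymmetricX509Cert":
            reasons.append("certificate credential added")
        if set(app.get("permissions", [])) & MAIL_PERMS:
            reasons.append("app holds mailbox permission")
        last = app.get("last_sign_in")
        if last and parse_ts(rec["time"]) - parse_ts(last) > timedelta(days=dormant_days):
            reasons.append("app was dormant")
        if len(reasons) >= 2:  # one signal alone is routine; two together warrant review
            findings.append({"target": rec["target"], "actor": rec["actor"],
                             "key_id": rec["key_id"], "reasons": reasons})
    return findings
```

On the sample data only the dormant, mail-capable app that received a certificate is reported; the routine password rotation on the active build bot is not.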

CrowdStrike has released a tool to help organizations identify and mitigate risks in Azure Active Directory.

All Malwarebytes source code, build and delivery processes have been investigated and cleared. “Our software remains safe to use,” Kleczynski said.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
