Malwarebytes was attacked by the same group that compromised SolarWinds (suspected to be UNC2452, also known as Dark Halo, which is linked to the Russian intelligence services), as the security firm explained in a post on its blog.
The SolarWinds case was the worst cybersecurity incident of 2020, and Malwarebytes joins an ever-expanding list of affected companies, such as Microsoft, FireEye, Cisco, Intel, VMware and NVIDIA, plus others that have not been made public but are believed to exist, since the compromised SolarWinds software was used by a good part of the Fortune 500, telecommunications providers and various United States government agencies.
Malwarebytes explains that it does not use SolarWinds solutions, but it was attacked through another intrusion vector that took advantage of applications with privileged access to Microsoft Office 365 and Azure. According to the security firm, the attackers managed to access "a limited subset of internal company emails".
The attack was discovered after Microsoft notified Malwarebytes of suspicious activity in an inactive email protection application within the Office 365 suite. The attackers added a self-signed certificate with credentials to the principal service account and then used it to make API calls and reach emails through Microsoft Graph.
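The technique just described leaves a trace in the tenant's Azure AD audit log: an event that adds a credential to a service principal, followed by Graph sign-ins from an application that previously sat idle. The following detection sketch is an added example and is not code from Malwarebytes, Microsoft or FireEye; the audit-log records, application names, permission grants and sign-in dates are constructed and only approximate the real Azure AD schemas. It flags every credential addition, raises the severity when a certificate is added to an application that holds mail-reading Graph permissions, and marks applications that had been dormant before the credential appeared.

```python
"""Flag certificate credentials added to Azure AD service principals.

Added example, not vendor code.  Record shapes below are a simplified,
constructed approximation of Azure AD audit-log entries and Graph data.
"""
from datetime import datetime, timedelta

# ---- constructed sample data (not real tenant data) -----------------------
AUDIT_LOG = [
    {   # certificate added to a mail-capable app that had been idle for months
        "activityDateTime": "2020-12-15T03:12:44Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": "admin@contoso.example",
        "target": {"id": "sp-0001", "displayName": "MailProtectionConnector"},
        "modifiedProperties": [{
            "displayName": "KeyDescription",
            "newValue": "[KeyIdentifier=k1,KeyType=AsymmetricX509Cert,"
                        "KeyUsage=Verify,DisplayName=CN=selfsigned]",
        }],
    },
    {   # routine password rotation on a low-privilege, active app
        "activityDateTime": "2020-12-15T09:40:10Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": "devops@contoso.example",
        "target": {"id": "sp-0002", "displayName": "BuildPipeline"},
        "modifiedProperties": [{
            "displayName": "KeyDescription",
            "newValue": "[KeyIdentifier=k2,KeyType=Password,"
                        "KeyUsage=Verify,DisplayName=ci-secret]",
        }],
    },
    {   # unrelated event, must be ignored
        "activityDateTime": "2020-12-16T11:00:00Z",
        "activityDisplayName": "Update user",
        "initiatedBy": "hr@contoso.example",
        "target": {"id": "u-0009", "displayName": "Jane Doe"},
        "modifiedProperties": [],
    },
]
# Application permissions (app roles) granted to each service principal.
APP_PERMISSIONS = {"sp-0001": {"Mail.Read", "User.Read.All"},
                   "sp-0002": {"User.Read"}}
# Last successful sign-in per service principal, used to spot dormant apps.
LAST_SIGN_IN = {"sp-0001": "2020-06-01T00:00:00Z",
                "sp-0002": "2020-12-14T22:00:00Z"}

MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}
CREDENTIAL_OPS = {"Add service principal credentials",
                  "Update application – Certificates and secrets management"}
DORMANT_DAYS = 90


def parse_key_description(value: str) -> dict:
    """Turn '[KeyIdentifier=k1,KeyType=AsymmetricX509Cert,...]' into a dict.
    Assumes no commas inside values (true for the constructed samples)."""
    inner = value.strip().strip("[]")
    pairs = (item.split("=", 1) for item in inner.split(",") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}


def _parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_credential_additions(audit_log, app_permissions, last_sign_in,
                              dormant_days=DORMANT_DAYS):
    """One finding per credential added to a service principal.

    Severity heuristics (defensive triage, not a vendor standard):
      high   - certificate credential AND the app can read mail
      medium - certificate credential OR the app can read mail
      low    - anything else
    'dormant' is set when the app had no sign-in for `dormant_days`
    before the credential was added.
    """
    findings = []
    for rec in audit_log:
        if rec.get("activityDisplayName") not in CREDENTIAL_OPS:
            continue
        sp_id = rec["target"]["id"]
        key_info = {}
        for prop in rec.get("modifiedProperties", []):
            if prop.get("displayName") == "KeyDescription":
                key_info = parse_key_description(prop.get("newValue", ""))
        is_cert = key_info.get("KeyType") == "AsymmetricX509Cert"
        can_read_mail = bool(app_permissions.get(sp_id, set()) & MAIL_PERMISSIONS)
        added_at = _parse_time(rec["activityDateTime"])
        last = last_sign_in.get(sp_id)
        dormant = last is None or added_at - _parse_time(last) > timedelta(days=dormant_days)
        severity = ("high" if is_cert and can_read_mail
                    else "medium" if is_cert or can_read_mail else "low")
        findings.append({
            "service_principal": rec["target"]["displayName"], "sp_id": sp_id,
            "actor": rec.get("initiatedBy"),
            "credential_type": key_info.get("KeyType", "unknown"),
            "can_read_mail": can_read_mail, "dormant": dormant,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_credential_additions(AUDIT_LOG, APP_PERMISSIONS, LAST_SIGN_IN):
        print(f"[{f['severity'].upper():6}] {f['service_principal']} "
              f"({f['credential_type']}) by {f['actor']} "
              f"mail={f['can_read_mail']} dormant={f['dormant']}")
```

On the constructed input the first record is reported as high severity and dormant, the second as low and active, and the user update is ignored. In a real tenant the audit records, app-role grants and sign-in history would come from the Graph API or exported logs rather than the inline dictionaries, and the "dormant" check is what separates a routine rotation from a credential planted on an application nobody was watching.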
Malwarebytes is safe
The CEO of the security firm said a full internal investigation had been conducted to determine how far the attackers had penetrated. The company also carried out a comprehensive audit of all its products and their source code, including reverse engineering, looking for signs of the "supply chain attack" used to compromise the SolarWinds software.
The investigation found no sign of unauthorized access or compromise other than access to the aforementioned subset of internal corporate emails, obtained by exploiting a weakness in Azure Active Directory. This, together with the fact that none of its internal systems were compromised, has led the company to declare that its software is still safe to use.
However, the Malwarebytes case reveals a new attack vector in this wide-ranging campaign and raises the number of affected cybersecurity firms to four.
In related news, FireEye has published an audit script called Azure AD Investigator, which it says can help companies search their Microsoft 365 tenants for indicators of some of the techniques used by the SolarWinds attackers.