Malwarebytes compromised by SolarWinds hackers
The US-based cyber security firm Malwarebytes was compromised by the SolarWinds hackers. The news was disclosed on Tuesday in a post by the company's co-founder and CEO, Marcin Kleczynski.
The cybersecurity company said the same criminal group that is behind the SolarWinds attack has breached its network and managed to gain access to some of the company's internal emails.
After big names such as Microsoft, FireEye, and CrowdStrike, Malwarebytes is yet another leading cybersecurity company hit by this group of cyber criminals.
According to the company, the intrusion into its systems did not come through the SolarWinds software compromise but is more likely a separate attack that works by abusing Microsoft Office 365 and Azure.
The attack came to light on December 15th, when Microsoft informed Malwarebytes of irregular activity from a dormant email security app inside its Office 365 tenant. A careful investigation followed shortly afterwards.
Malwarebytes is not a user of the SolarWinds software products but, like other cybersecurity software vendors, the company has recently been a target of the SolarWinds threat actor, Marcin Kleczynski reported in a post. According to him, its security team has found no indication of unauthorized access or compromise in any of the Malwarebytes production environments or internal on-premises systems, which means that the company's products are safe to use and have not been affected by the attack.
The massive spying operation, which appears to stretch beyond the SolarWinds Orion software, is now suspected to be the work of a hacking group tracked as UNC2452 (also known as Dark Halo) that is presumably based in Russia.
At the beginning of January this year, the US-based Cybersecurity and Infrastructure Security Agency (CISA) announced that initial infection vectors other than the SolarWinds Orion platform had been identified. These included password spraying, password guessing, and poorly protected administrative credentials accessible through external remote access services.
In a post on Reddit, Kleczynski explained that Malwarebytes's tenant was most likely breached using one of the TTPs published in the CISA warning.
The cybersecurity company confirmed that the hackers attached a certificate credential to the main service account, which was then used to make API calls requesting emails through Microsoft Graph.
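The technique described above leaves a trace in the Azure AD audit log when a new credential is attached to a service principal. The following is an added example (not code from Malwarebytes or the original article) that walks a constructed, simplified set of audit records and flags credential additions, rating them higher when the principal already holds mailbox-reading Microsoft Graph permissions; the record shape, the app-role inventory and the principal names are assumptions for illustration.

```python
from typing import Dict, List

# Constructed sample of Azure AD audit-log records, cut down to the few
# fields this check needs; a real export carries many more.
AUDIT_LOG: List[dict] = [
    {"activityDateTime": "2020-12-10T08:02:11Z",
     "activityDisplayName": "Update user",
     "initiatedBy": "helpdesk@contoso.example",
     "targetResources": [{"id": "user-42", "displayName": "j.doe"}]},
    {"activityDateTime": "2020-12-14T03:17:45Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "admin@contoso.example",
     "targetResources": [{"id": "sp-1111", "displayName": "legacy-mail-app"}]},
    {"activityDateTime": "2020-12-14T09:30:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "devops@contoso.example",
     "targetResources": [{"id": "sp-2222", "displayName": "build-bot"}]},
]

# Constructed inventory: Microsoft Graph application roles granted to each
# service principal (what an admin-consent review would produce).
APP_ROLES: Dict[str, List[str]] = {
    "sp-1111": ["Mail.Read", "User.Read.All"],
    "sp-2222": ["Sites.Read.All"],
}

# Graph application roles that allow reading mailboxes tenant-wide.
MAIL_ROLES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}
# Audit activity that records a new key or certificate on a service principal.
CREDENTIAL_EVENTS = {"Add service principal credentials"}


def find_credential_additions(log: List[dict], app_roles: Dict[str, List[str]]) -> List[dict]:
    """Return one finding per service principal that received a new credential;
    severity is 'high' when that principal can already read mail via Graph."""
    findings = []
    for rec in log:
        if rec["activityDisplayName"] not in CREDENTIAL_EVENTS:
            continue
        for target in rec["targetResources"]:
            roles = set(app_roles.get(target["id"], []))
            findings.append({
                "time": rec["activityDateTime"],
                "principal": target["displayName"],
                "actor": rec["initiatedBy"],
                "severity": "high" if roles & MAIL_ROLES else "medium",
                "mail_roles": sorted(roles & MAIL_ROLES),
            })
    return findings


if __name__ == "__main__":
    for f in find_credential_additions(AUDIT_LOG, APP_ROLES):
        print(f"{f['time']} {f['severity']:6} {f['principal']} by {f['actor']} {f['mail_roles']}")
```

Every hit should be reconciled against a change ticket; a credential added to a principal with mailbox-wide read access and no matching change is the pattern worth escalating.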
A thorough review of the attack has shown that the attacker only obtained access to a small subset of internal business emails. A more serious attack on the company's network, however, would have had a serious impact on its operations and would have affected its customers globally.