
The security firm Malwarebytes said it was breached by the same nation-state-backed hackers who compromised a dozen or more U.S. government agencies and private companies.
The attackers are best known for first compromising Austin, Texas-based SolarWinds, taking over its software distribution system and infecting the networks of customers who use SolarWinds’ network management software. However, in an online notice, Malwarebytes said the attackers had used a different vector against it.
“Although Malwarebytes does not use SolarWinds, we, like many other companies, have recently been targeted by the same threat actor,” the notice reads. “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.”
Investigators determined that the attacker had gained access to a limited subset of internal company emails. To date, investigators have found no evidence of unauthorized access or compromise in any Malwarebytes production environment.
The notice is not the first time investigators have said the SolarWinds software supply-chain attack was not the only means of infection.
When the mass compromise came to light last month, Microsoft said the hackers had also stolen signing certificates that let them impersonate any of a target’s existing users and accounts through the Security Assertion Markup Language. The XML-based language, usually abbreviated SAML, gives identity providers a way to exchange authentication and authorization data with service providers.
Twelve days ago, the Cybersecurity & Infrastructure Security Agency said the attackers may have gained initial access by password guessing or password spraying, or by using administrative or service credentials.
Mimecast
“In our particular case, the threat actor added a self-signed certificate with credentials to the service principal account,” Malwarebytes researcher Marcin Kleczynski wrote. “From there, they can authenticate using the key and make API calls to request emails via MSGraph.”
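A defender-side check for the pattern Kleczynski describes (a credential added to a service principal, then that principal authenticating to Microsoft Graph to pull mail), as an added example that is not part of the original article or of Malwarebytes’ own tooling; the log field names and the sample records are constructed assumptions modelled on the Azure AD audit and sign-in log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records shaped like Azure AD directory-audit and service-principal
# sign-in entries; field names are assumptions modelled on the Graph auditLog schema.
AUDIT_LOG = """
{"activityDateTime":"2020-12-10T02:14:00Z","activityDisplayName":"Add service principal credentials","initiatedBy":{"user":{"userPrincipalName":"admin@example.test"}},"targetResources":[{"id":"sp-111","displayName":"mail-sync-app","type":"ServicePrincipal"}]}
{"activityDateTime":"2020-12-10T09:30:00Z","activityDisplayName":"Add member to role","initiatedBy":{"user":{"userPrincipalName":"admin@example.test"}},"targetResources":[{"id":"u-5","displayName":"Alice","type":"User"}]}
{"activityDateTime":"2020-12-12T22:05:00Z","activityDisplayName":"Update application – Certificates and secrets management","initiatedBy":{"user":{"userPrincipalName":"svc-backup@example.test"}},"targetResources":[{"id":"app-222","displayName":"backup-agent","type":"Application"}]}
"""
SIGNIN_LOG = """
{"createdDateTime":"2020-12-10T02:40:00Z","servicePrincipalId":"sp-111","resourceDisplayName":"Microsoft Graph","ipAddress":"203.0.113.7"}
{"createdDateTime":"2020-12-20T11:00:00Z","servicePrincipalId":"sp-111","resourceDisplayName":"Microsoft Graph","ipAddress":"203.0.113.7"}
{"createdDateTime":"2020-12-12T23:15:00Z","servicePrincipalId":"sp-222","resourceDisplayName":"Azure Storage","ipAddress":"198.51.100.9"}
"""
# Audit operations that add a certificate or secret to an app identity.
CREDENTIAL_OPS = {"Add service principal credentials",
                  "Update application – Certificates and secrets management"}
FMT = "%Y-%m-%dT%H:%M:%SZ"

def _load(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def credential_additions(audit_text):
    """(time, sp id, sp name, actor) for each credential added to a service principal.
    Application-object updates are skipped: they need an app->SP id mapping first."""
    out = []
    for rec in _load(audit_text):
        if rec["activityDisplayName"] not in CREDENTIAL_OPS:
            continue
        actor = rec["initiatedBy"]["user"]["userPrincipalName"]
        for t in rec["targetResources"]:
            if t["type"] == "ServicePrincipal":
                out.append((rec["activityDateTime"], t["id"], t["displayName"], actor))
    return out

def suspicious_graph_access(audit_text, signin_text, window_hours=72):
    """Credential additions followed within the window by that service principal
    authenticating to Microsoft Graph, the pattern described in the notice."""
    signins = _load(signin_text)
    hits = []
    for added_at, sp_id, name, actor in credential_additions(audit_text):
        for s in signins:
            if s["servicePrincipalId"] != sp_id or s["resourceDisplayName"] != "Microsoft Graph":
                continue
            delta = datetime.strptime(s["createdDateTime"], FMT) - datetime.strptime(added_at, FMT)
            if timedelta(0) <= delta <= timedelta(hours=window_hours):
                hits.append({"service_principal": name, "credential_added_by": actor,
                             "graph_signin_at": s["createdDateTime"], "ip": s["ipAddress"]})
    return hits
```

In a real tenant the same correlation would be run over exported directory audit and service-principal sign-in logs, and any hit reviewed against a change record for that app identity.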
Last week, email management provider Mimecast also said that hackers had compromised a digital certificate it issued and were using it to target certain customers who use the certificate to encrypt data they send and receive through the company’s cloud-based service. Although Mimecast did not say the certificate compromise was related to the ongoing attack, the similarities make it likely that the two are connected.
Because the attackers used their access to the SolarWinds network to compromise that company’s software build system, Malwarebytes researchers investigated the possibility that the attackers could likewise have used their access to infect Malwarebytes’ customers. So far, Malwarebytes has said it has no evidence of such an infection. The company also examined its source code repositories for signs of malicious changes.
Malwarebytes said it first learned of the intrusion from Microsoft on December 15, two days after the SolarWinds hack was first announced. Microsoft identified the compromise from suspicious activity by a third-party application in Malwarebytes’ Microsoft Office 365 tenant. The tactics, techniques and procedures in the Malwarebytes attack were in key ways similar to those of the threat actor involved in the SolarWinds attacks.
Malwarebytes’ announcement is the fourth time a company has disclosed that it was targeted by the SolarWinds hackers. Microsoft and security firms FireEye and CrowdStrike were also targeted, although CrowdStrike said the attempt to infect its network was unsuccessful. Government agencies reported to be affected include the Departments of Defense, Justice, Treasury, Commerce and Homeland Security, as well as the National Institutes of Health.