Security firm Malwarebytes said it had been breached by the same state-sponsored hackers who had compromised a dozen or more US government agencies and private companies.
The attackers are best known for hacking into SolarWinds of Austin, Texas, by compromising its software distribution system and using it to infect the networks of customers using SolarWinds’ network management software. However, in an online post, Malwarebytes said the attackers were using a different vector.
“While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor,” the post reads. “We can confirm the existence of another intrusion vector that works by exploiting applications with privileged access to Microsoft Office 365 and Azure environments.”
Investigators determined that the attacker gained access to a limited subset of internal company emails. So far, the researchers have found no evidence of unauthorized access or compromise in Malwarebytes production environments.
The report isn’t the first time researchers have said the attack on the SolarWinds software supply chain wasn’t the only means of infection.
When the massive compromise came to light last month, Microsoft said the hackers had also stolen signing certificates that would allow them to impersonate a target’s existing users and accounts via its Security Assertion Markup Language. The XML-based language, commonly abbreviated as SAML, provides identity providers with a way to exchange authentication and authorization information with service providers.
Twelve days ago, the Cybersecurity & Infrastructure Security Agency said the attackers may have gained initial access by guessing or spraying passwords, or misusing administrator or service credentials.
“In our particular case, the threat actor added a self-signed certificate with credentials to the service principal account,” wrote Malwarebytes researcher Marcin Kleczynski. “From there, they can authenticate using the key and make API calls to query emails via MSGraph.”
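A defender-side check for the credential-addition step Kleczynski describes, added here as an example that is not from Malwarebytes or the original article: it scans Azure AD audit records for certificate credentials added to service principals and flags actors outside an allow-list. The JSON field names, operation name and sample records are assumptions constructed for illustration, not a documented schema, and should be checked against your own tenant's audit export.

```python
"""Spot certificate credentials being added to Azure AD service principals.
Constructed sample data and assumed field names; verify against your tenant's export."""
import json
import re
from typing import Dict, Iterator, List

CREDENTIAL_OPS = {"Add service principal credentials"}   # assumed operation name
KEYTYPE_RE = re.compile(r"KeyType=(\w+)")

# Constructed sample audit log, one JSON record per line (not real telemetry).
SAMPLE_AUDIT_LOG = """\
{"activityDateTime":"2020-12-01T02:13:44Z","activityDisplayName":"Add service principal credentials","initiatedBy":{"user":{"userPrincipalName":"svc-automation@example.com"}},"targetResources":[{"displayName":"mail-sync-app","modifiedProperties":[{"displayName":"KeyDescription","newValue":"[KeyIdentifier=0f3a,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=mail-sync-app]"}]}]}
{"activityDateTime":"2020-12-01T09:00:02Z","activityDisplayName":"Add service principal credentials","initiatedBy":{"user":{"userPrincipalName":"alice@example.com"}},"targetResources":[{"displayName":"ci-deployer","modifiedProperties":[{"displayName":"KeyDescription","newValue":"[KeyIdentifier=77b1,KeyType=Password,KeyUsage=Verify,DisplayName=rotated secret]"}]}]}
{"activityDateTime":"2020-12-02T11:30:10Z","activityDisplayName":"Update application","initiatedBy":{"user":{"userPrincipalName":"alice@example.com"}},"targetResources":[{"displayName":"ci-deployer","modifiedProperties":[]}]}
"""


def iter_credential_additions(log_text: str) -> Iterator[Dict[str, object]]:
    """Yield one finding per credential (of any type) added to a service principal."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("activityDisplayName") not in CREDENTIAL_OPS:
            continue
        actor = (event.get("initiatedBy", {}).get("user", {})
                 .get("userPrincipalName", "<app or unknown>"))
        for target in event.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "KeyDescription":
                    continue
                m = KEYTYPE_RE.search(prop.get("newValue", ""))
                yield {"time": event["activityDateTime"], "actor": actor,
                       "service_principal": target.get("displayName", "?"),
                       "key_type": m.group(1) if m else "unknown"}


def certificate_additions(log_text: str, approved_actors: List[str]) -> List[Dict[str, object]]:
    """Keep only X.509 key additions (the vector described) and mark unexpected actors."""
    findings = []
    for f in iter_credential_additions(log_text):
        if f["key_type"] != "AsymmetricX509Cert":
            continue
        f["approved_actor"] = f["actor"] in approved_actors
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in certificate_additions(SAMPLE_AUDIT_LOG, approved_actors=["alice@example.com"]):
        flag = "" if f["approved_actor"] else "  <-- review: unexpected actor"
        print(f"{f['time']} {f['actor']} added cert to {f['service_principal']}{flag}")
```

A hit from an actor outside the allow-list is the point to pull the service principal's granted Graph permissions and sign-in logs, since a key added this way leaves no user sign-in behind.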
Last week, email management provider Mimecast also said hackers compromised a digital certificate it issued and used it to target select customers who are using it to encrypt data they sent and received through the company’s cloud service. While Mimecast didn’t say the certificate compromise was related to the ongoing attack, the similarities make it likely that the two attacks are related.
Because the attackers used their access to the SolarWinds network to compromise that company’s software build system, Malwarebytes researchers investigated the possibility that their own build systems were likewise being used to infect Malwarebytes customers. So far, Malwarebytes said it has no evidence of such an infection. The company has also inspected its source code repositories for signs of malicious changes.
Malwarebytes said it first learned of the intrusion from Microsoft on December 15, two days after the SolarWinds hack was first revealed. Microsoft identified the compromise from suspicious activity by a third-party application in Malwarebytes’ Microsoft Office 365 tenant. The tactics, techniques, and procedures in the Malwarebytes attack were similar in important ways to those of the threat actor behind the SolarWinds attacks.
The Malwarebytes report marks the fourth time a company has disclosed that it was targeted by the SolarWinds hackers. Microsoft and security firms FireEye and CrowdStrike have also been targeted, although CrowdStrike has said the attempt to infect its network was unsuccessful. Government agencies reportedly affected include the Departments of Defense, Justice, Finance, Commerce and Homeland Security, as well as the National Institutes of Health.