Skip to main content

Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments

A nation state attack leveraging software from SolarWinds has caused a ripple effect throughout the security industry, impacting multiple organizations. We first reported on the event in our December 14 blog and notified our business customers using SolarWinds asking them to take precautionary measures.

While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

How did this impact Malwarebytes?

We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks.

We immediately activated our incident response group and engaged Microsoft's Detection and Response Team (DART). Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert. The investigation indicates the attackers exploited an Azure Active Directory weakness that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.

Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use.

What we know: SolarWinds Attackers Also Target Administrative and Service Credentials

As the US Cybersecurity and Infrastructure Security Agency (CISA) stated, the adversary did not only rely on the SolarWinds supply-chain attack but indeed used additional means to compromise high-value targets by exploiting administrative or service credentials.

In 2019, a security researcher exposed a flaw with Azure Active Directory where one could escalate privileges by assigning credentials to applications. In September 2019, he found that the vulnerability still existed and essentially lead to backdoor access to principals' credentials into Microsoft Graph and Azure AD Graph.

Third-party applications can be abused if an attacker with sufficient administrative privilege gains access to a tenant. A newly released CISA report reveals how threat actors may have obtained initial access by password guessing or password spraying in addition to exploiting administrative or service credentials. In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph.

For many organizations, securing Azure tenants may be a challenging task, especially when dealing with third-party applications or resellers. CrowdStrike has released a tool to help companies identify and mitigate risks in Azure Active Directory.

Coming together as an industry

While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets. It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation state actors.

We would like to thank the security community, particularly FireEye, CrowdStrike, and Microsoft for sharing so many details regarding this attack. In an already difficult year, security practitioners and incident responders responded to the call of duty and worked throughout the holiday season, including our own dedicated employees. The security industry is full of exceptional people who are tirelessly defending others, and today it is strikingly evident just how essential our work is moving forward.

The post Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments appeared first on Malwarebytes Labs.



from Malwarebytes Labs full article here

Popular posts from this blog

Malwarebytes CrackMe 2: contest summary

About three weeks ago, we published our second CrackMe . It triggered a lot of interest, and we got many high-quality write-ups. Choosing the winner was really difficult! In this post, I am going to summarize the contest and comment on the received submissions. CrackMe 2 challenge The topic of the challenge was Python, and its goal was to teach how the Python scripts can be packaged and integrated with native executables. The involved Python script was not obfuscated, and the user was supposed to adapt it for the purpose of finding the solution. The CrackMe was made of three components, cooperating with each other: a Python script (converted to EXE with the help of PyInstaller) a native DLL, loaded with the help of the above script a Python script unpacked by the DLL and injected into Actxproxy.dll In the first level, the user was supposed to find a valid PIN to decode a URL, from which the next level was downloaded. The next level was a native DLL that was inject...

Windows Driver Backup and Restore Guide and Software for All Versions

Computer is a collection of hardware and To work properly these hardware we need to install some drivers. Drivers may vary for different versions of operating systems. By default an operating system doesn't have all your computer drivers so we need to take driver backup from current OS for future use. Virus and Worms becomes more popular now to corrupt our computer or their software and that is another reason to always keep your computer driver backup to re-use them without any issue. Taking your driver backup can solve a lot of issue related to your computer. Windows Driver Backup and Restore Guide The method is very manageable and smooth, You will need to use a utility software that will create backup of all drivers in your Windows operating system and later you can restore them whenever you change your operating system, or some of your drivers get corrupted. So proceed with some simple steps below. Steps to Backup and Restore Drivers on Windows Using Double Driver Fi...

Malwarebytes CrackMe 2: try another challenge

Last November, we released the first edition of the  Malwarebytes CrackMe . Encouraged by the positive response we received from the security community, we decided to repeat the game, hopefully making it even more interesting and entertaining. As before, the CrackMe is dedicated to malware analysts and to those who want to practice becoming them. That's why it is not just a set of some abstract riddles, but an exercise that walks through selected tricks that were used in real malware. (Expect some original schemes designed just for this game, too.) Of course, all is demonstrated on harmless examples, but we still recommend you use VM for reversing it so that it will not interfere with any antivirus protection. Rules of the contest There are two CrackMe contests: Capture the flag.  The first three submitted flags win. The flag should be submitted along with (minimalistic) notes about the steps taken to find it. (No detailed write-up is required.) Best write-up . Th...