- Malwarebytes was the target of a cyberattack which abused applications with privileged access in Microsoft Office 365 and Azure to attack users, Marcin Kleczynski, co-founder and CEO said in a blogpost Tuesday. The company blamed the same threat actors suspected in the SolarWinds attack, though Kleczynski noted Malwarebytes does not use SolarWinds technology.
- The attackers gained access to a limited subset of internal company emails, the company said. There was no evidence that internal on-premises or production environments were compromised.
- "While we have learned a lot of information in a short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets," Kleczynski said. He added that it was "imperative" that security companies continue to share information in light of such complex nation-state attacks.
CISA previously alerted the industry about additional vectors beyond SolarWinds, and on Jan. 8 issued an alert warning about post-compromise advanced persistent threat activity in the cloud environment that involved the victim's Microsoft 365/Azure environment. A CISA spokesperson referenced the alert to Cybersecurity Dive Tuesday following a query about the Malwarebytes attack.
The Microsoft Security Response Center notified Malwarebytes on Dec. 15 about suspicious activity involving its Microsoft 365 tenant that was consistent with the same tactics, techniques and procedures used by the SolarWinds attacker, Kleczynski said in the Malwarebytes blog.
Microsoft and Malwarebytes investigated the incident and found the attackers exploited a weakness in the Azure Active Directory that allowed access to a limited number of internal emails.
"Our ongoing investigation of recent attacks has found this advanced and sophisticated threat actor had several techniques in their toolkit," Jeff Jones, senior director at Microsoft told Cybersecurity Dive in a statement. "We have not identified any vulnerabilities in our products or cloud services."
Microsoft added that once an attacker has compromised a larger network, they may have access to a range of systems, and said it is frequently updating its guidance to customers and partners.
Security researchers discovered in 2019 that a flaw in Azure Active Directory could allow an attacker to escalate privileges, according to Mimecast. By September 2019, the same researcher found the vulnerability still existed, allowing access to credentials in Microsoft Graph and Azure AD Graph.
Last week Mimecast disclosed an attack that used Microsoft to compromise the email security provider. In that attack, the threat actor compromised a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor and IEP Products to Microsoft 365 Exchange Services.
Reuters and the Wall Street Journal previously reported that the Mimecast hack could involve the same hackers that targeted SolarWinds, but Mimecast did not confirm those reports and claimed some of the coverage of their incident was "speculative."