SolarWinds hackers hit Malwarebytes through Microsoft exploit

By Keumars Afifi-Sabet (https://www.cloudpro.co.uk/authors/keumars-afifi-sabet-0), 20 Jan 2021. Originally published on Cloud Pro (https://www.cloudpro.co.uk/); this copy: https://icloud.pe/blog/solarwinds-hackers-hit-malwarebytes-through-microsoft-exploit/

Malwarebytes has said that the same state-backed group whose attack on SolarWinds (https://www.itpro.co.uk/security/358111/solarwinds-confirms-cyber-attack) came to light in December was able to read some of its internal emails by abusing applications that held privileged access to its Microsoft 365 and Azure environments.

The hackers gained limited access to internal Malwarebytes emails, according to CEO Marcin Kleczynski (https://blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-azure-environments/), by abusing applications with privileged access to Microsoft 365 and Azure environments.

The security firm first became aware of the intrusion after the Microsoft Security Response Center (MSRC) spotted unusual activity from a third-party application inside Malwarebytes' Microsoft 365 tenant. Microsoft was at the time auditing its own Office 365 and Azure infrastructure for signs of compromise, as details of the SolarWinds attack were beginning to emerge (https://www.itpro.co.uk/security/358153/microsoft-blocks-customer-access-to-malicious-solarwinds-binaries).

The attackers used tactics, techniques and procedures similar to those seen in the SolarWinds compromise, but the entry point was different: Malwarebytes does not run SolarWinds software, and the intrusion instead went through a dormant email protection product within the firm's Office 365 tenant. That product's standing access is what gave the attackers a limited subset of internal emails.

The attackers did not reach Malwarebytes' source code, and the company says its products remained safe to use throughout.

"While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor," Kleczynski said.

"After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments."

The technique behind the access is one that Fox-IT researcher Dirk-jan Mollema demonstrated at Troopers 2019 (https://www.troopers.de/troopers19/agenda/y3nswp/): an Azure Active Directory weakness in which anyone able to administer an application or its service principal can add their own credentials to it, and from then on act with every permission that application has been granted. It is a misuse of a legitimate directory capability rather than a memory-safety bug, which is why the audit trail of credential changes on applications is the place to look for it.

An early-January alert from the US Cybersecurity and Infrastructure Security Agency (CISA), AA21-008A (https://us-cert.cisa.gov/ncas/alerts/aa21-008a), also described how the same actor obtained access to Microsoft 365 in other environments by password spraying, in addition to exploiting poorly secured administrative credentials.

In the Malwarebytes case, the attackers added a self-signed certificate as a credential on the service principal of that dormant application. Azure AD accepts any public key registered on the service principal, so the certificate needed no issuer: holding the matching private key, the attackers could obtain an access token as the application and call the Microsoft Graph API to request mail on its behalf.

The SolarWinds breach was certainly one of the most significant security incidents of last year (https://www.itpro.co.uk/security/358164/the-scariest-security-horror-stories-of-2020) and carries wide-reaching implications for the industry. Since the turn of the year, it has been revealed that the attackers accessed Microsoft source code in the breach (https://www.itpro.co.uk/security/358216/hackers-accessed-microsoft-source-code-in-solarwinds-attack), and had first breached SolarWinds' systems as far back as September 2019 (https://www.itpro.co.uk/security/358288/solarwinds-hackers-breached-systems-september-2019).
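The credential-on-a-service-principal step described above is visible in the Azure AD audit log as an "Add service principal credentials" (or "Update application: Certificates and secrets management") event whose KeyDescription property gains a new key. As an added example, not code from the article, Malwarebytes or Microsoft, here is a small Python hunt over audit records of the shape the Microsoft Graph directoryAudits endpoint returns (activityDisplayName, category, initiatedBy, targetResources, modifiedProperties). It flags every newly added key and raises the severity when the service principal already holds mailbox-reading application permissions, which is the combination that turned a dormant mail product into a mail reader. The sample records, tenant names and permission map are constructed for the demo; in a real tenant the records come from Graph or the Sentinel AuditLogs table and the permission map from appRoleAssignments.

```python
"""Hunt for credentials added to Azure AD service principals.

Added example for this article, not Malwarebytes' or Microsoft's code.
Record fields follow the Microsoft Graph directoryAudit resource; the sample
records, names and permission map below are constructed for the demo.
"""
import json
import re

# Application-level permissions that let an app read mailboxes with no user present.
MAIL_READ_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All", "full_access_as_app"}

# One KeyDescription entry looks like
# "[KeyIdentifier=<guid>,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=...]".
KEY_RE = re.compile(r"KeyIdentifier=(?P<id>[^,\]]+).*?KeyType=(?P<type>[^,\]]+)")


def is_credential_op(activity: str) -> bool:
    """True for the audit operations Azure AD writes when app credentials change."""
    a = activity.strip().lower()
    return a == "add service principal credentials" or (
        a.startswith("update application") and "certificates and secrets" in a
    )


def parse_keys(value):
    """Parse a KeyDescription old/new value (JSON list of strings) into {key_id: key_type}."""
    if not value:
        return {}
    try:
        entries = json.loads(value)
    except (json.JSONDecodeError, TypeError):
        return {}
    keys = {}
    for entry in entries:
        m = KEY_RE.search(str(entry))
        if m:
            keys[m.group("id")] = m.group("type")
    return keys


def find_credential_additions(records, app_permissions):
    """One finding per key present in newValue but absent from oldValue.

    app_permissions maps a service principal display name to its granted
    application permissions; a finding is 'high' when those include mailbox access.
    """
    findings = []
    for rec in records:
        if rec.get("category") != "ApplicationManagement":
            continue
        if not is_credential_op(rec.get("activityDisplayName", "")):
            continue
        by = rec.get("initiatedBy") or {}
        actor = ((by.get("user") or {}).get("userPrincipalName")
                 or (by.get("app") or {}).get("displayName") or "unknown")
        for target in rec.get("targetResources") or []:
            if target.get("type") not in ("ServicePrincipal", "Application"):
                continue
            name = target.get("displayName") or "?"
            mail_perms = sorted(app_permissions.get(name, set()) & MAIL_READ_PERMISSIONS)
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") != "KeyDescription":
                    continue
                old = parse_keys(prop.get("oldValue"))
                for key_id, key_type in parse_keys(prop.get("newValue")).items():
                    if key_id in old:
                        continue  # key already existed; not an addition
                    findings.append({
                        "time": rec.get("activityDateTime"), "actor": actor, "target": name,
                        "key_id": key_id, "key_type": key_type, "mail_permissions": mail_perms,
                        "severity": "high" if mail_perms else "medium",
                    })
    return findings


# --- constructed sample data (hypothetical tenant, not real log lines) ---
def key_desc(key_id, key_type, label):
    return f"[KeyIdentifier={key_id},KeyType={key_type},KeyUsage=Verify,DisplayName={label}]"


def audit(time, op, actor, target, old_keys, new_keys, category="ApplicationManagement"):
    return {"activityDateTime": time, "activityDisplayName": op, "category": category,
            "initiatedBy": {"user": {"userPrincipalName": actor}, "app": None},
            "targetResources": [{"type": "ServicePrincipal", "displayName": target,
                                 "modifiedProperties": [{"displayName": "KeyDescription",
                                                         "oldValue": json.dumps(old_keys),
                                                         "newValue": json.dumps(new_keys)}]}]}


SAMPLE_AUDIT_RECORDS = [
    # A certificate added to a dormant mail-capable app: the pattern from the article.
    audit("2020-12-15T10:02:11Z", "Add service principal credentials", "appadmin@example.test",
          "Legacy Mail Protection Connector", [],
          [key_desc("1111-aaaa", "AsymmetricX509Cert", "CN=mailprotect")]),
    # Routine secret rotation on a deploy bot that has no mailbox permissions.
    audit("2020-12-15T11:30:00Z", "Add service principal credentials", "devops@example.test",
          "CI Deploy Bot", [key_desc("2222-bbbb", "Password", "old")],
          [key_desc("2222-bbbb", "Password", "old"), key_desc("3333-cccc", "Password", "new")]),
    # Unrelated event that the hunt must ignore.
    audit("2020-12-15T12:00:00Z", "Update user", "hr@example.test", "J. Doe", [], [],
          category="UserManagement"),
]
SAMPLE_APP_PERMISSIONS = {
    "Legacy Mail Protection Connector": {"Mail.Read", "User.Read.All"},
    "CI Deploy Bot": {"Application.ReadWrite.OwnedBy"},
}

if __name__ == "__main__":
    for f in find_credential_additions(SAMPLE_AUDIT_RECORDS, SAMPLE_APP_PERMISSIONS):
        print(f"{f['severity']:6} {f['time']} {f['actor']} added {f['key_type']} to "
              f"'{f['target']}' (mail perms: {', '.join(f['mail_permissions']) or 'none'})")
```

Running the file prints one line per finding: the certificate added to the dormant mail connector comes out as high, the secret rotation on the deploy bot as medium, and the user update is ignored. The same logic maps directly onto Sentinel's AuditLogs table, where OperationName, InitiatedBy and TargetResources carry these fields; the point of the permission join is that a new key on an application nobody uses, but which already holds Mail.Read, is the exact precondition for the mail access described in the article.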