The hackers behind the SolarWinds breach also infiltrated Malwarebytes, but they only managed to gain access to some internal emails, according to the antivirus provider’s investigation.
The intrusion didn’t occur through SolarWinds’ IT software, which Malwarebytes doesn’t use. Instead, the attackers abused the company’s Microsoft Office 365 and Azure accounts.
“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” Malwarebytes said in a blog post on Tuesday.
Specifically, the hackers broke in via Microsoft’s Azure Active Directory, which companies can use to secure employees’ access to corporate IT systems. On Dec. 15—the day after the SolarWinds hack became public—Microsoft told the antivirus provider it had noticed suspicious activity coming from a third-party application within Malwarebytes’ Office 365 system.
“The investigation indicates the attackers exploited an Azure Active Directory weakness that allowed access to a limited subset of internal company emails,” Malwarebytes said. The tactics and techniques used during the intrusion were also consistent with the SolarWinds breach.
Fortunately, Malwarebytes had never connected its Microsoft Azure cloud services to its antivirus production environments. Nevertheless, the security firm embarked on a full investigation to find any signs of possible tampering across the company’s systems, including within product source code and software delivery processes.
“Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments,” Malwarebytes said. “Our software remains safe to use.”
A successful hack of Malwarebytes’ antivirus products would be disastrous for users across the globe. The company is a trusted name in IT security, and says it protects more than 60,000 businesses in addition to millions of consumers.
Malwarebytes’ investigation discovered the hackers leveraged a known weakness in Azure Active Directory that security researcher Dirk-jan Mollema reported in 2019. An attacker who compromises an “Application Admin” account or the “On-Premise Sync” account can grant themselves the privileges of a client’s existing Microsoft 365 applications, paving the way for backdoor access into a victim’s corporate IT systems.
“The escalation is still possible since this behavior is considered to be ‘by-design’ and thus remains a risk,” Mollema wrote in September 2019.
Malwarebytes also points out the hackers may have gained access to its application admin accounts via password guessing. From there, the attackers escalated the account’s privileges. “In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph (Microsoft Graph),” the company added.
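The step Malwarebytes describes above, a credential added to an existing service principal that already holds mail-reading permissions, is exactly what a tenant administrator can hunt for in Azure AD audit logs. The following script is an added example, not code from the article or from Malwarebytes: it scans a batch of audit events for credential additions to service principals whose granted Microsoft Graph permissions include mailbox access, and counts how many credential additions each admin account initiated. The record layout, the operation names, the service-principal names and the permission inventory are constructed for the example and should be matched against your own tenant’s exports.

```python
"""Scan Azure AD audit events for credentials added to privileged service principals.

Constructed sample data. The record layout is a simplified stand-in for an
Azure AD AuditLogs export (an assumption for this example, not Microsoft's schema).
"""
from collections import Counter
from dataclasses import dataclass

# Audit-log operations that add a key or secret to an application/service principal.
# Names are assumed for the example; check them against your own log exports.
CREDENTIAL_ADD_OPERATIONS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# Microsoft Graph application permissions that allow reading mailboxes tenant-wide
# (assumed watch-list for this example; extend it for your tenant).
MAIL_ACCESS_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Constructed inventory: service principal display name -> granted app permissions.
SP_PERMISSIONS = {
    "sp-legacy-mail-protection": {"Mail.Read", "User.Read.All"},
    "sp-hr-dashboard": {"User.Read.All"},
}

# Constructed audit events; none of this is real Malwarebytes or Microsoft data.
SAMPLE_AUDIT_EVENTS = [
    {
        "activityDateTime": "2020-12-01T03:14:07Z",
        "operationName": "Add service principal credentials",
        "initiatedBy": "appadmin@example.com",
        "targetType": "ServicePrincipal",
        "targetDisplayName": "sp-legacy-mail-protection",
        "keyType": "AsymmetricX509Cert",  # certificate credential, as in the intrusion
    },
    {
        "activityDateTime": "2020-12-01T09:00:00Z",
        "operationName": "Add service principal credentials",
        "initiatedBy": "appadmin@example.com",
        "targetType": "ServicePrincipal",
        "targetDisplayName": "sp-hr-dashboard",
        "keyType": "Password",
    },
    {
        "activityDateTime": "2020-12-01T10:30:00Z",
        "operationName": "Update user",
        "initiatedBy": "helpdesk@example.com",
        "targetType": "User",
        "targetDisplayName": "jdoe@example.com",
        "keyType": None,
    },
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    actor: str
    service_principal: str
    key_type: str
    permissions: tuple  # the sensitive permissions the service principal already holds


def find_credential_adds_on_privileged_sps(events, sp_permissions,
                                           sensitive=MAIL_ACCESS_PERMISSIONS):
    """Return a Finding for each credential added to a service principal that
    already holds one of the sensitive Graph permissions."""
    findings = []
    for ev in events:
        if ev.get("operationName") not in CREDENTIAL_ADD_OPERATIONS:
            continue
        if ev.get("targetType") != "ServicePrincipal":
            continue
        sp = ev.get("targetDisplayName", "")
        held = sp_permissions.get(sp, set()) & sensitive
        if not held:
            continue  # new credential, but the SP cannot read mail with it
        findings.append(Finding(
            timestamp=ev.get("activityDateTime", ""),
            actor=ev.get("initiatedBy", "<unknown>"),
            service_principal=sp,
            key_type=ev.get("keyType") or "<unknown>",
            permissions=tuple(sorted(held)),
        ))
    return findings


def credential_adds_by_actor(events):
    """Count credential-add operations per initiating account. A burst from one
    Application Admin account is what to reconcile against change records, since
    such an account may have been taken over by password guessing."""
    return Counter(
        ev.get("initiatedBy", "<unknown>")
        for ev in events
        if ev.get("operationName") in CREDENTIAL_ADD_OPERATIONS
    )


if __name__ == "__main__":
    for f in find_credential_adds_on_privileged_sps(SAMPLE_AUDIT_EVENTS, SP_PERMISSIONS):
        print(f"{f.timestamp} {f.actor} added {f.key_type} to {f.service_principal} "
              f"holding {', '.join(f.permissions)}")
    print(dict(credential_adds_by_actor(SAMPLE_AUDIT_EVENTS)))
```

On the sample data only the certificate added to the mail-capable service principal is flagged; the secret added to the HR dashboard is a credential addition too, but that principal cannot read mail, so it is reported only in the per-actor count. In practice the permission inventory comes from the tenant’s app-role assignments, and every flagged event should be reconciled with a change ticket before the credential is removed.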
The intrusion at Malwarebytes underscores how the SolarWinds hackers were likely using a variety of intrusion vectors, not just the compromised SolarWinds software, to spy on their victims, which include numerous US government agencies. “There is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets,” Malwarebytes added.
According to US intelligence, the culprits behind the SolarWinds breach are likely hackers working from Russia. The Kremlin has repeatedly denied any involvement.
So far, Microsoft hasn’t commented on the hack at Malwarebytes and whether it’ll patch the weakness in Azure Active Directory. We’ll update the story if we hear back.