US cybersecurity firm Malwarebytes recently joined the ever-expanding list of security companies attacked by Dark Halo, the same group that targeted SolarWinds in 2020. FireEye, Microsoft, and CrowdStrike are also on that list.
Malwarebytes disclosed the incident in an emailed statement, in which it confirmed that the intrusion was carried out by “the same threat actor” that attacked Texas-based SolarWinds, a conclusion reached on the basis of the tactics, techniques and procedures used.
However, the security firm was careful to point out that the attack is not directly related to the SolarWinds supply-chain incident, since the company does not use any SolarWinds software in its internal network.
Instead, the hackers exploited a weakness in the Azure Active Directory and a dormant email protection product within its Office 365 applications to breach the company’s internal systems.
Malwarebytes was informed of the breach on December 15, 2020, by the Microsoft Security Response Center (MSRC), which had detected suspicious activity originating from the dormant Office 365 security application.
Microsoft discovered the activity because, at the time, it was auditing its Office 365 and Azure systems for signs of malicious apps built by the SolarWinds hackers, also known in the cyber-security community as UNC2452.
Once Malwarebytes learned of the breach, it immediately began an extensive internal investigation to determine what the hackers had accessed.
According to Marcin Kleczynski, Malwarebytes’ co-founder and current CEO, “A newly released CISA report reveals how threat actors may have obtained initial access by password guessing or password spraying in addition to exploiting administrative or service credentials.”
“In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph,” he added.
In other words, the investigation determined that the attacker only gained access to a limited subset of internal company emails.
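The mechanism Kleczynski describes (a key credential attached to a service principal, then Graph API calls to read mail) points to the check a tenant administrator would want to run after reading this. The script below is an added example, not Malwarebytes’ or Microsoft’s code: it flags service principals that hold mail-reading Graph application permissions and have had a key or password credential added within a recent window, and separately lists credential-addition events from a directory audit export so the actor behind each addition can be reviewed. The record shapes loosely follow Microsoft Graph’s servicePrincipal and directoryAudit resources, but every record here is constructed sample data, and the `grantedAppRoles` field is an assumed simplification (in Graph, granted roles come from appRoleAssignments).

```python
"""Hunt for the pattern described above: a credential added to an Azure AD
service principal that is allowed to read mail through Microsoft Graph.

Added example, not Malwarebytes' or Microsoft's code. Record shapes loosely
follow Graph's servicePrincipal and directoryAudit resources, but every
record below is CONSTRUCTED sample data, and `grantedAppRoles` is an assumed
simplification (Graph exposes granted roles via appRoleAssignments).
"""
from datetime import datetime, timedelta, timezone

# Microsoft Graph application permissions that allow reading mailboxes.
MAIL_ROLES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}


def parse_graph_time(ts: str) -> datetime:
    """Graph timestamps look like 2020-12-10T09:30:00Z; make them tz-aware."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def recent_credentials(principal: dict, now: datetime, window: timedelta) -> list:
    """Key and password credentials whose start time falls inside the window."""
    hits = []
    for kind in ("keyCredentials", "passwordCredentials"):
        for cred in principal.get(kind, []):
            added = parse_graph_time(cred["startDateTime"])
            if now - added <= window:
                hits.append((kind, cred.get("displayName", "<unnamed>"), added))
    return hits


def find_suspicious_principals(principals: list, now: datetime, window_days: int = 30) -> list:
    """Principals that can read mail AND gained a credential recently.

    A dormant integration that suddenly receives a new key or secret is the
    combination worth a human look; either condition alone is routine.
    """
    window = timedelta(days=window_days)
    findings = []
    for sp in principals:
        mail_roles = MAIL_ROLES & set(sp.get("grantedAppRoles", []))
        if not mail_roles:
            continue
        creds = recent_credentials(sp, now, window)
        if not creds:
            continue
        findings.append({
            "displayName": sp["displayName"],
            "appId": sp["appId"],
            "mailRoles": sorted(mail_roles),
            "newCredentials": [f"{kind}:{name}:{added.date().isoformat()}"
                               for kind, name, added in creds],
        })
    return findings


def credential_additions(audit_events: list) -> list:
    """(time, actor, target) for each 'Add service principal credentials' event.

    That is the directory audit operation that records a key or secret being
    attached to a service principal; compare the actors against expected admins.
    """
    rows = []
    for ev in audit_events:
        if ev.get("activityDisplayName") != "Add service principal credentials":
            continue
        who = (ev.get("initiatedBy") or {}).get("user") or {}
        actor = who.get("userPrincipalName", "<app or unknown>")
        targets = [t.get("displayName", "<unknown>") for t in ev.get("targetResources", [])]
        rows.append((ev["activityDateTime"], actor, ", ".join(targets)))
    return rows


NOW = datetime(2020, 12, 15, tzinfo=timezone.utc)  # constructed reference date

SAMPLE_PRINCIPALS = [  # constructed; appIds are placeholders
    {   # dormant mail-protection integration: an old cert plus a brand-new one
        "displayName": "Legacy Mail Protection Connector",
        "appId": "00000000-0000-0000-0000-000000000001",
        "grantedAppRoles": ["Mail.Read", "User.Read.All"],
        "keyCredentials": [
            {"displayName": "CN=mailprotect-2019", "type": "AsymmetricX509Cert",
             "startDateTime": "2019-03-01T00:00:00Z"},
            {"displayName": "CN=mailprotect", "type": "AsymmetricX509Cert",
             "startDateTime": "2020-12-10T09:30:00Z"},
        ],
        "passwordCredentials": [],
    },
    {   # new secret, but no mail permission: ordinary CI rotation
        "displayName": "Build Pipeline",
        "appId": "00000000-0000-0000-0000-000000000002",
        "grantedAppRoles": ["Sites.Read.All"],
        "keyCredentials": [],
        "passwordCredentials": [{"displayName": "ci-secret", "startDateTime": "2020-12-12T12:00:00Z"}],
    },
    {   # mail permission, but nothing added recently
        "displayName": "HR Sync",
        "appId": "00000000-0000-0000-0000-000000000003",
        "grantedAppRoles": ["Mail.Read"],
        "keyCredentials": [{"displayName": "CN=hrsync", "type": "AsymmetricX509Cert",
                            "startDateTime": "2018-06-01T00:00:00Z"}],
        "passwordCredentials": [],
    },
]

SAMPLE_AUDIT = [  # constructed directory audit entries
    {"activityDateTime": "2020-12-10T09:30:12Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-mailadmin@example.com"}},
     "targetResources": [{"displayName": "Legacy Mail Protection Connector"}]},
    {"activityDateTime": "2020-12-11T08:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"displayName": "someone@example.com"}]},
    {"activityDateTime": "2020-12-12T12:00:05Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "CI rotation job"}, "user": None},
     "targetResources": [{"displayName": "Build Pipeline"}]},
]

if __name__ == "__main__":
    for finding in find_suspicious_principals(SAMPLE_PRINCIPALS, NOW):
        print("REVIEW:", finding)
    for when, actor, target in credential_additions(SAMPLE_AUDIT):
        print("credential added", when, "by", actor, "on", target)
```

Run against the sample data, only the dormant mail connector is reported, because it is the one principal that both can read mail and received a credential inside the window; the CI secret rotation and the untouched HR integration are left alone. The audit view then shows who attached each credential, which is the question an investigation has to answer next.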
Malwarebytes Products Are Not Affected
Since the previous attack by the same actor involved poisoning SolarWinds’ software by injecting the Sunburst malware into some updates for the SolarWinds Orion app, Malwarebytes also performed a thorough audit of all its products and their source code, searching for any sign of a related compromise.
Fortunately for the security company, no such compromise was detected.
“Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments; our software remains safe to use,” said Kleczynski.
In an online statement, a Malwarebytes spokeswoman said, “While we were fortunate to experience a limited impact on our business, this scenario underscores the need for the industry to continue to collaborate in efforts to prevent increasingly complex nation-state attacks.”
Malwarebytes’ notice marks the fourth time a major security provider has disclosed that it was targeted by the UNC2452/Dark Halo threat actor, a group US officials have linked to a Russian government cyber-espionage operation. Unfortunately, FireEye and Microsoft were not as lucky as Malwarebytes, as reports suggest that Dark Halo’s attacks on those companies were successful. Besides security vendors, the attackers also target government agencies.
The Departments of Defense, Justice, Treasury, Commerce, and Homeland Security, as well as the National Institutes of Health, are all reported to have been affected.