Recently, various organizations in the security industry have come under attack by a nation-state actor leveraging SolarWinds software. On December 14, 2020, Malwarebytes reported the event and advised its business customers using SolarWinds to take precautionary measures.
However, the same actor has since introduced a new intrusion vector, which works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. This was confirmed by the security firm Malwarebytes, which was recently targeted using the new vector.
Fortunately, after an extensive investigation, they discovered that the attacker only gained access to a limited subset of internal company emails and there was no evidence to indicate unauthorized access or compromise of production environments.
How did this impact Malwarebytes?
On December 15, the Microsoft Security Response Center notified Malwarebytes of suspicious activity from a third-party application in the firm’s Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTP) of the same advanced threat actor involved in the SolarWinds attacks, which occurred two days earlier.
In response, Malwarebytes and Microsoft’s Detection and Response Team (DART) together performed an extensive investigation of both their cloud and on-premises environments for any activity related to the API calls that prompted the initial alert. The findings showed that the attackers leveraged a dormant email protection product within Malwarebytes’ Office 365 app, which allowed access to a limited subset of internal company emails.
The supply-chain nature of the SolarWinds attack prompted Malwarebytes to conduct a thorough investigation of all of its source code, build and delivery processes, including software reverse engineering. No evidence of unauthorized access or compromise in any on-premises or production environment was discovered, so the company’s software remains safe to use.
What we know: SolarWinds Attackers Also Target Administrative and Service Credentials
First, we know that the attackers did not rely only on the SolarWinds supply-chain attack but also used additional means to compromise high-value targets by exploiting administrative or service credentials, as highlighted by the US Cybersecurity and Infrastructure Security Agency (CISA).
Also, Azure Active Directory has a major vulnerability that essentially amounts to backdoor access via principals’ credentials to Microsoft Graph and Azure AD Graph, and third-party applications can be compromised if an attacker with sufficient administrative privilege gains access to a tenant.
In Malwarebytes’ case, the threat actor added a self-signed certificate as a credential on the service principal account; with the corresponding key, they could authenticate as that principal and make API calls to request emails via MS Graph.
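A defender-side check for the pattern just described, added here as an example and not code from Malwarebytes, Microsoft or the article: it scans constructed Azure AD audit records for credentials being added to a service principal and flags those whose app holds mail-reading Graph permissions but has been dormant. The audit-record field names follow the Microsoft Graph directoryAudits shape; the inventory dictionary, all identifiers and timestamps are invented.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: directory-audit records shaped like Microsoft Graph auditLogs/directoryAudits
# output (field names as documented; every value is invented for this example).
SAMPLE_AUDIT_JSON = """[
 {"activityDateTime": "2020-12-13T03:21:00Z", "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "globaladmin@example.test"}},
  "targetResources": [{"displayName": "MailFilter Connector", "id": "sp-mailfilter-001", "type": "ServicePrincipal"}]},
 {"activityDateTime": "2020-12-13T09:45:00Z", "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "itops@example.test"}},
  "targetResources": [{"displayName": "Ticketing Sync", "id": "sp-ticketing-002", "type": "ServicePrincipal"}]},
 {"activityDateTime": "2020-12-14T11:02:00Z", "activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "itops@example.test"}},
  "targetResources": [{"displayName": "Jane Doe", "id": "user-0001", "type": "User"}]}
]"""

# Constructed inventory (hypothetical shape): each service principal's application permissions
# and last sign-in. In a real tenant this would be pulled from the Graph API beforehand.
SAMPLE_INVENTORY = {
    "sp-mailfilter-001": {"app_roles": ["Mail.Read", "User.Read.All"], "last_signin": "2020-06-01T00:00:00Z"},
    "sp-ticketing-002": {"app_roles": ["User.Read.All"], "last_signin": "2020-12-12T08:00:00Z"},
}

# Audit activities that record a new key or secret on an app / service principal.
CREDENTIAL_EVENTS = {"Add service principal credentials",
                     "Update application – Certificates and secrets management"}
# Graph application permissions that let an app read mailboxes with no user signed in.
MAIL_ROLES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_credential_adds(audit_json, inventory, now, dormant_days=90):
    """Credential additions on mail-privileged service principals that have been dormant
    for dormant_days or more: a quiet app receiving a new key is the pattern described above."""
    cutoff = _ts(now) - timedelta(days=dormant_days)
    findings = []
    for rec in json.loads(audit_json):
        if rec["activityDisplayName"] not in CREDENTIAL_EVENTS:
            continue
        for target in rec["targetResources"]:
            info = inventory.get(target["id"]) if target["type"] == "ServicePrincipal" else None
            if not info:
                continue
            mail_roles = sorted(set(info["app_roles"]) & MAIL_ROLES)
            if mail_roles and _ts(info["last_signin"]) < cutoff:
                findings.append({"service_principal": target["id"], "app": target["displayName"],
                                 "added_by": rec["initiatedBy"]["user"]["userPrincipalName"],
                                 "when": rec["activityDateTime"], "mail_roles": mail_roles})
    return findings
```

Only the dormant connector with Mail.Read is reported; the active ticketing app that received a key the same day is not, which keeps the alert focused on the abuse pattern rather than on routine credential rotation.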
Securing Azure tenants is a challenging task for many organizations, particularly when dealing with third-party applications or resellers. This is why CrowdStrike introduced a tool to help companies identify and mitigate risks in Azure Active Directory.
Coming together as an industry
According to Malwarebytes, much has been learnt about nation-state actors in a relatively short time, but there is more yet to be discovered about this long-running and still active campaign, which has disrupted the activities of multiple high-profile targets. It is therefore crucial that security providers continue to share information that can help the security industry in times like these, especially with the surge of new and complex attacks.