SolarWinds Hacking Group Hits Malwarebytes
The SolarWinds hacking group's newest victim is Malwarebytes. What is unique is that Malwarebytes was not targeted through the SolarWinds platform. Instead of using the SolarWinds Orion network-management system, the advanced persistent threat (APT) abused applications that hold privileged access to Microsoft Office 365 and Azure environments, specifically an email-protection application.
The Microsoft Security Response Center flagged suspicious activity in December from a third-party email-security application used with Malwarebytes' Office 365 service. The activity showed up in the application's API calls. A recently released CISA report described how the hackers may have obtained initial access by password guessing or password spraying, in addition to abusing administrative or service credentials. In this instance, the hackers added a self-signed certificate, with its credentials, to the application's service-principal account. From there, they authenticated using that key and made API calls to request emails via MSGraph.
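The chain described above (a new certificate credential added to a service principal, a sign-in with that previously unseen key, then Graph calls against mailboxes) is what a defender would want to correlate in tenant logs. The following is an added example and is not code from the original article, from Malwarebytes or from Microsoft; the event schema, field names, principal names and the sample timeline are constructed assumptions standing in for the Azure AD audit log, sign-in log and Graph activity, whose real field names differ.

```python
"""Correlate 'credential added to a service principal' with later sign-ins by
that principal using a key id never seen before, and report whether the
session then touched mailbox endpoints in Microsoft Graph.

Added example. The Event schema and SAMPLE timeline are constructed for this
illustration and are not real tenant logs."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Graph paths that read mail: /me/messages, /users/{id}/messages, /users/{id}/mailFolders/...
MAIL_PATH = re.compile(r"/(me|users/[^/]+)/(messages|mailFolders)\b")


@dataclass
class Event:
    ts: datetime
    kind: str                 # "credential_added" | "sp_signin" | "graph_call"
    principal: str            # service principal the event concerns (assumed id)
    detail: dict = field(default_factory=dict)


T = datetime(2020, 12, 1)

# Constructed sample timeline (not real data).
SAMPLE = [
    # Benign: the mail-protection app signs in with its long-standing key.
    Event(T, "sp_signin", "sp-email-protection", {"key_id": "k-old", "ip": "198.51.100.10"}),
    Event(T + timedelta(minutes=1), "graph_call", "sp-email-protection",
          {"path": "/v1.0/users/alice@example.test/messages"}),
    # Attacker adds a self-signed certificate to the same principal ...
    Event(T + timedelta(hours=3), "credential_added", "sp-email-protection",
          {"cred_type": "certificate", "actor": "admin@example.test"}),
    # ... authenticates with the new key from a new address, then reads mail.
    Event(T + timedelta(hours=3, minutes=5), "sp_signin", "sp-email-protection",
          {"key_id": "k-new", "ip": "203.0.113.7"}),
    Event(T + timedelta(hours=3, minutes=6), "graph_call", "sp-email-protection",
          {"path": "/v1.0/users/ceo@example.test/messages"}),
    Event(T + timedelta(hours=3, minutes=7), "graph_call", "sp-email-protection",
          {"path": "/v1.0/users/ceo@example.test/mailFolders/inbox/messages"}),
    # Routine key rotation on another app: new key, but only a directory read.
    Event(T + timedelta(hours=5), "credential_added", "sp-inventory",
          {"cred_type": "certificate", "actor": "ops@example.test"}),
    Event(T + timedelta(hours=5, minutes=2), "sp_signin", "sp-inventory",
          {"key_id": "k-rot", "ip": "198.51.100.20"}),
    Event(T + timedelta(hours=5, minutes=3), "graph_call", "sp-inventory",
          {"path": "/v1.0/users"}),
]


def find_new_key_mail_access(events, window=timedelta(hours=24)):
    """Return one finding per (principal, new key) where a credential was added
    and, within `window`, the principal signed in with a key id not seen in any
    sign-in before the addition. Severity is 'high' if mailbox paths followed."""
    by_sp = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_sp.setdefault(e.principal, []).append(e)

    findings = []
    for sp, evs in by_sp.items():
        for i, added in enumerate(evs):
            if added.kind != "credential_added":
                continue
            # Keys this principal authenticated with before the credential was added.
            known = {e.detail.get("key_id") for e in evs[:i] if e.kind == "sp_signin"}
            for j in range(i + 1, len(evs)):
                s = evs[j]
                if s.ts - added.ts > window:
                    break
                if s.kind == "sp_signin" and s.detail.get("key_id") not in known:
                    mail = [g.detail["path"] for g in evs[j + 1:]
                            if g.kind == "graph_call" and g.ts - s.ts <= window
                            and MAIL_PATH.search(g.detail["path"])]
                    findings.append({
                        "principal": sp,
                        "credential_added_by": added.detail.get("actor"),
                        "new_key_id": s.detail.get("key_id"),
                        "signin_ip": s.detail.get("ip"),
                        "mail_paths": mail,
                        "severity": "high" if mail else "medium",
                    })
                    known.add(s.detail.get("key_id"))  # report each new key once
    return findings


if __name__ == "__main__":
    for f in find_new_key_mail_access(SAMPLE):
        print(f["severity"], f["principal"], f["new_key_id"], f["signin_ip"], len(f["mail_paths"]))
```

The point of keying on "first sign-in with a key id not seen before the credential was added", rather than on the credential-add event alone, is that legitimate rotations also add credentials; what separates the Malwarebytes case is that the new key was then used to pull mail. In a real tenant the equivalent sources are the Azure AD audit log (application credential changes), the service-principal sign-in log (key id and source address) and Graph activity, and the mapping from those records to the fields used here is an assumption the reader has to supply.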
The tactics, techniques and procedures are consistent with those used by the SolarWinds group. After a thorough investigation of all Malwarebytes source code, build and delivery processes, there was no evidence of unauthorized access or compromise, according to Malwarebytes.
The SolarWinds attacks have affected several U.S. government agencies, tech companies such as Microsoft, and many others. The attacks began with a malicious software update that delivered the Sunburst backdoor to around 18,000 organizations. The hackers then selected specific targets for further infiltration, which they carried out over the course of several months. The compromises were discovered in December.