Malwarebytes Hacked By State-Sponsored Hackers Who Breached SolarWinds

19/01/2021

Malwarebytes is an American internet security company that specializes in creating tools to protect computers, smartphones and clients from malware and other cyberthreats.

The company has now disclosed that it was breached by the same hacker group that previously compromised the IT software company SolarWinds.

However, Malwarebytes said that in its case the intrusion was not related to the SolarWinds supply chain incident, because the company does not use any SolarWinds software in its internal network.

Malwarebytes learned of the intrusion when it was notified by the Microsoft Security Response Center (MSRC) on December 15.

At that time, Microsoft was auditing its Office 365 and Azure infrastructures for signs of malicious apps created by the SolarWinds hackers, also known as UNC2452 or Dark Halo.

Once the breach was discovered, Malwarebytes worked with Microsoft’s Detection and Response Team (DART) to investigate its cloud and on-premises environments for any activity related to the API calls that triggered the initial alert.

The Malwarebytes headquarters in Santa Clara, California, U.S., taken on March 21, 2019. (Credit: Danny Chia)

After scanning all of Malwarebytes' source code, build and delivery processes, and reverse engineering its own software to check for tampering, the Microsoft and Malwarebytes team found that the hackers had leveraged a dormant email protection product within Malwarebytes' Office 365 tenant, which allowed access to a limited subset of internal company emails.

This happened even though Malwarebytes does not use Azure cloud services in its production environments.

Malwarebytes said that the alleged state-sponsored hackers breached its internal systems by exploiting an Azure Active Directory weakness and abusing malicious Office 365 apps.
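The technique described above, a dormant application in the tenant that still held mail-access permissions, is something a tenant administrator can check for. The following is an added example of that triage, not Malwarebytes' or Microsoft's code: it works on a constructed inventory of app registrations (the field names and the sample entries are assumptions, modelled loosely on what a Microsoft Graph export would contain) and flags apps that hold tenant-wide mail permissions but have not signed in recently.

```python
"""Triage Office 365 / Azure AD app registrations for dormant apps that hold
mail-access permissions (added example; inventory format is an assumption)."""
from datetime import datetime, timedelta, timezone

# Application (app-only) permissions that let a service principal read mail
# tenant-wide without any signed-in user.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All",
                    "full_access_as_app"}
DORMANT_AFTER = timedelta(days=90)  # assumption: no sign-in for 90 days = dormant
NOW = datetime(2021, 1, 19, tzinfo=timezone.utc)  # article date, used as "today"

# Constructed sample inventory, not real tenant data.
SAMPLE_APPS = [
    {"displayName": "Legacy Mail Filter", "accountEnabled": True,
     "permissions": ["Mail.Read", "User.Read.All"],
     "lastSignIn": "2020-03-02T10:00:00+00:00"},
    {"displayName": "Ticketing Sync", "accountEnabled": True,
     "permissions": ["Mail.ReadWrite"], "lastSignIn": "2020-12-14T08:30:00+00:00"},
    {"displayName": "Build Notifier", "accountEnabled": True,
     "permissions": ["User.Read"], "lastSignIn": None},
    {"displayName": "Old Backup Agent", "accountEnabled": False,
     "permissions": ["full_access_as_app"], "lastSignIn": None},
]


def triage(apps, now=NOW, dormant_after=DORMANT_AFTER):
    """Return one finding per app that holds a mail permission, with the
    recommended action; apps without mail permissions are skipped."""
    findings = []
    for app in apps:
        mail_perms = sorted(set(app["permissions"]) & MAIL_PERMISSIONS)
        if not mail_perms:
            continue
        last = app.get("lastSignIn")
        # No recorded sign-in at all counts as dormant.
        dormant = last is None or now - datetime.fromisoformat(last) > dormant_after
        if app["accountEnabled"] and dormant:
            action = "disable: enabled but unused app with mail access is an idle foothold"
        elif app["accountEnabled"]:
            action = "review: confirm owner still needs tenant-wide mail access"
        else:
            action = "remove grant: re-enabling the app would restore mail access"
        findings.append({"app": app["displayName"], "mail_permissions": mail_perms,
                         "dormant": dormant, "enabled": app["accountEnabled"],
                         "action": action})
    return findings


def run_sample():
    return triage(SAMPLE_APPS)
```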

According to an announcement by Malwarebytes co-founder and CEO Marcin Kleczynski in a blog post:

"After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments."

"Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use."

News of the hacking campaign broke when SolarWinds’ Orion network monitoring software was found to have been compromised, giving the hackers access to computer systems belonging to multiple U.S. government departments.

The alleged hackers, known collectively as APT29 or Cozy Bear, are known to be Russian and state-sponsored.

"The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals," FireEye said.

The Cybersecurity and Infrastructure Security Agency said in a summary that the threat "poses a grave risk to the federal government."

Microsoft President Brad Smith said that "this is not espionage as usual" and "while governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy."

U.S. President-elect Joe Biden pledged to make cybersecurity a key area of focus for his administration.

"A good defense isn't enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place," Biden said in a statement.

Previously, the London-based email security firm Mimecast also fell victim to this SolarWinds-related attack.