Malwarebytes CEO: Firm Targeted by SolarWinds HackersThreat Actors Accessed 'Limited Subset of Internal Company Emails'
The CEO of security firm Malwarebytes says the hackers who attacked SolarWinds also targeted his company and gained access to a "limited subset of internal company emails."
"While Malwarebytes does not use SolarWinds [hacked software], we, like many other companies, were recently targeted by the same threat actor,” Malwarebytes CEO Marcin Kleczynski notes in a blog. The hackers appear to have exploited a dormant email protection tool within the company's Office 365 system to gain access to a subset of the firm's emails, he says.
Malwarebytes was notified about the intrusion on Dec. 15, 2020, by the Microsoft Security Response Center. This was about the same time Microsoft notified security firm CrowdStrike of similar suspicious activity. The attempted intrusion against Crowdstrike was ultimately unsuccessful (see: Microsoft Warned CrowdStrike of Possible Hacking Attempt).
And while the hacking group responsible for the SolarWinds hack managed to plant a malicious backdoor in the company's Orion network monitoring platform, the Cybersecurity and Infrastructure Security Agency has warned that the hackers used other attack vectors to target additional networks.
Kleczynski notes that once Microsoft notified Malwarebytes about the incident, the company started an investigation to determine the extent of the intrusion and to ensure its security products had not been compromised by malware planted by the hacking group.
"Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software," Kleczynski says. "Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use."
The SolarWinds hack was discovered by security firm FireEye on Dec. 13, 2020, when the company found its penetration tools had been stolen.
Although about 18,000 organizations downloaded the infected SolarWinds Orion software, only a few hundred, including government agencies and technology firms, apparently were targeted for follow-on attacks.
U.S. intelligence agencies say the attack appears to be a Russian-backed espionage operation.
Microsoft announced in December 2020 that it had found malicious binaries that came from the SolarWinds attack within its infrastructure and had notified about 40 of its customers that they were likely targeted by the hackers (see: Microsoft Finds Backdoor; CISA Warns of New Attack Vectors).
After Microsoft alerted customers and Malwarebytes began its internal investigation, the company found the dormant email protection tool that the hackers had exploited, according to Tuesday's blog post.
"Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert," Kleczynski says. "The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails."
Kleczynski notes that his firm does not use the Microsoft Azure cloud platform within its production environment.
Office 365 Targeted
On Tuesday, FireEye released a report describing how the SolarWinds hackers used certain tactics and techniques to gain initial access and then move into the Office 365 environments to gain access to emails and internal calendars.
The security firm also released a free tool to help organizations determine if these techniques were used against their infrastructure (see: Free Auditing Tool Helps Detect SolarWinds Hackers' Malware).