Cybersecurity firm Malwarebytes on Tuesday revealed that it too was targeted by the hackers who breached the systems of Texas-based IT management company SolarWinds as part of a sophisticated supply chain attack.
Malwarebytes says it has not used any SolarWinds products, but its investigation revealed that the threat actor gained access to some of its systems by abusing applications with privileged access to Microsoft 365 and Azure environments.
“After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments,” said Marcin Kleczynski, CEO and co-founder of Malwarebytes.
According to Kleczynski, his company discovered the breach after being notified by Microsoft on December 15 about suspicious activity possibly conducted by the SolarWinds hackers. An investigation conducted with assistance from Microsoft revealed that the attackers abused a dormant email protection product within the company’s Microsoft 365 tenant, which gave them access to “a limited subset of internal company emails.”
Malwarebytes does not use Azure in its production environment and a thorough analysis of its source code and build and delivery processes uncovered no evidence of compromise. “Our software remains safe to use,” Kleczynski said.
FireEye on Tuesday released a detailed white paper on the techniques and tactics used by the SolarWinds hackers to target Microsoft 365 environments. The paper offers remediation guidance to targeted organizations, hardening guidance for those not impacted, as well as detection guidance.
The cybersecurity firm also released an open source tool designed to check Microsoft 365 tenants for the use of techniques associated with the SolarWinds hackers. Similar tools were also made available recently by CISA and CrowdStrike.
Earlier this month, email security company Mimecast revealed that a sophisticated threat actor had obtained a certificate provided to certain customers, and some have speculated that the incident may be related to the SolarWinds breach.
Cybersecurity researchers continue to analyze the tools and tactics used by the SolarWinds hackers. Symantec on Tuesday reported spotting yet another piece of malware used by the threat actor, namely a loader named Raindrop, which has been used for lateral movement and for deploying additional payloads.