SolarWinds Hackers Hit Malwarebytes, But Impact Limited to Internal Email

Abusing privileged access to a business application is an extremely common way to attack.

Edward Gately, Senior News Editor

January 20, 2021


The SolarWinds hackers have also targeted Malwarebytes, making it the fourth major cybersecurity firm known to have been attacked by this group.

Marcin Kleczynski, Malwarebytes’ CEO and co-founder, disclosed the breach. Microsoft, FireEye and CrowdStrike also were targeted by the SolarWinds hackers. CrowdStrike fended off the attackers.


Malwarebytes’ Marcin Kleczynski

“While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor,” Kleczynski said. “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.”

No Impact to Malwarebytes Partners

A Malwarebytes spokesperson said the breach had no impact on the company’s partners.

“We received information from the Microsoft Security Response Center on Dec. 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” Kleczynski said. “We immediately activated our incident response group and engaged Microsoft’s Detection and Response Team (DART). Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert. The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”

Malwarebytes’ software remains safe to use, he said.
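The vector Kleczynski describes, a third-party application in the Office 365 tenant that holds mailbox-level permissions and is no longer in active use, is exactly the kind of thing a tenant owner should be able to enumerate before Microsoft has to call. The script below is an added example, not Malwarebytes’ or Microsoft’s code, and it does not reproduce any detail of the actual intrusion. It triages service principals exported from Azure AD: it resolves each app role assignment to a permission name, keeps only apps that hold a mailbox-reading application permission (the Graph `Mail.*` roles and Exchange Online’s `full_access_as_app`), and flags those that are dormant or have had a credential added recently or after their last sign-in. The data shapes follow the Graph `servicePrincipal` and `appRoleAssignment` objects, but the tenant, ids, names, dates and the `lastSignIn` field (assumed to be joined in from the service-principal sign-in log) are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible (assumption: the audit runs
# on the day this article was published).
NOW = datetime(2021, 1, 20, tzinfo=timezone.utc)

# Application permissions (app roles) whose holder can read mailbox contents
# across the tenant without any user signing in.
MAILBOX_ROLES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All", "full_access_as_app"}

# Constructed sample data. The shapes follow Graph's servicePrincipal and
# appRoleAssignment objects; ids, names and dates are placeholders, not real tenant data.
RESOURCES = {
    "res-graph": {"appDisplayName": "Microsoft Graph",
                  "appRoles": [{"id": "role-mail-read", "value": "Mail.Read"},
                               {"id": "role-user-read", "value": "User.Read.All"}]},
    "res-exo": {"appDisplayName": "Office 365 Exchange Online",
                "appRoles": [{"id": "role-full-access", "value": "full_access_as_app"}]},
}

SERVICE_PRINCIPALS = [
    {   # dormant mail-protection integration that quietly gained a new certificate
        "id": "sp-mailfilter", "displayName": "Legacy Mail Protection Connector",
        "appRoleAssignments": [{"resourceId": "res-exo", "appRoleId": "role-full-access"}],
        "keyCredentials": [
            {"displayName": "CN=mailfilter", "startDateTime": "2019-03-01T00:00:00Z"},
            {"displayName": "CN=mailfilter", "startDateTime": "2020-12-10T00:00:00Z"},
        ],
        "passwordCredentials": [],
        "lastSignIn": "2020-06-30T00:00:00Z",   # assumed: joined in from the SP sign-in log
    },
    {   # active app with no mailbox permission: outside the scope of this check
        "id": "sp-hr", "displayName": "HR Directory Sync",
        "appRoleAssignments": [{"resourceId": "res-graph", "appRoleId": "role-user-read"}],
        "keyCredentials": [],
        "passwordCredentials": [{"displayName": "prod", "startDateTime": "2020-11-01T00:00:00Z"}],
        "lastSignIn": "2021-01-19T00:00:00Z",
    },
    {   # active, legitimately mail-reading app: worth listing, but no dormancy signal
        "id": "sp-backup", "displayName": "Mailbox Backup",
        "appRoleAssignments": [{"resourceId": "res-graph", "appRoleId": "role-mail-read"}],
        "keyCredentials": [],
        "passwordCredentials": [{"displayName": "backup", "startDateTime": "2020-01-15T00:00:00Z"}],
        "lastSignIn": "2021-01-18T00:00:00Z",
    },
]


def _ts(value):
    """Parse a Graph ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def resolve_permissions(sp, resources):
    """Map the app role ids granted to an SP onto permission names such as Mail.Read."""
    names = set()
    for grant in sp.get("appRoleAssignments", []):
        for role in resources.get(grant["resourceId"], {}).get("appRoles", []):
            if role["id"] == grant["appRoleId"]:
                names.add(role["value"])
    return names


def triage(sps, resources, now=NOW, dormant_after=timedelta(days=90),
           recent_cred=timedelta(days=60)):
    """Return one finding per SP that holds a mailbox-reading permission, most urgent first.

    severity "high": the app is dormant, or a credential was added recently or after
    its last sign-in (an attacker who adds a key to a forgotten app will produce the
    latter even though the sign-in log then looks active again). Otherwise "review".
    """
    findings = []
    for sp in sps:
        mail_perms = resolve_permissions(sp, resources) & MAILBOX_ROLES
        if not mail_perms:
            continue
        reasons = ["holds " + ", ".join(sorted(mail_perms))]
        last = _ts(sp["lastSignIn"]) if sp.get("lastSignIn") else None
        dormant = last is None or now - last > dormant_after
        if dormant:
            reasons.append("never signed in" if last is None
                           else f"no sign-in for {(now - last).days} days")
        suspect_creds = []
        for cred in sp.get("keyCredentials", []) + sp.get("passwordCredentials", []):
            added = _ts(cred["startDateTime"])
            if (last is not None and added > last) or now - added <= recent_cred:
                suspect_creds.append(cred)
                reasons.append(f"credential '{cred['displayName']}' added {added.date()}")
        severity = "high" if dormant or suspect_creds else "review"
        findings.append({"id": sp["id"], "displayName": sp["displayName"],
                         "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: (f["severity"] != "high", f["displayName"]))
    return findings


if __name__ == "__main__":
    for f in triage(SERVICE_PRINCIPALS, RESOURCES):
        print(f"[{f['severity']}] {f['displayName']} ({f['id']}): " + "; ".join(f["reasons"]))
```

Run as-is, the sample yields a high-severity finding for the dormant connector (no sign-in for 204 days, certificate added 2020-12-10) and a plain review entry for the active backup app; the HR sync app never appears because it holds no mailbox permission. Against a real tenant the same logic applies to `Get-MgServicePrincipal` output joined with `Get-MgServicePrincipalAppRoleAssignment` and the service-principal sign-in log, and the right follow-up for a high finding is to pull the audit log for who added the credential and then revoke it.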

More to Uncover

Randy Watkins is Critical Start’s CTO.


Critical Start’s Randy Watkins

“From the report, Malwarebytes took appropriate and timely action after being notified of potentially malicious activity,” he said. “This attack validates what many inside the community have been saying since the discovery of the SolarWinds breach. We’re just starting to uncover the true scope. Cybersecurity providers, including ourselves, have begun to reassess their internal security measures to ensure the ability to quickly detect and respond to malicious behavior.”

Piyush Pandey is Appsian’s CEO. He said abusing privileged access to a business application is an extremely common way to attack.


Appsian’s Piyush Pandey

“Many organizations leverage Microsoft Office 365 and Azure Active Directory,” he said. “And if an attacker identifies a vulnerability, the volume of attacks is likely to ramp up dramatically. This is why we recommend taking a defense-in-depth approach to securing business application data. This would include dynamic authorization to ensure privileged access could not be granted from a hostile country, reauthenticating users if they request access to sensitive data, applying data masking as much as possible at the UI level, and having granular visibility into data access and usage.”

Unfortunately, legacy business applications can’t do this out of the box, Pandey said. Therefore, organizations need supplemental solutions.

“IT and security leaders must take a hard look at their business applications and research a defense-in-depth strategy,” he said. “Otherwise, a data breach or data compromise is inevitable.”


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
