As if our industry needed yet another demonstration of just how advanced the threat actor behind the SolarWinds attack really was, we now have evidence of yet another compromise from that same actor. This time it’s with a company I personally like: Malwarebytes. The company reported in a recent blog post that they had suffered a security breach recently involving their Microsoft Office 365 tenant and Azure environments. According to the post, the in mid-December Microsoft Security Response Center informed Malwarebytes of suspicious activity originating from a third-party app installed in their Microsoft Office 365 tenant. The activity was consistent with the tactics, techniques, and procedures of those discovered after the SolarWinds compromise back in December. Malwarebytes involved Microsoft’s Detection and Response Team (DART) and began to investigate the activity immediately. Their investigations found that the attackers had leveraged a “dormant email protection product,” which then granted the attackers access to a subset of internal company emails.
It seems the attackers may have gained access to the application within the Microsoft Office 365 tenant by potentially abusing a known flaw in Office 365, or by using password spraying techniques (or simply guessing a password to an account with sufficient privileges). At the time of this show, initial entry methods were not confirmed. However the attackers gained access, they made themselves at home by then adding a self-signed certificate by using the credentials of the service principal account. They then began authenticating to the account using a key and started making API calls to request emails via the MSGraph service. It’s this last step that led to their being caught. The company was also quick to point out that they did not use their Azure environment as their production environment.
Given that the SolarWinds attack was a supply chain attack, Malwarebytes states that they immediately started doing code reviews of their products. They also checked build and delivery processes and even went as far as to reverse engineer their own software to check previous builds. The company maintains that they found absolutely no evidence of unauthorized access to any on-premises or production environments, and fully believes their software remains safe to use. Given the scope of the known attack, I’m likely to agree with that assessment. Just remember, Engineers: trust, but verify.
Near the end of the post they did mention that many other organizations can help avoid this fate by using a tool from CrowdStrike called the CrowdStrike Reporting Tool for Azure (CRT) that helps companies identify risks in their Azure Active Directory environment and mitigate them. Engineers can also use the Cybersecurity and Infrastructure Security Agency’s Sparrow PowerShell script to hunt for evil in Microsoft Azure and Microsoft Office 365 environments.
From the looks of things, I believe we will see more findings in the coming months from different companies that learn they’re compromised. Like we have always said in this industry: it is not a matter of if, but when.