The state-backed group behind the SolarWinds Solorigate/Sunburst supply chain attack also hit Malwarebytes during its December 2020 intrusion spree, gaining access by abusing an application with privileged access to the firm’s Microsoft Office 365 and Azure environments.
The group, dubbed UNC2452 by FireEye, also compromised FireEye itself – the initial incident that led investigators to the SolarWinds compromise – and a number of other tech firms. Its compromise of Malwarebytes, however, was not carried out via SolarWinds, as the two firms have no relationship and Malwarebytes does not use SolarWinds software.
In a message disclosing the incident, Malwarebytes CEO Marcin Kleczynski said that there was no doubt the company was attacked by the same gang.
“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” he wrote.
“After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorised access or compromise in any of our internal on-premises and production environments.”
Malwarebytes first learned of the intrusion on 15 December 2020, when Microsoft’s Security Response Centre alerted it to suspicious activity, consistent with the tactics, techniques and procedures (TTPs) of UNC2452, originating from a third-party application within its Microsoft Office 365 tenant.
At that point, it activated its own incident response procedures and engaged Microsoft to help investigate its cloud and on-premises environments for activity related to the application programming interface (API) calls that triggered the alert.
The investigators found that UNC2452 had leveraged a dormant email protection product within the Office 365 tenant, which gave it access to a “limited subset” of internal emails. Malwarebytes does not use Azure cloud services in its production environments.
UNC2452 is known to use means besides Solorigate/Sunburst to compromise high-value targets, leveraging admin or service credentials. In this case, the technique relied on an Azure Active Directory privilege escalation path first publicly documented in 2019: an actor with the rights to assign credentials to an application can then authenticate as that application and inherit its permissions in Microsoft Graph and Azure AD Graph, creating a backdoor into the tenant. If the attacker holds sufficient admin rights to do this, they gain persistent access to the tenant.
In Malwarebytes’ case, the group appears to have obtained initial access through password guessing or spraying, in addition to exploiting admin or service credentials. It then added a self-signed certificate as a credential on the service principal account, authenticated using the corresponding private key, and made API calls to request emails via the Microsoft Graph (MSGraph) API.
Kleczynski said that considering the supply chain nature of the SolarWinds attack, and out of caution, it also combed through its own source code, build and delivery process, and reverse engineered its own software, but found no evidence that the group had accessed or compromised it in any customer environments, either cloud-based or on-premises.
“While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets,” wrote Kleczynski.
“It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation state actors.
“We would like to thank the security community – particularly FireEye, CrowdStrike, and Microsoft – for sharing so many details regarding this attack. In an already difficult year, security practitioners and incident responders responded to the call of duty and worked throughout the holiday season, including our own dedicated employees.
“The security industry is full of exceptional people who are tirelessly defending others, and today it is strikingly evident just how essential our work is moving forward.”
Meanwhile, FireEye has released additional information on UNC2452’s TTPs for exploiting Office 365 tenants, along with a whitepaper detailing remediation and hardening strategies that customers can download from FireEye.
Its Mandiant unit has also released an auditing script, Azure AD Investigator, available from its GitHub repository, which lets Office 365 administrators examine their tenants for indicators of compromise (IoCs).
The script flags artefacts that may need further review to determine whether they are malicious. Many of UNC2452’s TTPs are also used by legitimate tools in day-to-day administration, so correlating any activity found against known and authorised activity is essential.