In what appears to be an early ripple effect of the recent, successful supply chain attacks, cybersecurity software firm Malwarebytes Inc. has confirmed it was breached by the same nation-state actors responsible for the SolarWinds attack.
Perhaps the most haunting characteristic of the recent Russian hacking campaign, first identified in December 2020, is its insidious use of supply chain attacks: a single successful compromise that leads to the breach of potentially thousands of associated targets. Beyond their initial access, the threat actors went to work sifting through their targets' networks in search of valuable and sensitive intelligence that could be leveraged to their advantage. Today, cybersecurity researchers are urging organizations of all sizes to remain vigilant, as the supply chain attacks are likely to continue.
Malwarebytes attributes the attack to the same nation-state threat actors connected to the SolarWinds attack. Interestingly, Malwarebytes does not use SolarWinds products; as noted, it is not so much the software that sets these attacks apart as the supply chain attack methodology that makes them unique and incredibly destructive.
In its latest blog post outlining the incident, Malwarebytes addresses the impact of an intrusion vector that abuses applications with privileged access to Microsoft Office 365 and Azure environments. Following a detailed investigation, Malwarebytes is confident that the attackers gained access only to a very limited subset of internal company emails, and states there were no indicators of compromise in any on-premises internal systems or production environments.
Initial Discovery and Common Elements
The intrusion was not initially discovered by Malwarebytes itself but by the Microsoft Security Response team. On December 15th, 2020, suspicious activity was identified on a third-party application in Malwarebytes' Microsoft Office 365 tenant. To their horror, the tactics, techniques and procedures (TTPs) were consistent with those of the same threat actors responsible for the supply chain attacks against SolarWinds.
Analysts of the SolarWinds attacks have since recognized that the SolarWinds vulnerability was not the only method the hackers used to breach networks across the globe. Cybersecurity firm Symantec has identified a fourth form of malware, named Raindrop, following Sunburst, SunSpot and Teardrop, that was not delivered through the SolarWinds attacks. While its method of delivery is still unknown, the important message is the need to scan for other related strains of malware, as is the case with the supply chain attack attempts on Malwarebytes.
A newly released CISA report speculates that threat actors may have acquired initial access to Malwarebytes through password spraying in addition to exploiting administrative or service credentials. In this particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. This gave them the ability to authenticate using the key and send API calls requesting emails through MSGraph.
Regardless of the method of delivery, the supply chain attacks have three components in common: compromising or evading federated identity solutions; using forged authentication to move laterally into Microsoft cloud environments; and finally, exploiting administrative credentials to obtain privileged access to a victim's cloud environment and establish stealthy persistence mechanisms for API-based access.
In other words, these supply chain attacks do not rely on specific vulnerabilities that can be patched; rather, they rely on an initial attack that positions the threat actor to control Microsoft Office 365 and Azure in a manner that appears completely authentic.
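The persistence technique described above, a new credential attached to a service principal that can then pull mail through MSGraph, leaves a record in the Azure AD audit log. The following is an added example, not code from the original post or from Malwarebytes, that flags credential additions to applications holding mailbox-reading Graph permissions; the audit records and permission map are constructed sample data, and the activity names are assumed to match Azure AD's audit-log display names.

```python
# Audit-log activity names that record a credential being attached to an app or
# service principal (assumed to match Azure AD's display names; verify in your tenant).
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# Microsoft Graph application permissions that allow reading mailboxes.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}

# Constructed sample records shaped like Azure AD audit-log entries (not real data).
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2020-12-14T03:12:09Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.test"}},
     "targetResources": [{"id": "sp-1111", "displayName": "Mail Archiver"}]},
    {"activityDateTime": "2020-12-14T09:30:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"id": "sp-2222", "displayName": "Build Bot"}]},
    {"activityDateTime": "2020-12-14T10:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"id": "u-3333", "displayName": "Some User"}]},
]
# Constructed map of service principal id -> granted Graph application permissions,
# as you would export from the tenant's app role assignments.
SAMPLE_APP_PERMISSIONS = {
    "sp-1111": {"Mail.Read", "User.Read.All"},
    "sp-2222": {"Sites.Read.All"},
}

def find_credential_adds_on_mail_apps(records, app_permissions):
    """Return one alert per credential added to an app that can read mail."""
    alerts = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_OPS:
            continue
        init = rec.get("initiatedBy", {})
        actor = init.get("user") or init.get("app") or {}
        actor = actor.get("userPrincipalName") or actor.get("displayName") or "unknown"
        for target in rec.get("targetResources", []):
            risky = app_permissions.get(target["id"], set()) & MAIL_PERMISSIONS
            if risky:  # a new key on an app that can request mail via MSGraph
                alerts.append({"time": rec["activityDateTime"], "actor": actor,
                               "app": target["displayName"], "app_id": target["id"],
                               "permissions": sorted(risky)})
    return alerts

if __name__ == "__main__":
    print(find_credential_adds_on_mail_apps(SAMPLE_AUDIT_LOG, SAMPLE_APP_PERMISSIONS))
```

Each alert should be reviewed against the change-management record for that application; a credential added outside a known change window by a non-administrative account is the pattern worth escalating.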
“Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use.”
To remain protected from supply chain attacks, organizations must make sure their identity provider services are configured correctly and that network managers have complete visibility into what each system is doing. It is also critical to harden systems so that only administrative users have privileges to modify them. Finally, it is essential to monitor how tokens are used in order to identify any anomalous activity. As details of the SolarWinds attack continue to develop, repercussions will likely be identified well into the foreseeable future. If you would like to learn more about supply chain attacks, or how Packetlabs services can protect your organization, please contact us today for a services consultation.