The nation-state threat actors behind the SolarWinds hack used more than malicious software updates to breach organizations.
In a blog post Tuesday, Malwarebytes disclosed it was targeted by the same threat actors with one major difference: Malwarebytes is not a SolarWinds customer. The antimalware vendor was breached through another vector that is separate from the supply chain attack revealed in December.
"We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure Environments," Malwarebytes CEO Marcin Kleczynski wrote in the blog post.
SearchSecurity asked Malwarebytes to expand on what those abused applications are.
"The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allows access to a limited subset of internal company emails," Kleczynski said in an email to SearchSecurity.
After an extensive investigation, Malwarebytes determined the "attacker only gained access to a limited subset of internal emails." According to the blog, no evidence of unauthorized access or compromise in any of their internal on-premises and production environments was found.
Initially, Malwarebytes was alerted to the intrusion on Dec. 15 by Microsoft's Security Response Center. According to the blog, the security vendor received information about suspicious activity from a third-party application in its Microsoft Office 365 tenant; the activity was consistent with the tactics, techniques and procedures (TTPs) used by the SolarWinds hackers.
"This investigation indicates the attackers exploited an Azure Active Directory weakness that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments," Kleczynski wrote.
Microsoft had previously confirmed that it was compromised in connection with the SolarWinds attack on Dec. 31, stating the discovery of one account that had been used to "view source code in a number of source code repositories." According to the blog post, the investigation "found no evidence of access to production services or customer data."
Subsequently, warnings of additional vectors, aside from the SolarWinds Orion platform used in the supply chain attack, were published. In an alert on Jan. 8, the Cybersecurity Infrastructure and Security Agency (CISA) said it detected post-compromise threat activity in Microsoft Cloud environments.
"The Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products," the alert said. "This alert addresses activity -- irrespective of the initial access vector leveraged -- that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in victim's Microsoft 365 (M365)/Azure environment."
One example of a Microsoft 365 breach occurred inside the Department of Justice (DOJ). On Jan. 6, DOJ spokesman Marc Raimondi issued a statement revealing that threat actors behind the SolarWinds attacks accessed the DOJ's Office 365 email environment.
While additional government agencies, along with tech giants and security vendors, have also been impacted by these nation-state attackers, they were all SolarWinds customers. The Malwarebytes breach represents the growing scope of the cyberespionage campaign.