Malwarebytes, the new victim of SolarWinds hackers

Executives of the cybersecurity firm Malwarebytes have disclosed that their systems were breached by the same threat group responsible for the recent SolarWinds incident. Malwarebytes does not use SolarWinds products, so the company rules out a direct link to that software supply chain compromise.

On the attack vector, the company says the intruders appear to have gained access by abusing a weakness in Azure Active Directory together with malicious Office 365 applications holding privileged access to the tenant. Malwarebytes learned of the suspicious activity from the Microsoft Security Response Center (MSRC) late last year.
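The vector described above, an application with consented privileged permissions rather than a software patch gap, is the kind of thing a tenant owner can audit. The following is an added example written for this page, not Malwarebytes' own tooling or any code from the original article: it takes an export of service principals and their application-permission assignments in the shape Microsoft Graph returns (the servicePrincipals and appRoleAssignments endpoints), resolves each appRoleId against the resource's published appRoles, and reports principals that hold mailbox-reading or directory-writing application permissions. The sample export embedded below is constructed; its GUIDs are placeholders, while the permission names (Mail.Read, full_access_as_app, Directory.ReadWrite.All and so on) are real Graph permission values. The list of which permissions count as high risk is this example's assumption.

```python
"""Audit Microsoft Graph application permissions granted to Azure AD service principals.

Added example (not from the original article or from Malwarebytes). Input is an export in
the shape Microsoft Graph returns for servicePrincipals and their appRoleAssignments.
The sample data below is constructed; GUIDs are placeholders, permission names are real.
"""
import json
from collections import defaultdict

# Application permission names (Graph appRole "value" fields) that let a third-party app
# read mailboxes or reshape the tenant. This selection is the example's own assumption.
HIGH_RISK_PERMISSIONS = {
    "Mail.Read": "read all mailboxes",
    "Mail.ReadWrite": "read and modify all mailboxes",
    "full_access_as_app": "Exchange Online full mailbox access",
    "Directory.ReadWrite.All": "write the directory",
    "RoleManagement.ReadWrite.Directory": "grant directory roles",
    "AppRoleAssignment.ReadWrite.All": "grant app permissions to any principal",
}

# Constructed sample export. IDs such as "role-0001" stand in for real GUIDs.
SAMPLE_EXPORT = json.dumps({
    # service principals that *expose* app roles (Microsoft Graph, Exchange Online)
    "resources": [
        {"id": "res-graph", "displayName": "Microsoft Graph",
         "appRoles": [
             {"id": "role-0001", "value": "Mail.Read", "allowedMemberTypes": ["Application"]},
             {"id": "role-0002", "value": "User.Read.All", "allowedMemberTypes": ["Application"]},
             {"id": "role-0003", "value": "Directory.ReadWrite.All", "allowedMemberTypes": ["Application"]},
         ]},
        {"id": "res-exo", "displayName": "Office 365 Exchange Online",
         "appRoles": [
             {"id": "role-0101", "value": "full_access_as_app", "allowedMemberTypes": ["Application"]},
         ]},
    ],
    # service principals that *hold* assignments in the tenant
    "servicePrincipals": [
        {"id": "sp-1", "displayName": "Legacy Mail Protection Connector", "accountEnabled": True,
         "appRoleAssignments": [
             {"appRoleId": "role-0001", "resourceId": "res-graph"},
             {"appRoleId": "role-0101", "resourceId": "res-exo"},
         ]},
        {"id": "sp-2", "displayName": "HR Directory Sync", "accountEnabled": True,
         "appRoleAssignments": [{"appRoleId": "role-0002", "resourceId": "res-graph"}]},
        {"id": "sp-3", "displayName": "Retired Provisioning Tool", "accountEnabled": False,
         "appRoleAssignments": [{"appRoleId": "role-0003", "resourceId": "res-graph"}]},
    ],
})


def build_role_index(resources):
    """Map (resourceId, appRoleId) -> permission name, restricted to Application roles.

    Delegated grants live in oauth2PermissionGrants and are deliberately out of scope here.
    """
    index = {}
    for res in resources:
        for role in res.get("appRoles", []):
            if "Application" in role.get("allowedMemberTypes", []):
                index[(res["id"], role["id"])] = role["value"]
    return index


def audit_app_permissions(export_json):
    """Return one finding per service principal that holds a high-risk application permission.

    Each finding: {"principal", "enabled", "permissions": [(resource, permission, why), ...]}.
    Disabled principals are reported too: a dormant app keeps its consented permissions, and
    anyone who can re-enable it or add a credential to it inherits them.
    """
    data = json.loads(export_json)
    role_index = build_role_index(data["resources"])
    resource_names = {r["id"]: r["displayName"] for r in data["resources"]}
    per_principal = defaultdict(list)
    for sp in data["servicePrincipals"]:
        for grant in sp.get("appRoleAssignments", []):
            perm = role_index.get((grant["resourceId"], grant["appRoleId"]))
            if perm in HIGH_RISK_PERMISSIONS:
                resource = resource_names.get(grant["resourceId"], grant["resourceId"])
                per_principal[sp["id"]].append((resource, perm, HIGH_RISK_PERMISSIONS[perm]))
    return [
        {"principal": sp["displayName"],
         "enabled": sp.get("accountEnabled", True),
         "permissions": sorted(per_principal[sp["id"]])}
        for sp in data["servicePrincipals"] if sp["id"] in per_principal
    ]


if __name__ == "__main__":
    for finding in audit_app_permissions(SAMPLE_EXPORT):
        state = "enabled" if finding["enabled"] else "DISABLED"
        print(f"{finding['principal']} ({state}):")
        for resource, perm, why in finding["permissions"]:
            print(f"  {resource}: {perm}  ({why})")
```

Against the constructed export the audit flags the mail connector (mailbox read via two resources) and the disabled provisioning tool (directory write), and ignores the sync app that only reads users. In a real tenant the same logic runs over the Graph export, and each flagged principal then needs a second question the data alone cannot answer: who added its credentials, and when.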

Other reports indicated that, at the time, Microsoft was auditing Office 365 and Azure environments for malicious activity tied to the SolarWinds attackers, tracked as Dark Halo or UNC2452.

Malwarebytes’ security team began an investigation immediately after detecting the intrusion: “After extensive research, we determined that threat actors accessed only a limited subset of our employees’ email addresses,” said CEO Marcin Kleczynski.


The main concern for Malwarebytes was that the attackers might have planted the Sunburst malware in its systems, which would have given them a backdoor. The company's researchers therefore focused their audit on indicators of compromise matching the earlier supply chain attack: “Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments,” Kleczynski said.

Malwarebytes thus becomes the fourth security company known to have been targeted by Dark Halo, a group widely attributed to the Russian government, although that attribution remains unconfirmed. Microsoft, CrowdStrike and FireEye have also been targets of this group.