Security and antivirus firm Malwarebytes says it was hit by the same state-backed threat actor behind the SolarWinds supply-chain breach, the campaign Microsoft tracks as Solorigate. Since its disclosure last year, the breach has been tied to organizations that ran the SolarWinds Orion platform, including Nvidia, Microsoft, and US government agencies.
In an official blog post, Malwarebytes points out that it does not use SolarWinds software. The company was instead breached through a different intrusion vector: the attackers abused applications that held privileged access to its Microsoft 365 and Azure environments, two services Malwarebytes does use. The Orion backdoor itself was not involved; what links the incidents is the threat actor and its tradecraft.
Attackers were able to access “a limited subset of internal company emails”, but no production systems were affected.
Malwarebytes worked directly with the Microsoft Detection and Response Team (DART) to investigate the attack, says CEO Marcin Kleczynski:
“Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert. The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails.”
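The pattern Malwarebytes describes, an application (service principal) that still holds application-level permissions on Office 365 mail and carries credentials an attacker can use or add to, is something a tenant administrator can inventory. The script below is an added example written for this article, not Malwarebytes', Microsoft's or CISA's code. It consumes the JSON shapes Microsoft Graph returns for /servicePrincipals (with passwordCredentials and keyCredentials) and /servicePrincipals/{id}/appRoleAssignments, resolves each assignment GUID to a permission name through the resource application's appRoles list, and flags service principals that hold mailbox application permissions, noting whether they have valid credentials and whether any credential was added recently. The tenant snapshot embedded in it is constructed: the object ids such as sp-graph, the display names, the role GUIDs and the dates are placeholders, and only the two appIds for Microsoft Graph and Exchange Online are real, well-known values. All function and constant names are the example's own.

```python
"""Inventory Azure AD service principals that hold application-level mailbox
permissions and report on their credentials. Added example for this article, not
Malwarebytes', Microsoft's or CISA's code; the tenant data below is constructed."""
import json
from datetime import datetime, timedelta, timezone

# Well-known, tenant-independent appIds of the resource apps that expose mail roles.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
# Application permissions (appRole values) that read mail with no signed-in user.
MAILBOX_APP_ROLES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All",
                     "full_access_as_app"}

def parse_graph_time(value):
    """Graph emits ISO-8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def build_role_index(service_principals):
    """Map (resource SP objectId, appRoleId) -> role value such as 'Mail.Read'.
    An appRoleAssignment carries only the GUID; the resource SP's appRoles names it."""
    index = {}
    for sp in service_principals:
        for role in sp.get("appRoles", []):
            index[(sp["id"], role["id"])] = role["value"]
    return index

def credential_status(sp, now, recent_days):
    """Classify each secret/certificate as valid now and/or added within recent_days."""
    creds = []
    for kind in ("passwordCredentials", "keyCredentials"):
        for cred in sp.get(kind, []):
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            creds.append({"valid": start <= now < end,
                          "recent": now - start <= timedelta(days=recent_days)})
    return creds

def find_mailbox_privileged_apps(service_principals, assignments_by_sp,
                                 now, recent_days=30):
    """One finding per SP holding a mailbox app role, highest-risk first."""
    role_index = build_role_index(service_principals)
    findings = []
    for sp in service_principals:
        roles = set()
        for a in assignments_by_sp.get(sp["id"], []):
            value = role_index.get((a["resourceId"], a["appRoleId"]))
            if value in MAILBOX_APP_ROLES:
                roles.add(value)
        if not roles:
            continue
        creds = credential_status(sp, now, recent_days)
        findings.append({
            "displayName": sp["displayName"], "appId": sp["appId"],
            "accountEnabled": sp.get("accountEnabled", True),
            "roles": sorted(roles),
            "valid_credentials": sum(1 for c in creds if c["valid"]),
            "recently_added_credentials":
                sum(1 for c in creds if c["valid"] and c["recent"]),
        })
    # Recently added live credentials on a mail-privileged app rank highest.
    findings.sort(key=lambda f: (f["recently_added_credentials"],
                                 f["valid_credentials"]), reverse=True)
    return findings

# Constructed tenant snapshot: object ids, names, role GUIDs and dates are placeholders.
NOW = datetime(2021, 1, 20, tzinfo=timezone.utc)
ROLE_MAIL_READ = "11111111-0000-0000-0000-000000000001"
ROLE_USER_READ_ALL = "11111111-0000-0000-0000-000000000002"
ROLE_FULL_ACCESS = "22222222-0000-0000-0000-000000000001"
SERVICE_PRINCIPALS = [
    {"id": "sp-graph", "appId": MS_GRAPH_APP_ID, "displayName": "Microsoft Graph",
     "appRoles": [{"id": ROLE_MAIL_READ, "value": "Mail.Read"},
                  {"id": ROLE_USER_READ_ALL, "value": "User.Read.All"}]},
    {"id": "sp-exo", "appId": EXCHANGE_ONLINE_APP_ID, "displayName": "Exchange Online",
     "appRoles": [{"id": ROLE_FULL_ACCESS, "value": "full_access_as_app"}]},
    # Dormant email-protection integration: expired cert plus a secret added 3 days ago.
    {"id": "sp-mailprot", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "displayName": "Contoso Mail Protection (legacy)", "accountEnabled": True,
     "keyCredentials": [{"startDateTime": "2018-03-01T00:00:00Z",
                         "endDateTime": "2020-03-01T00:00:00Z"}],
     "passwordCredentials": [{"startDateTime": "2021-01-17T09:12:00Z",
                              "endDateTime": "2023-01-17T09:12:00Z"}]},
    {"id": "sp-helpdesk", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
     "displayName": "Helpdesk Dashboard", "accountEnabled": True,
     "passwordCredentials": [{"startDateTime": "2020-06-01T00:00:00Z",
                              "endDateTime": "2022-06-01T00:00:00Z"}]},
    {"id": "sp-backup", "appId": "aaaaaaaa-0000-0000-0000-000000000003",
     "displayName": "Legacy Mailbox Backup", "accountEnabled": False,
     "keyCredentials": [{"startDateTime": "2019-01-01T00:00:00Z",
                         "endDateTime": "2020-01-01T00:00:00Z"}]},
]
APP_ROLE_ASSIGNMENTS = {  # keyed by the assigned service principal's objectId
    "sp-mailprot": [{"resourceId": "sp-graph", "appRoleId": ROLE_MAIL_READ},
                    {"resourceId": "sp-exo", "appRoleId": ROLE_FULL_ACCESS}],
    "sp-helpdesk": [{"resourceId": "sp-graph", "appRoleId": ROLE_USER_READ_ALL}],
    "sp-backup": [{"resourceId": "sp-graph", "appRoleId": ROLE_MAIL_READ}],
}

if __name__ == "__main__":
    for finding in find_mailbox_privileged_apps(SERVICE_PRINCIPALS, APP_ROLE_ASSIGNMENTS, NOW):
        print(json.dumps(finding))
```

Against a real tenant, export the two collections from Graph and pass them in; the first finding in the constructed run, a legacy mail-protection app with full_access_as_app and a client secret added days before the snapshot, is exactly the shape of the foothold Malwarebytes describes and is what to escalate. The script only covers application permissions: delegated consent grants (oauth2PermissionGrants) and the tenant's sign-in and unified audit logs are separate checks.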
Moving forward, Malwarebytes says it is sharing its findings and indicators with other security firms, in the hope that Solorigate-style intrusions become easier to detect and respond to.
Earlier this month, the U.S. Department of Justice confirmed that its Microsoft 365 email environment was breached as part of the SolarWinds campaign. According to the department, about 3% of its Office 365 mailboxes were potentially accessed, and it has found no indication that any classified systems were affected.
The Microsoft 365 intrusions at Malwarebytes and the DoJ are the attackers' follow-on activity, not the delivery mechanism: the Solorigate backdoor itself reached victims through trojanized updates to SolarWinds Orion. Russia-attributed threat actors used avsvmcloud.com as the command-and-control domain the backdoor called home to. The poisoned update was downloaded by up to 18,000 SolarWinds Orion customers, many of them major corporations and government departments.
Last month, Microsoft President Brad Smith said the attack creates “serious technological vulnerability for the United States and the world”.
Also in December, the Cybersecurity and Infrastructure Security Agency (CISA) released Sparrow, a PowerShell tool that helps Microsoft 365 customers check their Azure and Microsoft 365 tenants for signs of the compromise, such as suspicious sign-ins, changes to application and service principal credentials, and domain federation settings. Microsoft had by then confirmed that stolen Azure/Microsoft 365 credentials and access tokens were part of the intrusions.