Anti-malware software company Malwarebytes is itself a victim of the SolarWinds attack, the company announced this week.
In a blog, CEO Marcin Kleczynski said the company has evidence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.
Attackers gained access to a limited subset of internal company emails, but further investigation turned up no evidence of unauthorized access or compromise in any of the company’s internal on-premises and production environments.
Today, I disclosed publicly that @Malwarebytes had been targeted by the same nation state actor that attacked SolarWinds. This attack is much broader than SolarWinds and I expect more companies will come forward soon.
— Marcin Kleczynski (@mkleczynski) January 19, 2021
I should have linked to the actual blog post. My apologies everyone. More details here: https://t.co/RudTCa5UCt
— Marcin Kleczynski (@mkleczynski) January 19, 2021
According to Kleczynski, the company was notified by Microsoft on Dec. 15 about suspicious activity from a third-party application in its Microsoft Office 365 tenant that resembled activity known to be associated with the group behind the SolarWinds compromise.
Attackers were able to compromise a March 2020 update of the SolarWinds Orion IT management platform that essentially gave the group – believed to be backed by the Russian government – access to nearly 18,000 customer networks.
High-profile government agencies and technology companies have reported evidence of a further breach by the same group.
Along with Microsoft security personnel, Malwarebytes investigated its cloud and on-premises environments for activity and found that attackers leveraged a dormant email protection product within its Office 365 tenant that allowed access to some internal company emails.
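The dormant-app pattern described above is something a tenant administrator can look for directly. The following is an added defender-side audit, not code from Malwarebytes or Microsoft: it assumes you have already exported each service principal's granted mailbox permissions and its sign-in history into a simplified JSON (the embedded sample is constructed, and its field names are this example's own, not the exact Microsoft Graph schema), and it flags apps with mailbox access that are unused or that suddenly woke up after a long silence.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: service principals in an Office 365 / Azure AD tenant,
# the Graph application permissions granted to each, and their sign-in timestamps.
SAMPLE_APPS = json.dumps([
    {"appDisplayName": "Legacy Mail Protection",
     "appId": "11111111-aaaa-4aaa-8aaa-111111111111",
     "permissions": ["Mail.Read", "Mail.ReadWrite", "User.Read.All"],
     "signIns": ["2020-02-20T10:00:00Z", "2020-03-02T10:00:00Z", "2020-12-12T03:14:00Z"]},
    {"appDisplayName": "Helpdesk Ticketing",
     "appId": "22222222-bbbb-4bbb-8bbb-222222222222",
     "permissions": ["User.Read"],
     "signIns": ["2020-06-01T09:30:00Z", "2020-12-14T09:30:00Z"]},
    {"appDisplayName": "Archive Connector",
     "appId": "33333333-cccc-4ccc-8ccc-333333333333",
     "permissions": ["Mail.Read"],
     "signIns": ["2020-12-13T22:45:00Z", "2020-12-14T22:45:00Z"]},
    {"appDisplayName": "Old Migration Tool",
     "appId": "44444444-dddd-4ddd-8ddd-444444444444",
     "permissions": ["Mail.ReadWrite"],
     "signIns": []},
])

# Application permissions that give an app tenant-wide access to mailboxes.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "full_access_as_app"}

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def audit_mail_apps(export_json, now, dormant_days=90):
    """Flag mailbox-privileged apps that are unused (candidates for removal) or that
    resumed signing in after a long gap (candidates for investigation)."""
    gap = timedelta(days=dormant_days)
    findings = []
    for app in json.loads(export_json):
        scopes = MAIL_SCOPES & set(app["permissions"])
        if not scopes:
            continue  # no mailbox access: outside this audit's scope
        times = sorted(parse_ts(t) for t in app["signIns"])
        if not times or now - times[-1] > gap:
            status = "dormant"       # still holds mail access but nobody uses it
        elif len(times) >= 2 and times[-1] - times[-2] > gap:
            status = "reactivated"   # silent for months, then signed in again
        else:
            continue
        findings.append({"app": app["appDisplayName"], "appId": app["appId"],
                         "status": status, "scopes": sorted(scopes),
                         "lastSignIn": times[-1].isoformat() if times else None})
    return findings

if __name__ == "__main__":
    now = datetime(2020, 12, 15, tzinfo=timezone.utc)
    for f in audit_mail_apps(SAMPLE_APPS, now):
        print(f"{f['status']:12} {f['app']} ({', '.join(f['scopes'])}) last sign-in {f['lastSignIn']}")
```

Dormant findings are the ones to remove or at least strip of mailbox permissions; reactivated findings deserve a look at which credential signed in and from where.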
Fearing the company’s products were being leveraged by the attackers, the company investigated its source code, build and delivery processes and even reverse engineered its own software, but found no evidence of compromise.
“Our software remains safe,” Kleczynski wrote.
He also describes how the threat actors obtain initial access by password guessing or password spraying, in addition to exploiting administrative or service credentials.
Part of his post speaks to a larger concern among cybersecurity experts: that what we have learned so far about this attack is just the tip of the iceberg.
“It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation state actors,” Kleczynski wrote.