UPDATED 20:56 EDT / JANUARY 19 2021


Internal emails stolen in hack targeting cybersecurity company Malwarebytes

Cybersecurity software firm Malwarebytes Inc. has been hacked and internal emails stolen.

The hack, revealed today, is being attributed to the nation-state actor implicated in the SolarWinds Worldwide LLC breach, though Malwarebytes noted that it doesn’t use SolarWinds products itself. The intrusion vector involved attackers abusing applications with privileged access to Microsoft Office 365 and Azure environments.

The emails stolen are described only as a “limited subset of internal company emails,” with no evidence of unauthorized access to or compromise of any of the company’s internal on-premises or production environments.

The hack wasn’t initially detected by Malwarebytes but by the Microsoft Security Response Center. It informed the company Dec. 15 of suspicious activity in its Office 365 tenant consistent with the tactics, techniques and procedures of the APT that targeted SolarWinds. An extensive investigation was launched, and the hackers were found to have leveraged a dormant email protection product within Malwarebytes’ Office 365 tenant.

The attack method that targeted Malwarebytes was referenced in a U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency alert titled “detecting post-compromise threat activity in Microsoft cloud environments” published Jan. 8. CISA specifically mentioned that it has seen an APT actor using compromised applications on a victim’s Microsoft 365/Azure environment. The APT used additional credentials and application programming interface access to cloud resources of private and public organizations.

The attacks have three components: compromising or bypassing federated identity solutions, using forged authentication to move laterally into Microsoft cloud environments, and using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for API-based access.
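The third component, API-based persistence through an application that already holds privileged access, is exactly the kind of activity a tenant’s Azure AD audit log records. The following added example (not code from Malwarebytes, Microsoft or CISA) triages constructed audit records using a simplified field layout: it flags new credentials added to an application, raises the severity when that application has been dormant for months, and flags grants of tenant-wide mailbox permissions. The `activity` values are the `activityDisplayName` strings Azure AD writes; all record contents, account names and timestamps are constructed.

```python
"""Triage of Azure AD audit-log records for the persistence pattern described in the article:
credentials added to an existing (possibly dormant) application, or tenant-wide mailbox
permissions granted to it. Records below are constructed and use a simplified field layout."""
from datetime import datetime, timedelta

# activityDisplayName values as written by Azure AD audit logs
CREDENTIAL_EVENTS = {"Add service principal credentials",
                     "Update application – Certificates and secrets management"}
ROLE_EVENTS = {"Add app role assignment to service principal"}
# Graph/Exchange application permissions that give API access to every mailbox in the tenant
HIGH_RISK_ROLES = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

def triage(events, last_signin, now, dormant_days=90):
    """Return findings as (app, severity, reason) tuples.
    last_signin: app name -> datetime of the app's most recent sign-in, or None if never."""
    findings = []
    for ev in events:
        app = ev["target"]
        seen = last_signin.get(app)
        dormant = seen is None or now - seen > timedelta(days=dormant_days)
        if ev["activity"] in CREDENTIAL_EVENTS:
            # A new secret or certificate on an app nobody has used in months is the
            # low-noise persistence path: no user logon, just API calls with app credentials.
            sev = "high" if dormant else "medium"
            findings.append((app, sev, f"credential added by {ev['actor']}"
                             + (" to dormant app" if dormant else "")))
        elif ev["activity"] in ROLE_EVENTS:
            risky = set(ev.get("roles", [])) & HIGH_RISK_ROLES
            if risky:
                findings.append((app, "high",
                                 f"mailbox-wide role {sorted(risky)} granted by {ev['actor']}"))
    return findings

NOW = datetime(2020, 12, 15, 9, 0)  # constructed reference time
SAMPLE_EVENTS = [  # constructed records, not from any real tenant
    {"activity": "Add service principal credentials", "target": "legacy-mail-filter",
     "actor": "svc-admin@example.test"},
    {"activity": "Add app role assignment to service principal", "target": "legacy-mail-filter",
     "actor": "svc-admin@example.test", "roles": ["Mail.Read"]},
    {"activity": "Add service principal credentials", "target": "ci-pipeline",
     "actor": "devops@example.test"},
    {"activity": "Update user", "target": "jdoe@example.test", "actor": "helpdesk@example.test"},
]
SAMPLE_LAST_SIGNIN = {"legacy-mail-filter": datetime(2020, 3, 1),  # idle for months
                      "ci-pipeline": NOW - timedelta(hours=2)}

if __name__ == "__main__":
    for app, sev, reason in triage(SAMPLE_EVENTS, SAMPLE_LAST_SIGNIN, NOW):
        print(f"[{sev.upper()}] {app}: {reason}")
```

In a real tenant the sign-in data comes from the service principal sign-in logs, and the `ci-pipeline` case shows why the dormancy check matters: routine secret rotation on an active app is medium-priority noise, while the same event on an idle app is the signal.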

“While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets,” noted Malwarebytes co-founder and Chief Executive Officer Marcin Kleczynski. “It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation-state actors.”

Image: Malwarebytes
