Another Data Breach – SolarWinds Hackers Hit Malwarebytes!

Malwarebytes is the latest victim of the SolarWinds attackers, following FireEye, Microsoft, and CrowdStrike. On Tuesday, Malwarebytes said its data had been breached by the same group behind the SolarWinds attack, even though, unlike the other companies targeted by that group, Malwarebytes does not use any SolarWinds software.

The company also said that instead of going through the SolarWinds management software, the attackers used a different initial-access vector: abusing applications with privileged access to Microsoft Office 365 and Azure environments.

Ami Luttwak, CTO and co-founder of Wiz, said: “This SolarWinds backdoor attack is now turning out to be the most complicated and wide-spreading cyberattack we have ever seen in our lives. The hackers are able to compromise multiple companies as a backdoor and use multiple tools and attack methods. This attack is now not about SolarWinds only.”

What Happened to Malwarebytes?


On 15 December, the Microsoft security team reported suspicious activity from a third-party email-security application used by Malwarebytes. The activity was visible in API calls; Malwarebytes and Microsoft then launched an extensive investigation, with the following results.

According to the CISA report, the attackers may have gained initial access through password spraying or password guessing, in place of exploiting administrative or otherwise authorized credentials. Malwarebytes, however, says the attackers added a signed certificate with credentials to an administrative account. From there, they authenticated and made API calls requesting emails through MSGraph.

These tactics, techniques, and procedures turned out to match those of the SolarWinds APT, used here for espionage. The intrusion affected some internal company emails, but Malwarebytes found no evidence of unauthorized access to, or compromise of, its internal or production environment. The company added that it does not use Azure cloud services in its production environments.

A review of the Malwarebytes source code likewise found no sign of unauthorized access or compromise.

FireEye, for its part, published details of the techniques the hackers used when compromising organizations. They are listed below:

  • Stealing the AD FS token-signing certificate and using it to forge tokens for arbitrary users.
  • Modifying or adding trusted domains in Azure AD to add a new identity provider (IdP) that the attacker controls.
  • Creating a backdoor in Microsoft 365 by adding a new application.
  • Compromising the credentials of on-premises user accounts that are synchronized to Microsoft 365 and hold high-privilege directory roles.

FireEye also released an auditing script, Azure AD Investigator, that helps organizations check their Microsoft 365 tenants for some of the techniques used by the SolarWinds hackers.
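As an added example (not code from this article, Malwarebytes, or FireEye's Azure AD Investigator), here is the kind of triage logic a defender can run over Azure AD audit-log records to surface the technique described above and in FireEye's list: a certificate or secret added to an application or service principal, rated higher when that app is known to hold mail-reading permissions. The audit records, app names, UPNs and the permission inventory are constructed for this example; the record shape is assumed to follow Microsoft Graph directoryAudit objects, and the activity names are the ones Azure AD audit logs emit for credential changes.

```python
import json

# Constructed sample Azure AD audit-log records, in the general shape of Microsoft
# Graph directoryAudit objects; every name, UPN and timestamp is invented.
SAMPLE_AUDIT_LOG = json.loads("""[
 {"activityDateTime": "2020-12-14T22:10:03Z",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "ga-admin@example.test"}},
  "targetResources": [{"displayName": "Mail Filter Connector", "type": "ServicePrincipal"}]},
 {"activityDateTime": "2020-12-14T22:11:40Z",
  "activityDisplayName": "Update application – Certificates and secrets management",
  "initiatedBy": {"app": {"displayName": "Provisioning Bot"}},
  "targetResources": [{"displayName": "HR Portal", "type": "Application"}]},
 {"activityDateTime": "2020-12-15T01:02:00Z",
  "activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
  "targetResources": [{"displayName": "J. Doe", "type": "User"}]}
]""")

# Audit activities that mean a secret or certificate was attached to an app.
CREDENTIAL_ACTIVITIES = {"Add service principal credentials",
                         "Update application – Certificates and secrets management"}
# Apps known (from a separate, here constructed, permissions inventory) to hold
# mail-reading Graph permissions.
MAIL_PRIVILEGED_APPS = {"Mail Filter Connector"}

def actor_of(record):
    """Return who made the change: a user UPN, or 'app:<name>' for an app actor."""
    who = record.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName", "unknown-user")
    if who.get("app"):
        return "app:" + who["app"].get("displayName", "unknown-app")
    return "unknown"

def flag_credential_additions(records, mail_privileged_apps):
    """List credential additions; those on mail-capable apps are rated high."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        for target in rec.get("targetResources", []):
            name = target.get("displayName", "")
            findings.append({"time": rec["activityDateTime"], "actor": actor_of(rec),
                             "target": name,
                             "severity": "high" if name in mail_privileged_apps else "medium"})
    return findings

if __name__ == "__main__":
    print(json.dumps(flag_credential_additions(SAMPLE_AUDIT_LOG, MAIL_PRIVILEGED_APPS), indent=1))
```

Only credential changes made by a human admin outside a change window, or on apps with mail scopes, need a closer look; the "Update user" record is ignored because it is not a credential event.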

A Malwarebytes spokesperson said this was a nation-state attack that targeted multiple organizations, including security firms, but declined to provide further information on the TTPs linking it to the SolarWinds attackers.

Why Do Hackers Target Security Firms?

Luttwak also addressed why the SolarWinds attackers targeted security companies: they just wanted to feed the beast with the power they have, and by doing so they increase their capabilities to attack other companies and gain those companies' capabilities too for further attacks. This all started as a game with the FireEye tools; now it is growing rapidly day by day and targeting several organizations.

The attackers' main gain from hitting Malwarebytes is the company's reach: each of its customers' computers runs a security agent, and the company operates a cloud portal that is authorized to execute commands directly on those computers.

Summing Up

We have learned a great deal from this attack in a short period, and much more is yet to be discovered about this wide-spreading campaign that has targeted so many high-profile security firms. It is impressive that the security firms are still sharing information to help the industry with sophisticated attacks of this kind conducted worldwide.
