Malwarebytes Affirms Other APT Attack Methods Used Besides 'Solorigate'

Security solutions company Malwarebytes affirmed on Monday that alternative methods besides tainted SolarWinds Orion software were used in the recent "Solorigate" advanced persistent threat (APT) attacks.

Malwarebytes has inside knowledge to that effect because it, too, was a victim of this APT group, which is alleged to be a nation-state actor, with Russia having been named. Malwarebytes doesn't use the SolarWinds Orion management software, which was compromised by a so-called "supply-chain" attack in which code was inserted at the build stage, an attack referred to as "Sunburst" or "Solorigate."

Instead, Malwarebytes was first notified it had a possible issue when it was contacted by the Microsoft Security Response Center about the suspicious activity of an application used with the Microsoft 365 service.

"We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks," explained Marcin Kleczynski, Malwarebytes CEO and co-founder, in the announcement.

Not Just Solorigate
The notion that the APT attackers were using other methods besides the compromised SolarWinds Orion product was explained earlier this month by the Cybersecurity and Infrastructure Security Agency (CISA). The attackers were also guessing passwords, using "password spray" methods to find weak passwords and tapping unsecured credentials -- all with an aim of getting access to Microsoft 365 and Azure services for the purpose of accessing e-mails.

CISA, and even Microsoft, had earlier suggested that the security of on-premises federation solutions with Microsoft 365 and Azure services could have been the weak point exploited by attackers to gain access to e-mail services. However, the announcement by Malwarebytes went a bit further and pointed to the 2019 research findings by Dirk-jan Mollema, a security researcher with Fox IT. Back then, Mollema had pointed to a security flaw associated with Azure Active Directory itself.

Mollema had explained that the credentialing process with applications using the Azure AD service can permit an attacker to obtain greater privileges than might be expected:

So the TL;DR is that if you compromise an Application Administrator account or the on-premise Sync Account you can read and modify directory settings, group memberships, user accounts, SharePoint sites and OneDrive files. This is done by assigning credentials to an existing service principal with these permissions and then impersonating these applications.

After reporting this Azure AD vulnerability to Microsoft, Mollema was told by the Microsoft Security Response Center that the behavior was "documented and thus not a vulnerability." It wasn't much of a response to the security issue. Mollema concluded that IT pros should check "credentials being assigned to default service principals," as well as the "credentials of applications with high privileges," as a precaution.

The announcement by Malwarebytes appears to be pointing to this method of attack, as described by Mollema. Possibly, it's the same mechanism that CISA was describing, or it's a "new" element used by the APT group.

In the attack on Malwarebytes, a "third-party application" with "sufficient administrative privileges" was used to access the Microsoft 365 e-mail of a few accounts using "a dormant email protection product within our Office 365 tenant."

Here's how Kleczynski described the attack on Malwarebytes:

In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph.
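Both the precaution Mollema recommends (review credentials assigned to default and high-privilege service principals) and the mechanism Kleczynski describes (a certificate added to a service principal, then used to call the Graph API) leave traces a tenant administrator can inventory and watch for. The script below is an added example, not code from Malwarebytes, Microsoft or Mollema: it takes a list of service principals with their granted application permissions and attached credentials, flags those that combine a credential with a mail- or directory-level permission, and cross-checks them against "Add service principal credentials" events from the Azure AD audit log. The audit record shape is a simplified approximation of the real log, the list of "high-risk" permissions is an assumption to be tuned per tenant, and all sample data is constructed.

```python
"""Inventory service principals for the credential-abuse pattern and correlate
with audit-log credential additions. Added example; sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Graph application permissions that let an app read mail or rewrite the directory.
# Assumption for this example: adjust to the tenant's own view of what is sensitive.
HIGH_RISK_APP_ROLES = {
    "Mail.Read",
    "Mail.ReadWrite",
    "Directory.ReadWrite.All",
    "Application.ReadWrite.All",
}

@dataclass(frozen=True)
class ServicePrincipal:
    display_name: str
    app_roles: frozenset         # application permissions granted via admin consent
    key_credentials: tuple       # certificate thumbprints attached to the principal
    password_credentials: tuple  # client-secret ids attached to the principal

    def has_credentials(self) -> bool:
        return bool(self.key_credentials or self.password_credentials)

def risky_principals(principals):
    """Mollema's check: principals that hold a credential AND a high-privilege
    app role, so whoever holds that key can authenticate as the application."""
    return [
        sp for sp in principals
        if sp.has_credentials() and sp.app_roles & HIGH_RISK_APP_ROLES
    ]

def credential_additions(audit_records, since):
    """(target principal, initiating actor, time) for every credential-add event
    at or after `since`. Field names follow the Azure AD audit log in simplified
    form; the records used here are constructed."""
    hits = []
    for rec in audit_records:
        if rec["activityDisplayName"] != "Add service principal credentials":
            continue
        when = datetime.fromisoformat(rec["activityDateTime"])
        if when < since:
            continue
        target = rec["targetResources"][0]["displayName"]
        # Real logs may record an app rather than a user as the initiator.
        actor = rec["initiatedBy"].get("user", {}).get("userPrincipalName", "<app>")
        hits.append((target, actor, when))
    return hits

def correlate(principals, audit_records, since):
    """Names of high-privilege principals that gained a credential within the window:
    the combination worth an analyst's attention, sorted for stable output."""
    risky = {sp.display_name for sp in risky_principals(principals)}
    return sorted({t for t, _, _ in credential_additions(audit_records, since) if t in risky})

# Constructed reference time and default 30-day lookback window.
NOW = datetime(2020, 12, 15, tzinfo=timezone.utc)
DEFAULT_SINCE = NOW - timedelta(days=30)

# Constructed sample tenant: one dormant mail-protection app that has both a
# mail permission and a certificate, one privileged app with no credential,
# and one low-privilege app with a secret.
SAMPLE_PRINCIPALS = [
    ServicePrincipal("Mail Protection Connector", frozenset({"Mail.Read"}), ("A1B2C3D4",), ()),
    ServicePrincipal("Directory Sync Tool", frozenset({"Directory.ReadWrite.All"}), (), ()),
    ServicePrincipal("Team Dashboard", frozenset({"User.Read"}), (), ("secret-01",)),
]

# Constructed audit records: one recent credential add on the dormant app, one old
# add on a low-privilege app, and one unrelated event.
SAMPLE_AUDIT = [
    {
        "activityDisplayName": "Add service principal credentials",
        "activityDateTime": "2020-12-10T03:14:00+00:00",
        "initiatedBy": {"user": {"userPrincipalName": "appadmin@example.com"}},
        "targetResources": [{"displayName": "Mail Protection Connector"}],
    },
    {
        "activityDisplayName": "Add service principal credentials",
        "activityDateTime": "2020-06-01T09:00:00+00:00",
        "initiatedBy": {"user": {"userPrincipalName": "devops@example.com"}},
        "targetResources": [{"displayName": "Team Dashboard"}],
    },
    {
        "activityDisplayName": "Update user",
        "activityDateTime": "2020-12-11T10:00:00+00:00",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
        "targetResources": [{"displayName": "someone@example.com"}],
    },
]

if __name__ == "__main__":
    for sp in risky_principals(SAMPLE_PRINCIPALS):
        print(f"high-privilege principal holding credentials: {sp.display_name}")
    for name in correlate(SAMPLE_PRINCIPALS, SAMPLE_AUDIT, DEFAULT_SINCE):
        print(f"credential added within window to privileged principal: {name}")
```

In a real tenant the principal inventory would come from the Graph `servicePrincipals` collection (with `appRoleAssignments`, `keyCredentials` and `passwordCredentials`) and the audit records from the directory audit log; the point of the example is the logic, in particular that a dormant app with a mail permission and a freshly added certificate is exactly the combination that matters, whereas a privileged app with no credential or a credentialed app with only `User.Read` does not trip the check.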

No Malwarebytes Software Compromise
The attackers did not access the e-mail used by the Malwarebytes production team, though, as "we do not use Azure cloud services in our production environments," Kleczynski explained. He added that "our software remains safe to use" since the production environment wasn't breached.

Kleczynski recommended using CrowdStrike's free tool for checking Azure AD risks. He also appealed to security companies to share more broadly what they know regarding these sophisticated APT attack methods.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
