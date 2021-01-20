

Malwarebytes: SolarWinds Hackers Read Our Emails

Malwarebytes has confirmed that the SolarWinds attackers managed to access internal emails, although via a different intrusion vector to many victims.

While many of the organizations caught up in the suspected Russian cyber-espionage campaign were compromised via a malicious SolarWinds Orion update, US government agency CISA had previously pointed to a second threat vector. This involved password guessing or spraying, and/or the exploitation of inappropriately secured admin or service credentials.

The security vendor said attackers abused applications with privileged access to Microsoft Office 365 and Azure environments.

“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” the vendor explained.

“The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”

Malwarebytes clarified that it found no evidence of unauthorized access or compromise in any of its on-premises or production environments.

The news comes as FireEye released a new report detailing the various ways the SolarWinds attackers moved laterally to the Microsoft 365 cloud after gaining an initial foothold in networks.

They include: stealing an Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users; compromising the credentials of highly privileged on-premises accounts that are synced to Microsoft 365; and modifying or adding trusted domains in Azure AD to introduce a new federated Identity Provider (IdP) under the attacker's control.

The attackers also backdoored existing Microsoft 365 apps by adding a new application or service principal credential. This enabled them to use the legitimate permissions assigned to the application, such as reading emails, FireEye said.

The security vendor has joined CrowdStrike and CISA in releasing a new tool that will help organizations spot whether their Microsoft 365 tenants have been subjected to the same techniques used by the group.
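As an added illustration (not the tool the vendors released), the following detection logic works in the same spirit: it scans constructed Azure AD audit-log records for the two changes FireEye describes, added app or service principal credentials and altered domain federation, and flags any single identity that made both. The audit activity names and the record field names are assumptions, not values from the article.

```python
from datetime import datetime, timezone

# Azure AD audit-log activity names that correspond to the two techniques above:
# adding credentials to an app/service principal, and changing domain federation.
# The exact strings are assumed (not taken from the article); check them against your tenant's export.
APP_CREDENTIAL_OPS = {"Add service principal credentials"}
FEDERATION_OPS = {"Set domain authentication", "Set federation settings on domain", "Add unverified domain"}

# Constructed sample records in a simplified audit-log shape (field names are assumed).
SAMPLE_AUDIT_LOG = [
    {"time": "2020-12-10T03:12:44Z", "activity": "Add service principal credentials",
     "actor": "svc-backup@example.test", "target": "MailProtection-App"},
    {"time": "2020-12-10T03:20:01Z", "activity": "Set federation settings on domain",
     "actor": "svc-backup@example.test", "target": "example.test"},
    {"time": "2020-12-11T09:00:00Z", "activity": "Update user",
     "actor": "helpdesk@example.test", "target": "alice@example.test"},
    {"time": "2020-12-12T14:05:30Z", "activity": "Add service principal credentials",
     "actor": "devops@example.test", "target": "CI-Deployer"},
]

def _parse_time(value):
    # Exports use ISO 8601 with a trailing Z; make it timezone-aware so comparisons work.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_suspect_events(records, since=None):
    """Return app-credential and federation changes, optionally only those at or after `since`."""
    hits = []
    for rec in records:
        activity = rec.get("activity", "")
        if activity in APP_CREDENTIAL_OPS:
            kind = "app_credential"
        elif activity in FEDERATION_OPS:
            kind = "federation"
        else:
            continue  # routine operation, not one of the tracked techniques
        when = _parse_time(rec["time"])
        if since is not None and when < since:
            continue
        hits.append({"when": when, "kind": kind, "activity": activity,
                     "actor": rec.get("actor"), "target": rec.get("target")})
    return hits

def actors_with_both_changes(hits):
    """Actors who both added app credentials and altered federation; one identity doing both is a strong review signal."""
    by_actor = {}
    for h in hits:
        by_actor.setdefault(h["actor"], set()).add(h["kind"])
    return sorted(a for a, kinds in by_actor.items() if kinds == {"app_credential", "federation"})
```

Every hit deserves review against change records, since legitimate admins also add app secrets; the combined-actor check narrows the list to the pairing the attackers relied on.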
