Malwarebytes: SolarWinds Hackers Read Our Emails
Malwarebytes has confirmed that the SolarWinds attackers managed to access internal emails, although via a different intrusion vector to many victims.
While many of the organizations caught up in the suspected Russian cyber-espionage campaign were compromised via a malicious SolarWinds Orion update, US government agency CISA had previously pointed to a second threat vector. This involved use of password guessing or spraying and/or exploiting inappropriately secured admin or service credentials.
The security vendor said attackers abused applications with privileged access to Microsoft Office 365 and Azure environments.
“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” the vendor explained.
“The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”
Malwarebytes clarified that it found no evidence of unauthorized access or compromise in any of its on-premises or production environments.
The news comes as FireEye released a new report detailing the various ways the SolarWinds attackers moved laterally to the Microsoft 365 cloud after gaining an initial foothold in networks.
They include: stealing an Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary ..