Malwarebytes is the fourth major victim of the SolarWinds breach after Microsoft, FireEye and Cisco

The intrusion was not the result of a SolarWinds compromise, but rather of a separate initial access vector that works by “abusing applications with privileged access to Microsoft Office 365 and Azure environments.” In Malwarebytes' case the abused application was a dormant email protection app that had been left in the tenant.

The fact that initial vectors beyond SolarWinds software were used adds another missing piece to the wide-ranging espionage campaign, now believed to be carried out by a threat actor named UNC2452 (or Dark Halo). The Malwarebytes Office 365 tenant was accessed using one of the TTPs published by CISA: the attacker added a self-signed certificate as a credential to a service principal and then used it to make API calls requesting mail via Microsoft Graph.

The tactics adopted by the Dark Halo actor combined as many as four techniques to move laterally from on-premises infrastructure into the Microsoft 365 cloud:

  • Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users.
  • Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls.
  • Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 and that hold highly privileged directory roles.
  • Backdoor an existing Microsoft 365 application by adding a new application credential.
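A defender-side check for the techniques listed above, as an added example that is not part of the original post and not the FireEye tool mentioned below: it scans Azure AD audit-log records and flags the ones consistent with a credential being added to an existing application or service principal, a federation trust being changed, or a privileged directory role being granted. The field names follow the shape of the Azure AD audit log export, the activity names and the PRIVILEGED_ROLES watch-list are assumptions to adapt to your tenant, and the records are constructed. AD FS token-signing certificate theft happens on-premises and leaves no trace in this log, so it is not covered here.

```python
"""Flag Azure AD audit-log events that match the Microsoft 365 lateral-movement
techniques described above.  Added example, not Malwarebytes' or FireEye's code.
Record shape (activityDisplayName, initiatedBy, targetResources, modifiedProperties)
mirrors the Azure AD audit log export; the sample records are constructed."""
import json
from typing import Dict, List

# Directory roles whose assignment should always be reviewed (assumed watch-list).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
}

# Audit activities mapped to the technique they can indicate (assumed names).
ACTIVITY_TO_TECHNIQUE = {
    "Add service principal credentials": "credential added to existing app/service principal",
    "Update application – Certificates and secrets management": "credential added to existing app/service principal",
    "Set domain authentication": "federation trust changed (possible attacker IdP)",
    "Add unverified domain": "federation trust changed (possible attacker IdP)",
}


def _actor(rec: Dict) -> str:
    """Return the user or app that initiated the event."""
    who = rec.get("initiatedBy", {})
    return (who.get("user", {}).get("userPrincipalName")
            or who.get("app", {}).get("displayName")
            or "unknown")


def _roles_granted(rec: Dict) -> set:
    """Collect role names from 'Add member to role' modifiedProperties.
    newValue is a JSON-encoded string in the export, hence json.loads."""
    roles = set()
    for target in rec.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                roles.add(json.loads(prop.get("newValue", '""')))
    return roles


def flag_suspicious(records: List[Dict]) -> List[Dict]:
    """Return one finding per record that matches a watched technique."""
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        targets = [t.get("displayName", "?") for t in rec.get("targetResources", [])]
        if activity in ACTIVITY_TO_TECHNIQUE:
            findings.append({"technique": ACTIVITY_TO_TECHNIQUE[activity],
                             "activity": activity, "actor": _actor(rec),
                             "targets": targets})
        elif activity == "Add member to role":
            hit = _roles_granted(rec) & PRIVILEGED_ROLES
            if hit:
                findings.append({"technique": "privileged directory role granted",
                                 "activity": activity, "actor": _actor(rec),
                                 "targets": targets, "roles": sorted(hit)})
    return findings


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.test"}},
     "targetResources": [{"displayName": "Mail Protection App", "type": "ServicePrincipal"}]},
    {"activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "partner.example.test", "type": "Domain"}]},
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "jdoe@example.test", "type": "User",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Update user",  # benign, must not be flagged
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
     "targetResources": [{"displayName": "jdoe@example.test", "type": "User"}]},
]

if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_RECORDS):
        print(f"[{f['technique']}] {f['activity']} by {f['actor']} -> {f['targets']}")
```

On a real tenant, feed this the JSON returned by the audit-log export (or the Graph `auditLogs/directoryAudits` endpoint) and review every finding against change tickets; a credential added to a long-dormant application, as in the Malwarebytes case, is the pattern worth escalating first.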

The Mandiant-owned firm has also released an auditing script, called Azure AD Investigator, that it said can help companies check their Microsoft 365 tenants for indicators of some of the techniques used by the SolarWinds hackers.