Malwarebytes said it was hacked by the same group who breached SolarWinds


US cybersecurity firm Malwarebytes recently joined the ever-expanding list of security companies that have been attacked by Dark Halo, the same group that targeted SolarWinds in 2020. FireEye, Microsoft, and CrowdStrike are also on the list.

Malwarebytes disclosed the incident in an emailed statement, in which it confirmed that the intrusion was carried out by “the same threat actor” that attacked the Texas-based company SolarWinds, a conclusion reached on the basis of the tactics, techniques and procedures used.

However, the security firm was keen to point out that the attack is not directly related to the SolarWinds supply-chain incident, since the company does not use any SolarWinds software in its internal network.

Instead, the hackers exploited a weakness in Azure Active Directory and a dormant email protection product within the company’s Office 365 tenant to breach its internal systems.

Malwarebytes was informed of the breach on December 15, 2020, by the Microsoft Security Response Center (MSRC), which had detected suspicious activity originating from the dormant Office 365 security software.

Microsoft was able to discover the activity because, at the time, it was auditing its Office 365 and Azure systems for signs of malicious apps built by the SolarWinds hackers, also known in the cybersecurity community as UNC2452.

Once Malwarebytes learned of the breach, it immediately swung into action and began an extensive internal investigation to determine what the hackers had accessed.

According to Marcin Kleczynski, Malwarebytes’ co-founder and current CEO, “A newly released CISA report reveals how threat actors may have obtained initial access by password guessing or password spraying in addition to exploiting administrative or service credentials.”

“In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph,” he added.

In other words, Malwarebytes determined that the attacker only gained access to a limited subset of internal company emails.
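The technique Kleczynski describes, a credential added to an existing Azure AD service principal and then used to pull mail through Microsoft Graph, leaves a trace in the tenant’s audit log. The following script is an added example, not code from Malwarebytes or Microsoft, of how a defender might flag such additions and rank them by risk: a credential added to a principal that has been dormant for months and holds mail-reading application permissions (exactly the profile of a “dormant email protection product”) is the case that deserves immediate attention. The audit records and the service-principal inventory are constructed sample data, and the JSON field names are an assumption loosely modelled on the Azure AD audit-log format rather than its exact schema; the Graph permission names (`Mail.Read` and friends) are real.

```python
"""Flag credential additions to Azure AD service principals and rank them.

Severity is raised when the target principal holds a mail-reading Graph
application permission, and raised again when it has not signed in for a
long time (a dormant principal nobody is watching).
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (one JSON object per line). Field names are
# an assumption modelled on Azure AD audit-log exports, not the exact schema.
AUDIT_LOG = """
{"activityDateTime": "2020-12-14T21:03:11Z", "operationName": "Add service principal credentials", "initiatedBy": {"user": "ops-admin@example.com"}, "targetResources": [{"id": "sp-mailfilter-01", "displayName": "LegacyMailProtection"}], "additionalDetails": {"credentialType": "AsymmetricX509Cert"}}
{"activityDateTime": "2020-12-14T21:10:42Z", "operationName": "Update service principal", "initiatedBy": {"user": "ops-admin@example.com"}, "targetResources": [{"id": "sp-ci-runner", "displayName": "BuildRunner"}], "additionalDetails": {}}
{"activityDateTime": "2020-12-15T02:17:09Z", "operationName": "Add service principal credentials", "initiatedBy": {"user": "ci-bot@example.com"}, "targetResources": [{"id": "sp-ci-runner", "displayName": "BuildRunner"}], "additionalDetails": {"credentialType": "Password"}}
"""

# Constructed inventory of the tenant's service principals: which Graph
# application permissions (app roles) each one holds and when it last signed in.
SERVICE_PRINCIPALS = {
    "sp-mailfilter-01": {"appRoles": ["Mail.Read", "User.Read.All"],
                         "lastSignIn": "2020-06-02T08:00:00Z"},
    "sp-ci-runner": {"appRoles": ["Sites.Read.All"],
                     "lastSignIn": "2020-12-14T23:59:00Z"},
}

# Graph application permissions that allow reading mailboxes tenant-wide.
MAIL_ROLES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}
# A principal that has not authenticated for this long is treated as dormant.
DORMANT_AFTER = timedelta(days=90)
CREDENTIAL_OPS = {"Add service principal credentials"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def severity_for(roles, last_sign_in, now):
    """Rank a credential addition by what the principal could do with it."""
    mail_access = bool(set(roles) & MAIL_ROLES)
    dormant = last_sign_in is None or (now - parse_ts(last_sign_in)) > DORMANT_AFTER
    if mail_access and dormant:
        return "high"
    if mail_access:
        return "medium"
    return "low"


def detect_credential_additions(log_text, inventory, now):
    """Return one finding per service principal that received a new credential."""
    findings = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        if record["operationName"] not in CREDENTIAL_OPS:
            continue
        for target in record["targetResources"]:
            sp = inventory.get(target["id"], {})
            findings.append({
                "time": record["activityDateTime"],
                "principal": target["id"],
                "displayName": target.get("displayName", ""),
                "actor": record["initiatedBy"].get("user", "unknown"),
                "credentialType": record["additionalDetails"].get("credentialType", "unknown"),
                "severity": severity_for(sp.get("appRoles", []), sp.get("lastSignIn"), now),
            })
    return findings


if __name__ == "__main__":
    # Constructed "now" so the dormancy check is reproducible offline.
    for f in detect_credential_additions(AUDIT_LOG, SERVICE_PRINCIPALS,
                                         parse_ts("2020-12-15T12:00:00Z")):
        print(f"[{f['severity'].upper():6}] {f['time']} {f['actor']} added "
              f"{f['credentialType']} to {f['principal']} ({f['displayName']})")
```

Run against the constructed data, the certificate added to `LegacyMailProtection` (no sign-in since June, `Mail.Read` granted) is reported as high severity, while the password added to the actively used build runner, which has no mail permissions, is reported as low. In a real tenant the same logic would sit on a scheduled export of the audit log and the service-principal inventory, and the high-severity case would feed an alert rather than a print statement.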

Malwarebytes Products Are Not Affected

Since the previous attack by the same actor involved poisoning SolarWinds’ software by injecting the Sunburst malware into some updates for the SolarWinds Orion platform, Malwarebytes also performed a very thorough audit of all its products and their source code, searching for any signs of a related compromise.

Fortunately for the security company, no such compromise was detected.

“Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments; our software remains safe to use,” said Kleczynski.

In an online statement, a Malwarebytes spokeswoman said, “While we were fortunate to experience a limited impact on our business, this scenario underscores the need for the industry to continue to collaborate in efforts to prevent increasingly complex nation-state attacks.”

Malwarebytes’ notice marks the fourth time a major security provider has disclosed that it was targeted by the UNC2452/Dark Halo threat actor, a group US officials have linked to a Russian government cyber-espionage operation. FireEye and Microsoft were not as lucky as Malwarebytes, as reports suggest that Dark Halo’s attacks on those companies were successful. Besides security vendors, these attackers also target government agencies.

The Departments of Defense, Justice, Treasury, Commerce, and Homeland Security, as well as the National Institutes of Health, are all reported to have been affected.
