[German]Security vendor Malwarebytes has now also announced that its Office 365 and Azure systems have been hacked by the same attacker responsible for the SolarWinds attacks. However, the attack is not via the Sunburst backdoor in the SolarWinds Orion software, but via a different malware. For example, the attackers had access to emails from Malwarebyte. Symantec also reports a new malware that uses 7-Zip to infect some victims’ systems. The same attackers are probably behind this malware.
Malwarebytes reports hack
Malwarebytes had generally reported the SolarWinds hacking operation involving over 200 victims in the US on December 14, 2020. The article generally listed the available information, which makes sense. After all, Malwarebytes also provides malware detection software. Now, about a month later, they reported, that they themselves were victims of this successful hack. Here is the core data.
- Malwarebytes was targeted by state hackers responsible for the SolarWinds operation.
- There is evidence that points to an abuse of privileged access to Microsoft Office 365 and Azure environments.
- Since Malwarebytes does not use SolarWinds Orion, the attack occurred via a different vector that allows the misuse of applications with privileged access to Microsoft Office 365 and Azure environments.
- Malwarebytes was notified by the Microsoft Security Response Center on December 15, 2020, of suspicious activity by a third-party application in the Microsoft Office 365 tenant.
- The MSRC information also stated that the activity was consistent with the tactics, techniques, and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks.
- After an extensive investigation, it is known that the attacker only gained access to a limited subset of the company’s internal emails.
- No evidence of unauthorized access or compromise was found in any of the internal Malwarebyte on-premises and production environments.
Upon notification by Microsoft’s MSRC, the Malwarebytes Incident Response Group was immediately activated and Microsoft’s Detection and Response Team (DART) was engaged. Together, the teams then conducted a comprehensive investigation of both Malwarebytes cloud and on-premises environments for activity related to the API calls that triggered the initial alert. The investigation revealed that the attackers were exploiting an inactive email protection product within the Malwarebytes Office 365 tenant. This allowed access to a limited subset of internal corporate email. Malwarebytes notes that it does not use Azure cloud services in its production environments.
Bleeping Computer reported, that the hacker used a self-signed certificate with credentials to the Microsoft Graph service principal account to access the emails.
Malwarebyte production systems not affected
Given the supply chain nature of the SolarWinds attack, an immediate investigation was conducted into all Malwarebytes source code and build and deployment processes. This included reverse engineering of their own software. All internal Malwarebytes systems showed no signs of unauthorized access or compromise across all on-premises and production environments. The vendor states that MalwareBytes software is still safe to use.
Whether there’s anything more to come will have to wait and see. Malwarebytes seems to have gotten away with a ‘black eye’. Further details can be found in the Malwarebytes announcement.
Attackers disguise dropper via 7-Zip
Symantec security researchers describe in this blog post that they have uncovered an additional piece of malware. This was used in the SolarWinds attacks and deployed against a select number of victims of interest to the attackers.
Symantec calls the malware Raindrop (Backdoor.Raindrop), which is a loader that delivers a Cobalt Strike payload. Raindrop is very similar to the previously documented Teardrop tool, but there are some important differences between the two.
- While Teardrop was delivered by the original Sunburst backdoor (Backdoor.Sunburst), Raindrop appears to have been used to spread on the victim’s network.
- Symantec has not yet found any evidence that Raindrop was spread directly from Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.
One victim had SunBurst installed via the SolarWinds Orion update in early July 2020. This has been extensively documented; in the victim’s case, two computers were compromised in this way. Teardrop was then installed on one of these computers the following day. On this system, analysis then revealed that an Active Directory query tool was installed, as well as a credential dumper specifically designed for SolarWinds Orion databases. The credential dumper was similar to the open source Solarflare tool.
Eleven days later, a copy of the previously undetected Raindrop malware was installed under the name bproxy.dll on a system of the SolarWinds attack victim on which no malicious activity had been observed before. This computer was running computer access and management software. The attackers could have used this software to access any of the computers in the compromised organization..
An hour later, the Raindrop malware installed an additional file called “7z.dll.” Symantec security researchers were unable to retrieve this file (it had probably already been deleted). But within a few hours, they write, a legitimate version of 7zip was used to extract what appeared to be a copy of Directory Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool that can be used to query Active Directory servers and retrieve data, typically passwords, keys or password hashes.
An additional tool called mc_store.exe was later installed on this computer by the attackers. The tool is an unknown application packed with PyInstaller. No other activity was observed on this computer.
Timeline of the SunBurst attack, Source: Symantec
Symantec has published the above graphic showing the timeline of the attack on the victim’s system. The blog post describes other scenarios of attacks on additional victims. What is new is that another malware, compressed via 7-Zip and thus possibly cloaked, was used.
Since December 2020, a large-scale hacking campaign has shaken the IT world, especially in the USA but also in other countries. Suspected state hackers had succeeded in infiltrating a backdoor into the SolarWinds Orion software. This SolarBurst backdoor was then delivered to 18,000 customers with a regular SolarWinds Orion software update. Orion software is used by many government agencies and businesses.
It is now known that the actors hacked more than 100 U.S. government agencies and companies via this backdoor, as well as other malware, in order to obtain information from them. The hackers were able to move undetected in the victims’ networks for months. The case came to light because the hackers pilfered security vendor FireEye’s so-called Red Team tools during a hack, and the attack caught the eye of a company employee. Subsequent articles contain more information.
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a ‘Kill Switch’ and EINSTEIN’s fail
SUNBURST malware was injected into SolarWind’s source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft’s analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
SolarWinds hack: Hacker goals; outsourcing are under investigation?
News from the SolarWinds hack; JetBrains software as a gateway?
Kaspersky: SolarWinds Sunburst backdoor resembles Russian ATP malware
SolarLeaks allegedly offers source code from Cisco, Microsoft and SolarWinds
Cookies helps to fund this blog: Cookie settings