Security researchers from cybersecurity firm Malwarebytes have confirmed that the cybercriminals responsible for the attack on SolarWinds' supply chain were able to access the company's email.
“Although Malwarebytes does not use SolarWinds software, we, like many other companies, were recently attacked by the same attacker. We can confirm the existence of another vector of attacks involving the abuse of applications with privileged access to Microsoft Office 365 and Azure environments,” said Marcin Kleczynski, CEO and co-founder of Malwarebytes.
On December 15, the company said, it received a notification from the Microsoft Security Response Center about suspicious activity by a third-party application in its Microsoft Office 365 environment, consistent with the tactics, techniques and procedures of the same actor behind the SolarWinds attacks. The investigation showed that the attackers took advantage of an Azure Active Directory vulnerability that gave them access to a limited subset of internal company email.
Given the nature of the SolarWinds supply-chain attack, and out of an abundance of caution, the team immediately conducted a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering its own software. Internal systems showed no evidence of unauthorized access or tampering in any on-premises or production environment, and the researchers said the software remains safe to use.
While investigations continue, FireEye has released a tool for auditing Microsoft 365 and Azure AD environments for the techniques the SolarWinds attackers used. The free tool, called Azure AD Investigator, is designed to help organizations determine whether any of these methods have been used against their own environments.
FireEye also released a report describing the stages of the attack:
- Stealing the Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users. This lets the attacker authenticate to a federated resource provider (such as Microsoft 365) as any user, without entering a password or passing multi-factor authentication.
- Modifying the trusted domains in Azure AD to add a new federated identity provider (IdP) that is controlled by the attacker.
- Compromising the credentials of on-premises user accounts that are synchronized to Microsoft 365 and hold high privileges.
- Hijacking an existing Microsoft 365 application by adding rogue credentials to it, in order to use the application's legitimate permissions, such as reading email, sending email on behalf of any user, accessing users' calendars, and more.
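As an added example, not code from Malwarebytes or FireEye, the check below scans Azure AD audit-log records (in the Microsoft Graph directoryAudit shape) for the activities that correspond to the federation-change and credential-injection stages listed above and reports any not made by an approved change identity. The sample records are constructed, and the activityDisplayName strings used as signatures are assumptions to confirm against your own tenant's logs.

```python
import json

# Azure AD audit activities that correspond to the stages listed above.
# These activityDisplayName strings are assumptions to confirm in your tenant.
SIGNATURES = {
    "Set federation settings on domain": "federated IdP added or changed on a trusted domain",
    "Set domain authentication": "domain authentication type changed (e.g. managed to federated)",
    "Add service principal credentials": "credential added to a service principal",
    "Update application – Certificates and secrets management": "credential added to an application",
}

# Constructed sample records, one JSON object per line (not real tenant data).
SAMPLE_LOG = """
{"activityDateTime": "2020-12-15T09:12:03Z", "activityDisplayName": "Add user", "initiatedBy": {"user": {"userPrincipalName": "hr-admin@example.com"}}, "targetResources": [{"displayName": "new.hire"}]}
{"activityDateTime": "2020-12-15T09:40:51Z", "activityDisplayName": "Set federation settings on domain", "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.com"}}, "targetResources": [{"displayName": "example.com"}]}
{"activityDateTime": "2020-12-15T10:02:17Z", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"app": {"displayName": "Azure AD PowerShell"}}, "targetResources": [{"displayName": "helpdesk-mail-reader"}]}
{"activityDateTime": "2020-12-15T11:30:00Z", "activityDisplayName": "Update application – Certificates and secrets management", "initiatedBy": {"user": {"userPrincipalName": "change-mgmt@example.com"}}, "targetResources": [{"displayName": "ticketing-connector"}]}
"""


def flag_events(log_text, approved_actors=()):
    """Return (time, activity, actor, targets, reason) for every record whose
    activity matches a signature and was not made by an approved change identity."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        activity = rec.get("activityDisplayName", "")
        reason = SIGNATURES.get(activity)
        if reason is None:
            continue
        who = rec.get("initiatedBy", {})
        # Changes may be initiated by a signed-in user or by an application.
        actor = ((who.get("user") or {}).get("userPrincipalName")
                 or (who.get("app") or {}).get("displayName") or "unknown")
        if actor in approved_actors:
            continue  # expected, ticketed change; still worth periodic review
        targets = ",".join(t.get("displayName", "?") for t in rec.get("targetResources", []))
        hits.append((rec["activityDateTime"], activity, actor, targets, reason))
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOG, approved_actors={"change-mgmt@example.com"}):
        print(" | ".join(hit))
```

In a real tenant the records would come from the Graph auditLogs/directoryAudits endpoint or a SIEM export, and every hit should be matched against change tickets rather than closed on the actor name alone.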