Similarly, Microsoft recently informed Mimecast that a sophisticated threat actor had compromised a Mimecast certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services, Mimecast said Jan. The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and the hackers failed in their attempt to read the company’s email since CrowdStrike doesn’t use Office 365 email, according to Sentonas. 15 by Microsoft’s Threat Intelligence Center, which had identified a reseller’s Microsoft Azure account making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago, CrowdStrike CTO Michael Sentonas disclosed Dec. Like Malwarebytes, Sunnyvale, Calif.-based endpoint security rival CrowdStrike was contacted on Dec. “We have not identified any vulnerabilities in our products or cloud services.” “Our ongoing investigation of recent attacks has found this advanced and sophisticated threat actor had several techniques in their toolkit,” Microsoft spokesman Jeff Jones told CRN in a statement. In September 2019, Mollema found that the vulnerability still existed and essentially provided backdoor access to principals’ credentials in Microsoft Graph and Azure Active Directory Graph, Kleczynski said. Kleczynski noted that security researcher Dirk-jan Mollema had two years ago exposed a flaw in Azure Active Directory where one could escalate privileges by assigning credentials to applications. “Third-party applications can be abused if an attacker with sufficient administrative privilege gains access to a tenant.” “The adversary did not only rely on the SolarWinds supply-chain attack but indeed used additional means to compromise high-value targets by exploiting administrative or service credentials,” Kleczynski wrote. From there, Kleczynski said hackers can authenticate using the key and make API calls to request emails via Microsoft Graph. In the Malwarebytes situation, Kleczynski said the threat actor added a self-signed certificate with credentials to the service principal account. Malwarebytes doesn’t use Azure cloud services in its production environments, he said. The Malwarebytes compromise confirms the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments, according to Kleczynski.
MALWAREBYTES AZURE OFFICECIMPANUZDNET SOFTWARE
The company’s internal systems show no evidence of unauthorized access or compromise in any on-premises and production environments, and Malwarebytes’ software remains safe to use, according to Kleczynski. Kleczynski said Malwarebytes immediately performed a thorough investigation of all its source code, build and delivery processes, including reverse engineering the company’s own software. “The investigation indicates the attackers leveraged a dormant email production product within our Office 365 tenant that allowed access to a limited subset of internal company emails,” Kleczynski wrote in the blog post.
MALWAREBYTES AZURE OFFICECIMPANUZDNET CODE
Malwarebytes doesn’t itself use the SolarWinds Orion network monitoring tool that hackers for months injected malicious code into. Malwarebytes’ incident response group and Microsoft’s Detection and Response Team joined forces to perform an extensive investigation of both Malwarebytes’ cloud and on-premises environments for any activity related to the API calls that trigged the initial alert, Kleczynski said. The suspicious activity was consistent with the tactics, techniques of procedures of the hacker behind the SolarWinds attack. 15 from the Microsoft Security Response Center about suspicious activity from a third-party application in its Office 365 tenant, Malwarebytes CEO Marcin Kleczynski wrote in a blog post Tuesday.
The Santa Clara, Calif.-based endpoint security vendor said it received information Dec. The Russian hackers behind the massive SolarWinds attack gained access to a limited subset of Malwarebytes’ internal company emails stored in Microsoft Office 365.
0 kommentar(er)
