Malwarebytes targeted by UNC2452.
Malwarebytes disclosed on Tuesday that it had been targeted by the same nation-state actor responsible for the Solorigate (SolarWinds) cyberespionage campaign, although the breach appears to have been limited to a subset of internal company emails:
"While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.
"We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks.
"We immediately activated our incident response group and engaged Microsoft’s Detection and Response Team (DART). Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert. The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.
"Considering the supply chain nature of the SolarWinds attack, and in an abundance of caution, we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software. Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use."
The incident further underlines that SolarWinds was not the only avenue of attack used by this threat actor: the vector Malwarebytes describes is a third-party application holding privileged access to its Office 365 tenant, which requires no SolarWinds product at all. ZDNet notes that Malwarebytes is the fourth security vendor known to have been targeted in this campaign (the others being FireEye, Microsoft, and CrowdStrike). FireEye, which tracks the Solorigate threat actor as "UNC2452," has published a detailed white paper with guidance on defending against the adversary's tactics.
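The vector in Malwarebytes' statement, an application in the Office 365 tenant that holds privileged (application-level) mail permissions and that nobody is actively using, is something a tenant owner can enumerate. The Python below is an added example, not Malwarebytes' or Microsoft's code. It walks an export of service principals (here a constructed sample in a simplified, Graph-like shape; permission GUIDs are assumed already resolved to names, and every name, appId and timestamp is made up) and flags applications that can read or send mail and are dormant, have never signed in, or had a credential added recently. The credential-age check is a heuristic added here; the statement itself only describes the dormant application.

```python
"""
Offline audit of an Entra ID (Azure AD) service-principal export for
applications that hold app-only mailbox permissions and look dormant or
recently re-credentialed. Added example; not Malwarebytes' or Microsoft's code.
"""
from datetime import datetime, timedelta, timezone

# App-only (application) permissions that read or send mail tenant-wide.
# Microsoft Graph exports app roles as GUIDs; this example assumes they have
# already been resolved to their permission names.
MAIL_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All",
    "Mail.Send", "full_access_as_app",
}

DORMANT_AFTER_DAYS = 90      # no sign-in for this long => "dormant"
FRESH_CREDENTIAL_DAYS = 30   # credential added this recently => worth a look

# Constructed sample export. Field names loosely follow Graph's servicePrincipal,
# appRoleAssignment and keyCredential objects, flattened for readability.
# Every name, appId and timestamp is made up.
SAMPLE_SERVICE_PRINCIPALS = [
    {   # mail-reading app unused for months, with a brand-new certificate
        "displayName": "Mail Hygiene Connector (retired)",
        "appId": "11111111-1111-1111-1111-111111111111",
        "appRoles": ["Mail.Read", "Directory.Read.All"],
        "lastSignIn": "2020-06-02T09:14:00Z",
        "credentials": [
            {"type": "certificate", "added": "2019-03-10T08:00:00Z"},
            {"type": "certificate", "added": "2020-12-01T03:22:00Z"},
        ],
    },
    {   # mail-sending app in regular use with an old credential
        "displayName": "Ticketing Notifier",
        "appId": "22222222-2222-2222-2222-222222222222",
        "appRoles": ["Mail.Send"],
        "lastSignIn": "2020-12-14T17:40:00Z",
        "credentials": [{"type": "secret", "added": "2020-01-20T10:00:00Z"}],
    },
    {   # no mailbox permissions at all: out of scope for this check
        "displayName": "Intranet Dashboard",
        "appId": "33333333-3333-3333-3333-333333333333",
        "appRoles": ["User.Read.All"],
        "lastSignIn": "2020-12-15T08:05:00Z",
        "credentials": [{"type": "secret", "added": "2020-09-01T10:00:00Z"}],
    },
    {   # mail-reading app that has never signed in (lastSignIn absent)
        "displayName": "Archive Sync",
        "appId": "44444444-4444-4444-4444-444444444444",
        "appRoles": ["full_access_as_app"],
        "lastSignIn": None,
        "credentials": [],
    },
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(sp, now):
    """Return a finding for one service principal, or None if it holds no
    app-only mail permission. 'reasons' explains why it needs attention."""
    mail_perms = sorted(set(sp.get("appRoles", [])) & MAIL_PERMISSIONS)
    if not mail_perms:
        return None
    reasons = []
    last = parse_ts(sp["lastSignIn"]) if sp.get("lastSignIn") else None
    if last is None:
        reasons.append("never signed in")
    elif now - last > timedelta(days=DORMANT_AFTER_DAYS):
        reasons.append("dormant: no sign-in for %d days" % (now - last).days)
    # Heuristic added here: a fresh credential on a mail-capable app is how such
    # an app usually gets repurposed, so it is worth a second look either way.
    fresh = [c for c in sp.get("credentials", [])
             if now - parse_ts(c["added"]) <= timedelta(days=FRESH_CREDENTIAL_DAYS)]
    if fresh:
        reasons.append("%d credential(s) added in the last %d days"
                       % (len(fresh), FRESH_CREDENTIAL_DAYS))
    return {
        "displayName": sp["displayName"],
        "appId": sp["appId"],
        "mailPermissions": mail_perms,
        "reasons": reasons,
        "priority": "high" if reasons else "review",
    }


def audit(service_principals, now):
    """Assess every service principal; high-priority findings come first."""
    findings = [f for f in (assess(sp, now) for sp in service_principals) if f]
    findings.sort(key=lambda f: (f["priority"] != "high", f["displayName"]))
    return findings


if __name__ == "__main__":
    ref = parse_ts("2020-12-15T00:00:00Z")   # constructed reference date
    for f in audit(SAMPLE_SERVICE_PRINCIPALS, ref):
        print(f["priority"].upper(), f["displayName"], f["mailPermissions"],
              "; ".join(f["reasons"]) or "in active use")
```

Every mail-capable application is listed, not only the dormant ones: the "review" entries are the apps that legitimately need mailbox access and should be inventoried, while the "high" entries are candidates for removal or, at minimum, a check of who added their credentials and what they have been calling. Against a real tenant the input would come from the Graph servicePrincipal, appRoleAssignment and sign-in activity endpoints rather than the embedded sample.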