Malwarebytes Said It Was Hacked By the Same Group Who Breached SolarWinds (zdnet.com)
US cyber-security firm Malwarebytes said it was hacked by "Dark Halo," the same group which breached IT software company SolarWinds last year. ZDNet reports: Malwarebytes said its intrusion is not related to the SolarWinds supply chain incident since the company doesn't use any of SolarWinds software in its internal network. Instead, the security firm said the hackers breached its internal systems by exploiting an Azure Active Directory weakness and abusing malicious Office 365 applications. Malwarebytes said it learned of the intrusion from the Microsoft Security Response Center (MSRC) on December 15.
At the time, Microsoft was auditing its Office 365 and Azure infrastructures for signs of malicious apps created by the SolarWinds hackers, also known in cyber-security circles as UNC2452 or Dark Halo. Malwarebytes said that once it learned of the breach, it began an internal investigation to determine what hackers accessed. "After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails," said Marcin Kleczynski, Malwarebytes co-founder and current CEO.
Enable 2FA and pray (Score:2)
Office365 without 2FA is very easy to social-engineer your way into. If it isn't turned on, expect that you already have been hacked.
Re:Enable 2FA and pray (Score:4, Informative)
Definitely worth checking Sign-Ins in AAD. I see login attempts from all over the world on a regular basis. I highly recommend using Conditional Access policies.
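A defender-side check along the lines the comment above suggests, added here as an example and not part of the post: it reviews constructed Azure AD sign-in records (field names follow the Microsoft Graph signIn schema, as an assumption) and flags successful sign-ins from unexpected countries, sign-ins that no Conditional Access policy covered, and a single IP failing against many accounts.

```python
import json

# Constructed sample records (not real logs). Field names follow the Microsoft
# Graph signIn schema as an assumption; only the fields used below are kept.
SAMPLE_SIGNINS = """
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0},"conditionalAccessStatus":"success"}
{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126},"conditionalAccessStatus":"notApplied"}
{"userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126},"conditionalAccessStatus":"notApplied"}
{"userPrincipalName":"carol@example.com","ipAddress":"198.51.100.7","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126},"conditionalAccessStatus":"notApplied"}
{"userPrincipalName":"dave@example.com","ipAddress":"192.0.2.44","location":{"countryOrRegion":"BR"},"status":{"errorCode":0},"conditionalAccessStatus":"notApplied"}
{"userPrincipalName":"erin@example.com","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"status":{"errorCode":0},"conditionalAccessStatus":"success"}
"""

EXPECTED_COUNTRIES = {"US"}   # where this tenant's staff normally sign in from (assumed)
SPRAY_THRESHOLD = 3           # distinct accounts failing from one IP before we flag it

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def review_signins(records, expected=EXPECTED_COUNTRIES, threshold=SPRAY_THRESHOLD):
    """Return (findings, spray_ips); each finding is a (upn, ip, reason) tuple."""
    findings = []
    failed_users_by_ip = {}
    for r in records:
        upn, ip = r["userPrincipalName"], r["ipAddress"]
        country = r.get("location", {}).get("countryOrRegion", "??")
        ok = r.get("status", {}).get("errorCode", 0) == 0   # errorCode 0 == success
        if ok and country not in expected:
            findings.append((upn, ip, f"successful sign-in from {country}"))
        if ok and r.get("conditionalAccessStatus") == "notApplied":
            findings.append((upn, ip, "no Conditional Access policy applied"))
        if not ok:
            failed_users_by_ip.setdefault(ip, set()).add(upn)
    # One source IP failing against many distinct accounts looks like password spraying.
    spray_ips = sorted(ip for ip, users in failed_users_by_ip.items()
                       if len(users) >= threshold)
    return findings, spray_ips

if __name__ == "__main__":
    findings, spray = review_signins(parse_signins(SAMPLE_SIGNINS))
    for upn, ip, reason in findings:
        print(f"{upn} {ip}: {reason}")
    print("possible password spray from:", spray)
```

In practice the records come from an export of the tenant's sign-in logs; the allow-list and threshold are tuning knobs, and a "notApplied" hit on a successful sign-in is the gap a Conditional Access policy should close.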
Re: (Score:2)
Wondering if it's related to this:
https://threatpost.com/mimecas... [threatpost.com]
This blows my mind (Score:3)
tell it to Atlassian unless you buy a 500 man server (Score:2)
tell it to Atlassian unless you buy a 500 man server they want you on cloud
Security has 100 specializations. Ask FireEye (Score:5, Insightful)
> Are they that incapable of internal IT infrastructure? Of all people that should be able to incorporate the best security that can be implemented you would think it would be them.
Yes, MalwareBytes is self-aware enough to know that their expertise is Windows malware detection - not networking, not hardware, not enterprise storage, not databases, not IAM, not web application security, not east-west traffic monitoring, etc. They've even told me recently that they aren't that good at malware REMOVAL, just detection. By the way, they are correct about that - in my testing, their removal tools were a total failure. It's an area they want to eventually become good at.
Contrast FireEye. FireEye lost 30% of their stock value in a month by failing to recognize that their expertise, while impressive, is focused and therefore limited.
A few years ago FireEye was the number one for malware detection. Their approach was based on an appliance through which all incoming and outgoing traffic for the client would pass. Within this appliance, the FireEye software would run any potentially dangerous files such as .exe, .bat or macro-enabled Office documents in a specially instrumented virtual machine. Running them in the VM allowed the FireEye software to see exactly what the file actually does.
The FireEye appliance had a browser-based interface for security administrators like my team to see what FireEye had detected and that sort of thing. Which means the FireEye appliance was running a web site. The web site and server built into the FireEye appliance was a total shit show in terms of security. Whoever at FireEye built their UI obviously didn't have the faintest clue about web application security. So of course it got hacked. It was running as ROOT (think Administrator), which is absolutely idiotic. That's not the default for a web server under Linux - FireEye had to go out of their way and ignore or disable automatic warnings to get that level of stupid to happen.
So the bad guys could easily get root (admin) control of the OS on the FireEye appliance. The appliance that all traffic to and from the client goes through. That's about the best gift you could possibly give the bad guys, except maybe giving them Domain Admin.
FireEye stock dropped 30% when that news came out, meaning the owners lost many millions of dollars.
FireEye's mistake - thinking that just because they were industry leading experts on Windows malware that somehow made them qualified to build a secure web application. In fact they clearly knew nothing whatsoever about web application security. They clearly hadn't even taken 30 minutes to learn a little about the OWASP Top 10.
MalwareBytes isn't making the same mistake, thinking that they know everything about everything. The Azure team knows about secure vlan configuration, how to avoid ARP spoofing, etc. The Malwarebytes team knows how to detect Windows malware. MalwareBytes is wisely sticking to their core expertise by allowing others who have the appropriate expertise to handle areas that aren't MalwareBytes' core competency.
Re: (Score:2)
However, your summary failed something. They are sufficiently in the business of security to understand that basic Microsoft Azure, etc cloud is not fit for the purposes of running a security business. If you shove that to a cloud, at least use a cloud with sufficient security features and sufficient paranoia levels. I am surprised that one has not emerged yet. Let's hope that the Solar Winds Clusterf*ck (TM) leads to the emergence of one.
Re: (Score:1)
“We have this category that Equifax calls unhandled malware, [with] which traditional security approaches haven’t been very helpful. Putting in FireEye has really helped us detect this unhandled malware, then gives us the capability to take action to stay secure.” Equifax [cnmeonline.com]
Re: (Score:2)
Exchange is pretty typical for many organizations. The Office 365 offering makes it really affordable and it comes with continuous updates. Also means more attacks pointed at MS infrastructure and less at yours. Unless you write all of your own software at some point you have to trust others.
Seems that not everyone using Office 365 received these malicious Office applications, which is interesting all by itself.
Re: (Score:2)
Install Anti-Virus software (Score:2)
If only Malwarebytes was in the business of security and knew what to do to secure themselves.
Windows [insert random version moniker here] (Score:1)
The least, sorry, _most secure_ Windows ever.
What hasn't been hacked because of it, or its companion products?
Welll.... That's ironic (Score:2)
"abusing malicious Office 365 applications" (Score:1)
I always suspected Excel, Office and Teams to be malicious, and now there's proof.
Cloud more risks (Score:1)