

MALWAREBYTES SOLARWINDS OFFICECIMPANUZDNET PASSWORD

The security vendor said attackers abused applications with privileged access to Microsoft Office 365 and Azure environments. “We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” the vendor explained. “The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”

Malwarebytes clarified that it found no evidence of unauthorized access or compromise in any of its on-premises or production environments.

The news comes as FireEye released a new report detailing the various ways the SolarWinds attackers moved laterally to the Microsoft 365 cloud after gaining an initial foothold in networks. They include: stealing an Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users; compromising credentials of highly privileged on-premises accounts synced to Microsoft 365; and modifying or adding trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. The attackers also backdoored existing Microsoft 365 apps by adding a new application or service principal credential. This enabled them to use the legitimate permissions assigned to the application, such as reading emails, FireEye said.
The security vendor has joined CrowdStrike and CISA in releasing a new tool which will help organizations spot if their Microsoft 365 tenants have been subject to the same techniques used by the group.

The group, which has been dubbed UNC2452, also compromised FireEye – the initial incident that led investigators to the SolarWinds compromise – and a number of other tech firms. However, its compromise of Malwarebytes was not carried out via SolarWinds, as the two firms do not have a relationship. In a message disclosing the incident, Malwarebytes CEO Marcin Kleczynski said that there was no doubt the company was attacked by the same gang. “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” he wrote. “After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorised access or compromise in any of our internal on-premise and production environments.”

Malwarebytes first learned of suspicious activity, consistent with the tactics, techniques and procedures (TTPs) of UNC2452, from a third-party application within its Microsoft Office 365 tenant from Microsoft’s Security Response Centre on 15 December 2020. At that point, it activated its own incident response procedures and engaged assistance from Microsoft to investigate its cloud and on-premise environments for activity related to the application programming interface (API) calls that triggered the alert.

The investigators found UNC2452 exploited a dormant email protection product within its Office 365 tenant that gave it access to a “limited subset” of internal emails – note that Malwarebytes does not use Azure cloud services in its production environments. UNC2452 is known to use additional means besides Solorigate/Sunburst to compromise high-value targets, leveraging admin or service credentials. In this case, the attackers used a flaw in Azure Active Directory first exposed in 2019, which allows privilege escalation by assigning credentials to applications; the added credentials give a service principal backdoor access into Microsoft Graph and Azure AD Graph.
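The two persistence techniques the article describes (adding a credential to an existing application or service principal, and changing a domain's federation settings to point at an attacker-controlled IdP) leave records in the Azure AD audit log. The script below is an added example, not code from the article, Malwarebytes or FireEye: it scans a constructed set of audit records, flags those activity names, and marks a credential addition as especially suspicious when the target application has been dormant. The activity display names and record fields are assumed to follow Azure AD audit-log naming; the sample events and sign-in dates are made up.

```python
# Added example (not from the article): flag Azure AD audit events matching the
# Microsoft 365 persistence techniques described above. Sample data is constructed.
import json
from datetime import datetime, timedelta

# activityDisplayName values assumed to follow Azure AD audit-log naming.
SUSPECT_ACTIVITIES = {
    "Add service principal credentials": "credential added to service principal",
    "Set domain authentication": "domain converted to federated authentication",
    "Set federation settings on domain": "federation settings changed",
}
DORMANT_AFTER = timedelta(days=90)  # no sign-in for this long => dormant app

# Constructed sample audit records and last interactive sign-in per application.
SAMPLE_AUDIT = [
    {"activityDateTime": "2020-12-14T03:12:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "svc-sync@example.com",
     "targetResources": [{"displayName": "Mail Protection Connector"}]},
    {"activityDateTime": "2020-12-14T03:20:00Z",
     "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": "svc-sync@example.com",
     "targetResources": [{"displayName": "example.com"}]},
    {"activityDateTime": "2020-12-14T09:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": "helpdesk@example.com",
     "targetResources": [{"displayName": "alice@example.com"}]},
]
LAST_SIGN_IN = {"Mail Protection Connector": "2019-08-01T00:00:00Z"}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious(events, last_sign_in):
    """Return one finding per event whose activity is in SUSPECT_ACTIVITIES.
    A credential added to an app with no sign-in for DORMANT_AFTER (or none
    at all) is marked dormant, matching the 'dormant product' pattern above."""
    findings = []
    for ev in events:
        name = ev["activityDisplayName"]
        if name not in SUSPECT_ACTIVITIES:
            continue
        target = ev["targetResources"][0]["displayName"]
        seen = last_sign_in.get(target)
        dormant = name == "Add service principal credentials" and (
            seen is None or _ts(ev["activityDateTime"]) - _ts(seen) > DORMANT_AFTER)
        findings.append({"time": ev["activityDateTime"], "actor": ev["initiatedBy"],
                         "target": target, "reason": SUSPECT_ACTIVITIES[name],
                         "dormant": dormant})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_AUDIT, LAST_SIGN_IN):
        print(json.dumps(finding))
```

In practice the records would come from the Azure AD audit log export and the sign-in dates from the sign-in log, and a hit on a dormant application should be correlated with the Graph API calls that followed.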
