Ad End 1 August 2026
Ad End 4 july 2026
ad End 17 June 2026
ad End 25 July 2026
banner Expire 27 September 2026
adv exp at 20 April 2026
banner Expire 25 July 2025
Ads end 31 October 2026
What's new
Ad expires at 9 July 2026
Ads end 31 October 2026
Wizard's shop 2.0
RonalClub cc shop
Patrick Stash
Luki Crown
best shop
best shop

File_closed07

TRUSTED VERIFIED SELLER
Staff member
Joined
Jun 13, 2020
Messages
8,081
Reaction score
1,053
Points
212
Awards
2
  • trusted user
  • Rich User
Malwarebytes has confirmed that the SolarWinds attackers managed to access internal emails, although via a different intrusion vector to many victims.

While many of the organizations caught up in the suspected Russian cyber-espionage campaign were compromised via a malicious SolarWinds Orion update, US government agency CISA had previously pointed to a second threat vector. This involved use of password guessing or spraying and/or exploiting inappropriately secured admin or service credentials.

The security vendor said attackers abused applications with privileged access to Microsoft Office 365 and Azure environments.

“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” the vendor explained.

“The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”

Malwarebytes clarified that it found no evidence of unauthorized access or compromise in any of its on-premises or production environments.

The news comes as FireEye released a new report detailing the various ways the SolarWinds attackers moved laterally to the Microsoft 365 cloud after gaining an initial foothold in networks.

They include: stealing an Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users, compromising credentials of highly privileged on-premises accounts synced to Microsoft 365 and modifying/adding trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls.

The attackers also backdoored existing Microsoft 365 apps by adding a new application or service principal credential. This enabled them to use the legitimate permissions assigned to the application, such as reading emails, FireEye said.

The security vendor has joined CrowdStrike and CISA in releasing a new tool which will help organizations spot if their Microsoft 365 tenants have been subject to the same techniques used by the group.
 
Ad End 1 November 2024
Top