Malwarebytes Hack – Dark Halo Strikes Again

Malwarebytes is the fourth cybersecurity vendor hacked by the “Dark Halo” hacker group, the same group behind the attacks on SolarWinds, FireEye and Crowdstrike.

What makes these attacks so interesting is how the group uses different attack strategies for each company they target. The attack on Malwarebytes is a completely different attack, not related to the supply-chain based attack on SolarWinds which caused quite a stir last year. Similar to SolarWinds, Malwarebytes reported their products were not impacted by the hack following a complete investigation into their production environments. The SolarWinds hack proved to be devastating as multiple companies and organizations became compromised, including several departments within the U.S. Government. While the scope of this attack is smaller, it remains troubling how security vendors are being specifically targeted by Dark Halo in such a myriad of different ways.

A representative from Malwarebytes said “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.

Attackers were able to gain access to internal emails and so far, there has been no evidence of unauthorized access or compromise to the Malwarebytes production environments. The hackers first breached the system by getting past authentication measures employing methods such as password spraying or password guessing in combination with using an Office 365 email protection product which was lying dormant on the system. They then exploited a flaw within Azure to escalate privileges by assigning credentials to certain applications and then, using a self-signed certificate with credentials to a service account, were then able to authenticate, request, and obtain internal emails from within the company.

Due to the limited scope of this attack, Malwarebytes was able to bring the situation under control. They recommend securing any and all Azure tenants for any company using Azure to avoid a similar attack in the future, although this could be difficult to implement due to the fact there are many third-party applications that make it challenging to enumerate such tenants.

While this coordinated attack specifically targeting security vendors is concerning, it is heartening to see the security community come together and help one another in the wake of these incidents. Malwarebytes reports that there has been a lot of open communication with the other targeted companies which allowed them to share details and develop resolutions much faster. Now more than ever, there is a dire need for people to step up to the plate and harden their defenses.

Security vendor companies are just like any other company. There is a need for organizations to begin reviewing their infrastructure, conducting more rigorous penetration tests, and reassessing the third-party risk management applications and services they’ve come to rely on to protect themselves from such savvy attackers. The attacks in the recent days just prove that no matter what company or industry, there will always be a threat of compromise and there must be a concerted effort to minimize this risk in the months to come.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at cybersecurity@schneiderdowns.com.

If you suspect or are experiencing a network incident, our Incident Response Team is available 24x7x365 at 1-800-993-8937.

Want more cybersecurity content? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, for the latest insight and news in the cybersecurity world.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Special Alert: Microsoft Releases Critical Update for Exchange Server
Cybersecurity BY Jacob Craft
Building a Strong Phishing Defense
Warning Signs of a Business Email Compromise Attack
Tax Implications of Cryptocurrency Transactions
Malwarebytes Hack – Dark Halo Strikes Again
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102