Malwarebytes Hack – Dark Halo Strikes Again

Malwarebytes is the fourth cybersecurity vendor hacked by the “Dark Halo” hacker group, the same group behind the attacks on SolarWinds, FireEye and Crowdstrike.

What makes these attacks so interesting is how the group uses different attack strategies for each company they target. The attack on Malwarebytes is a completely different attack, not related to the supply-chain based attack on SolarWinds which caused quite a stir last year. Similar to SolarWinds, Malwarebytes reported their products were not impacted by the hack following a complete investigation into their production environments. The SolarWinds hack proved to be devastating as multiple companies and organizations became compromised, including several departments within the U.S. Government. While the scope of this attack is smaller, it remains troubling how security vendors are being specifically targeted by Dark Halo in such a myriad of different ways.

A representative from Malwarebytes said “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.”

Attackers were able to gain access to internal emails and so far, there has been no evidence of unauthorized access or compromise to the Malwarebytes production environments. The hackers first breached the system by getting past authentication measures employing methods such as password spraying or password guessing in combination with using an Office 365 email protection product which was lying dormant on the system. They then exploited a flaw within Azure to escalate privileges by assigning credentials to certain applications and then, using a self-signed certificate with credentials to a service account, were then able to authenticate, request, and obtain internal emails from within the company.

Due to the limited scope of this attack, Malwarebytes was able to bring the situation under control. They recommend securing any and all Azure tenants for any company using Azure to avoid a similar attack in the future, although this could be difficult to implement due to the fact there are many third-party applications that make it challenging to enumerate such tenants.

While this coordinated attack specifically targeting security vendors is concerning, it is heartening to see the security community come together and help one another in the wake of these incidents. Malwarebytes reports that there has been a lot of open communication with the other targeted companies which allowed them to share details and develop resolutions much faster. Now more than ever, there is a dire need for people to step up to the plate and harden their defenses.

Security vendor companies are just like any other company. There is a need for organizations to begin reviewing their infrastructure, conducting more rigorous penetration tests, and reassessing the third-party risk management applications and services they’ve come to rely on to protect themselves from such savvy attackers. The attacks in the recent days just prove that no matter what company or industry, there will always be a threat of compromise and there must be a concerted effort to minimize this risk in the months to come.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

If you suspect or are experiencing a network incident, our Incident Response Team is available 24x7x365 at 1-800-993-8937.

Want more cybersecurity content? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, for the latest insight and news in the cybersecurity world.