Cyber security firm themselves are lucrative targets for hackers. It is a matter of pride for them; their way of gloating that they caused a security breach at a company that itself provides safety such breaches. US-based cyber security company, Malwarebytes was attacked by the same hackers who’d initially targeted SolarWinds, an IT software company. After combatting the security breach, Malware has been very vocal about it. It has given details about the attack, which are worth studying if you are someone looking to raise cyber awareness within your organization.
How did this security breach impact Malwarebytes?
Malwarebytes has clarified that there isn’t any linkage between the original breach at SolarWinds. The security breach, as it quickly found out, came from a dormant O365 security app. Also, Malwarebytes realized it was not the only company targeted by this particular case of cyber-attack. In fact, Microsoft itself was in the process of revising the security measures of its Office 365 and Azure services, because these showed signed of an intrusion.
The intrusion operated using malicious apps created by the SolarWinds hackers, who’ve become infamous in the security world as UNC2452 or Dark Halo.
Malwarebytes originally became aware of the security breach through Microsoft’s Security Response Center (MSRC) back in December 2020. MSRC already suspected some illicit activities being carried out by taking advantage of dormant Office 365 security apps.
Soon after learning of the security breach, Malwarebytes launched a full scale internal investigation. They wanted to assess exactly how much damage the breach had caused. However, the investigation soon revealed that Dark Halo had only managed to hack into very few internal email accounts.
Taking cue from the SolarWinds breach, which had severly impacted SolarWinds supply chain products, Malwarebytes themselves performed a stringent audit of their products and source code.
“Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments,” Marcin Kleczynski, Co-Founder and CEO Malwarebytes, said.
Dark Halo Method of Attack
The group UNC2452 or Dark Halo has been pretty active. They mainly attempt to extract email communication by monitoring weekly emails and operation patterns. They only relied on malicious payload as a last resort.
Their preferred way of gaining access was to breach email accounts that had Multi-Factor Authentication by trying to bypass it altogether. They used trickery and vulnerabilities in the way email servers used user sessions to get into the system. Post-attack logs of some of the companies struck by Dark Halo show that these hackers made a request to login using authentic email IDs they’d snicked from monitoring email communication, but were able to get in without providing the OTP required by MFA.
In the case of SolarWinds security breach, Dark Halo fiddled around with Microsoft Exchange’s data handling methods to steal email IDs which it then used to gain illegal access to the mailboxes.
Why Strong Email Security Matters
By reading about these cases, it must have become apparent, you can do everything right and still fall prey to an attack. This happens not because of cracks in the way email service providers enforce security, but because they add protection layers from the data first and then move up to the application and users. Logix believes stronger, more intuitive gatekeeping is a much better practice that can stop email threats at the entry level itself. This is how our Email ATP service has been designed, and has been stopping email threats efficiently for 19+ years in the security industry. Adapt to the trends in security, and opt for stronger third-party email security solutions, to prevent security breaches.
For more resources on security, visit our blog.