Malwarebytes Finds SolarWinds Actors Accessed Parts of Its Network

By Bill Toulas / January 20, 2021

Malwarebytes was among the first high-profile firms of the long list of entities that were compromised by the SolarWinds supply chain attacks to admit it right away. As the security solutions provider explains, its internal investigation has yielded proof of abusive access to its Microsoft Office 365 and Azure environments, so there has been some compromise.

As Malwarebytes explains, however, the attacker appears to have accessed only a limited subset of internal email records. Moreover, the investigators found no evidence of access to production environments, so Malwarebytes users should still consider themselves unaffected by this.

Since over a month ago, Malwarebytes activated its incident response group and worked closely with Microsoft to mitigate potential risks. By looking deeply into API call logs and system alerts, they’ve found that someone managed to leverage a dormant email protection product within Office 365, which only had access to a limited subset of internal company emails. Also, because Azure isn’t used in Malwarebytes production environments, access to it cannot have affected software products.

Still, the company performed a thorough investigation of all source codes used, as well as the build and delivery processes. This unearthed no evidence of foul play, so Malwarebytes can confidently claim that while they were compromised, the risks for its clients are non-existent.

In the meantime, Symantec has discovered a new piece of malware that was used in the SolarWinds attacks, but only against targets who were of special interest to the threat actors. Called “Raindrop,” the malware delivered Cobalt Strike and helped the hackers move laterally in the compromised network. This malware features execution delay for obfuscation, as well as an AES and an XOR layer for two-stage payload encryption.

The fact that we’re seeing new toolset discoveries concerning the SolarWinds attacks even after over a month of vigorous investigations from multiple collaborating teams of experts tells us how complicated and extensive these attacks were. Certainly, there’s still a lot to be discovered, and it should be noted that the campaign is still considered active, so it has not been fully dealt with yet.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari