5 Security Vendors That Have Reported Cyberattacks Since December

Five cybersecurity vendors disclosed in recent weeks that hackers have attacked their internal systems, compromised their certificates or attempted to access their email accounts. Here’s a rundown of what happened when.

The Dominoes Keep Falling

An unprecedented number of cybersecurity vendors have disclosed in recent weeks that sophisticated hackers have attacked their internal systems, compromised their certificates or attempted to access their email accounts. Many of the attacks have been linked to the colossal SolarWinds campaign, where Russian hackers for months injected malicious code into the SolarWinds Orion network monitoring tool.

“This attack is much broader than SolarWinds, and I expect more companies will come forward soon,” Malwarebytes CEO Marcin Kleczynski wrote on Twitter Tuesday.

Microsoft was a common vector in many of the intrusions, with hackers attempting to hack one cybersecurity vendor through a Microsoft’s reseller Azure account to read the vendor’s Office 365 emails. Hackers gained access to internal company emails stored in Microsoft Office 365 for a second vendor and compromised a certificate used to authenticate several of a third vendor’s tools to Microsoft 365.

Here’s a rundown of how threat actors attempted to compromise five security vendors over the past seven weeks and what damage they were able to inflict.

CrowdStrike

The Russian hackers behind the massive SolarWinds attack attempted to hack CrowdStrike through a Microsoft reseller’s Azure account but were ultimately unsuccessful, CrowdStrike said.

The Sunnyvale, Calif.-based endpoint security giant said it was contacted on Dec. 15 by Microsoft’s Threat Intelligence Center, which had identified a reseller’s Microsoft Azure account making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago, CrowdStrike Chief Technology Officer Michael Sentonas wrote in a blog post Dec. 23.

The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and Sentonas said the hackers attempted to read the company’s email. That attempt was unsuccessful, Sentonas said, adding that CrowdStrike’s findings were confirmed by Microsoft. As part of CrowdStrike’s secure IT architecture, Sentonas said the company doesn’t use Office 365 email.

FireEye

FireEye blew the lid off what would become the SolarWinds hacking campaign Dec. 8 when the company said it was breached in an attack designed to gain information on some of the company’s government customers. The attacker was able to access some of FireEye’s internal systems but apparently didn’t exfiltrate data from the company’s primary systems that store customer information, the company said.

The threat actor, however, stole FireEye’s Red Team security assessment tools, and FireEye said it isn’t sure if the attacker plans to use the stolen tools itself or publicly disclose them. FireEye said the stolen Red Team tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available techniques like CobaltStrike and Metasploit.

FireEye hasn’t seen any evidence to date that any attacker had used the Red Team tools stolen from the Milpitas, Calif.-based threat intelligence vendor. Nonetheless, FireEye said it developed and publicly released more than 300 countermeasures so that its customers and the broader security community can protect themselves against these tools.

Malwarebytes

The Russian hackers behind the colossal SolarWinds attack gained access to a limited subset of Malwarebytes’ internal company emails stored in Microsoft Office 365.

The Santa Clara, Calif.-based endpoint security vendor said it received information Dec. 15 from the Microsoft Security Response Center about suspicious activity from a third-party application in its Office 365 tenant, Malwarebytes CEO Kleczynski wrote in a blog post Tuesday. The suspicious activity was consistent with the tactics and techniques of procedures of the hacker behind the SolarWinds attack.

Malwarebytes’ incident response group and Microsoft’s Detection and Response Team joined forces to perform an extensive investigation of both Malwarebytes’ cloud and on-premises environments for any activity related to the API calls that trigged the initial alert, Kleczynski said. Malwarebytes doesn’t itself use the SolarWinds Orion network monitoring tool that hackers for months injected malicious code into.

Mimecast

Mimecast said Jan. 12 that a sophisticated threat actor had compromised a Mimecast-issued certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services. The compromised certificate was used to authenticate Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365, the company disclosed.

Mimecast declined to answer CRN questions about whether its breach was carried out by the same group who attacked SolarWinds. But three cybersecurity officials told Reuters Jan. 12 they suspected the hackers who compromised Mimecast were the same group that broke into SolarWinds. The Washington Post reported that the SolarWinds attack was carried out by the Russian foreign intelligence service.

Approximately 10 percent of Mimecast’s customers use the compromised connection, according to the company. Of those that do, Mimecast said current indications are that a low-single-digit number of Mimecast customers’ Microsoft 365 tenants were actually targeted. Mimecast said it has already contacted the customers with targeted Microsoft 365 tenants to remediate the issue.

SonicWall

SonicWall disclosed Friday night that highly sophisticated threat actors attacked its internal systems by exploiting a probable zero-day flaw on the company’s secure remote access products.

The Milpitas, Calif.-based platform security vendor said the compromised SMB-oriented Secure Mobile Access (SMA) 100 series product is used to provide employees and users with remote access to internal resources. SonicWall initially said its NetExtender VPN client tool was also exploited in the attack, but updated its guidance a day later to indicate NetExtender doesn’t have a zero-day vulnerability after all.

SMA 100 series administrators are advised to create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet, SonicWall said Saturday. A day earlier, SonicWall told SMA 100 series partners and customers to either use a firewall to only allow SSL-VPN connections to the SMA appliance from known/whitelisted IPs or configure whitelist access on the SMA directly itself.