Malwarebytes email breached: The importance of incident response and transparent reporting
Due to the partnership between Coalition and Malwarebytes, we were given advance notice of an attack on Malwarebytes’ Microsoft Office 365 and Azure environment. Details of the attack can be found here. Coalition would like to applaud Malwarebytes for their quick response, thorough investigation, and commitment to transparency in sharing details.
Cyber attacks are a fact of life, and this positive handling of the situation reinforces our commitments both to using Malwarebytes as our own endpoint detection & response (EDR) solution, as well as recommending their service to our policyholders.
Malwarebytes provides endpoint security products and services, including anti-malware, malware incident response, and EDR. The company disclosed an attack, perpetrated by the same Nation State Actor implicated in the recent breach of SolarWinds, in which the attacker abused access to the company’s internal email hosted on Microsoft Office 365 and Azure. As a result, the attackers gained access to a limited number of internal company emails.
Luckily this compromise does not appear to have impacted Malwarebytes’ customers, and use of their software is still recommended. However, vigilance is always required as email is both a target and avenue for cyber attacks. Coalition’s data shows that organizations using Microsoft 365 are 3.2x more likely to experience a business email compromise (BEC), and we saw a 67% increase in the frequency of BEC from 2019 to 2020.
While attacks generally increase year over year, the shift to remote work and business disruptions related to COVID-19 provided ample opportunities for attackers. These uncertain conditions created by the pandemic will continue to impact businesses for the foreseeable future.
The details
Similar to the recently-disclosed Mimecast attack, the breach of Malwarebytes' internal email resulted from an attack against a technology provider in their supply chain. The attackers leveraged a feature of Microsoft Azure Active Directory (Azure AD) which allows credentials (permissions) to be assigned to third-party applications.
The process allows the assignment of elevated or privileged access, such as the ability to read emails in order to integrate services like malware scanning. The attack abused this privileged access to reach Malwarebytes’ internal emails via an API designed for these service integrations. Malwarebytes was alerted to the suspicious activity by Microsoft’s Security Response Center and took action to investigate the scope of the breach and rule out possible compromise of Malwarebytes’ customer-facing software.
This attack relied on a legitimate but often-misconfigured feature of Microsoft’s Azure cloud services. Service accounts acting on behalf of users or other applications offer useful functionality, such as extracting information from emails to be used in customer relationship management systems. However, it is possible to abuse the access they provide, and in this case, it appears the attacker was able to add a self-signed certificate as a credential and thereby grant themselves elevated permissions, which allowed them to read internal email from Malwarebytes' Microsoft 365 tenant.
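The pattern described above (a new certificate or secret appearing on a service principal that already holds mail-reading application permissions) is what a defender's permission review should surface. The following is an added example, not code from Coalition, Malwarebytes or any of the tools linked later on this page; it assumes the service principal records have been exported from Microsoft Graph and that each record has been enriched with a `grantedAppRoles` list of resolved permission names, and the sample records are constructed.

```python
"""Flag Azure AD service principals that hold mail-reading application
permissions and gained a new certificate or secret within a time window."""
from datetime import datetime, timedelta, timezone

# App-only (application) permissions that allow tenant-wide mailbox reads via
# Microsoft Graph or Exchange Web Services.
MAIL_READ_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

def parse_time(value):
    """Parse the ISO-8601 timestamps Graph returns, e.g. 2021-01-05T08:21:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def flag_suspicious_principals(principals, now, window_days=30):
    """Return (displayName, reason) pairs for principals with mail-reading
    permissions whose keyCredentials or passwordCredentials started inside
    the window. Graph does not expose whether a certificate is self-signed,
    so every recently added credential on such a principal is reported."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for sp in principals:
        granted = set(sp.get("grantedAppRoles", [])) & MAIL_READ_PERMISSIONS
        if not granted:
            continue  # no mailbox access, so a new credential is lower risk
        creds = sp.get("keyCredentials", []) + sp.get("passwordCredentials", [])
        for cred in creds:
            added = parse_time(cred["startDateTime"])
            if added >= cutoff:
                kind = "certificate" if cred.get("type") == "AsymmetricX509Cert" else "secret"
                reason = f"new {kind} added {added.date()} on principal holding {sorted(granted)}"
                findings.append((sp["displayName"], reason))
    return findings

# Constructed sample export: one long-standing scanner, one that just gained a
# certificate, and one app with a new secret but no mailbox permissions.
SAMPLE_PRINCIPALS = [
    {"displayName": "Mail Scanner", "grantedAppRoles": ["Mail.Read"],
     "keyCredentials": [{"type": "AsymmetricX509Cert", "startDateTime": "2019-06-01T00:00:00Z"}]},
    {"displayName": "CRM Connector", "grantedAppRoles": ["Mail.ReadWrite", "User.Read.All"],
     "keyCredentials": [{"type": "AsymmetricX509Cert", "startDateTime": "2019-06-01T00:00:00Z"},
                        {"type": "AsymmetricX509Cert", "startDateTime": "2021-01-05T08:21:00Z"}]},
    {"displayName": "Build Pipeline", "grantedAppRoles": ["Sites.Read.All"],
     "passwordCredentials": [{"startDateTime": "2021-01-10T12:00:00Z"}]},
]

def run_sample():
    """Run the check against the constructed export as of 2021-01-20 UTC."""
    return flag_suspicious_principals(SAMPLE_PRINCIPALS, datetime(2021, 1, 20, tzinfo=timezone.utc))
```

Only the CRM Connector is reported: its second certificate was added inside the window while the principal holds Mail.ReadWrite, which is the combination worth a ticket to the owner of that integration.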
Model behavior
This attack highlights a fundamentally uncomfortable truth about modern digital business (and our increasingly digital lives, as well) — it’s not a matter of if you come under cyber attack, but when. The attack could be advanced and pernicious, like the supply chain attacks against high-value government and Fortune 500 organizations using SolarWinds, but it can also be the result of low-effort phishing or ransomware designed to ensnare the unsuspecting or ill-prepared. Since we all have weaknesses in our digital defenses, it’s critical to highlight what went right in this situation: Malwarebytes' response.
Disclosing a breach or attack can be a challenge, but ignoring the situation, or worse, trying to cover it up, is always the wrong choice. Even though it does not appear customers or customer data were affected, the proactive announcement and strong statement detailing the facts is model behavior for any company, especially one whose core mission is cybersecurity! Thorough investigation and sharing of facts is a feature of a well-run security program, not a bug. Imagine how hard it would be to place trust in a company that does not value transparency, does not own up to problems it encountered, or worse yet, tries to spin a bad situation. Coalition commends Malwarebytes for their timely and transparent communication of this attack. This is an example of the right thing to do when it comes to investigating and sharing information related to cyber attacks, and it demonstrates a serious commitment to security best practices. Malwarebytes continues to be a trusted partner to Coalition, and a valuable tool offered to our policyholders. For more details and to access your Malwarebytes discount for being a Coalition policyholder, log in to your policyholder dashboard.
Recommendations
The good news is that for most organizations, there is no follow-up action required, since Malwarebytes has indicated that neither customer data nor their customer-facing products were compromised. As part of their insurance policy, Coalition policyholders receive the benefit of our continuous scanning process, access to our scanning platform, and a proactive threat intelligence team that monitors for infection signals. We haven’t detected any policyholders affected by this attack at this time.
In the interest of learning from others’ experiences, there are lessons here. As with all recent supply chain attacks, it’s worth checking what software, tools, and vendors your organization relies on, and ensuring you have robust detection mechanisms in place to identify suspicious activity, such as Coalition’s Attack Surface Monitor (ASM). Open lines of communication to all vendors in your supply chain are crucial to facilitate the exchange of information when an attack does occur. Responding to incidents is also important, so review your policies and procedures to ensure you take incident reports seriously, deal with them quickly, and provide transparency to your business partners and customers.
For a technical deep dive on the particular Azure issues which were exploited in this attack, you can check out a presentation and blog post by security researcher Dirk-jan Mollema, as well as a blog post with suggestions for detecting compromises related to this issue by Jan Geisbauer. The US Cybersecurity & Infrastructure Security Agency (CISA) also has recommendations on detecting malicious activity in your environment related to this vulnerability, and there is a free tool from security firm CrowdStrike designed to facilitate permission reviews.