U.S. cybersecurity company Malwarebytes is the latest victim in a string of attacks targeting top security firms. According to a statement from the company, the hackers breached its internal systems by way of a dormant email protection product within its Office 365 tenant, which allowed access to a limited subset of internal company emails.
Malwarebytes says they confirmed the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, Malwarebytes determined the attacker only gained access to a limited subset of internal company emails and found no evidence of unauthorized access or compromise in any of their internal on-premises and production environments.
"The Malwarebytes incident highlights that malicious actors are determined and will exploit any weakness in the system they can find - from out-of-use applications to the CEO’s email account. In this case, they gained access through a dormant email protection product," says expert Shimrit Tzur-David, CSO and co-founder of Secret Double Octopus, a provider of passwordless authentication.
"In this attack, exploitation of authentication mechanisms was likely a critical component of the long-term campaign. The hackers may have gained access to the underlying infrastructure by simply guessing common or weak phrases or using password spraying tactics and then went on to exploit the credentials or certificates they gained in order to breach the final victim’s systems," she says.
Poor authentication poses a huge risk to network security that can lead to enormous consequences, Tzur-David notes. "After all, over 80% of data breaches stem from compromised credentials. However, no amount of complex password policies can ever get rid of the biggest weakness enterprises face: the human factor. Of course, humans are not computers, and remembering long strings of complex passwords is difficult. As a result, many people reuse or employ weak passwords - a fact that hackers know and exploit to their advantage."
She adds, "Simply getting rid of passwords is not easy, but would stop hackers earlier in their tracks and lower the risk of being a target. Until then, enforcing better policies like educating employees and implementing an MFA solution is crucial."