When security firm Malwarebytes announced last week that it had been targeted by the same attacker that compromised SolarWinds’ Orion software, it noted that the attack did not use SolarWinds itself. According to Malwarebytes, the attacker had used “another intrusion vector” to gain access to a limited subset of company emails.
Brandon Wales, acting director of the US Cybersecurity and Infrastructure Agency (CISA), said nearly a third of the organizations attacked had no direct connection to SolarWinds.
[The attackers] gained access to their targets in a variety of ways. This adversary has been creative… it is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.
Many of the attacks gained their initial foothold by password spraying to compromise individual email accounts at targeted organizations. Once the attackers had that foothold, they used a variety of complex privilege escalation and authentication attacks to exploit flaws in Microsoft’s cloud services. Another target of the Advanced Persistent Threat (APT), security firm CrowdStrike, said the attacker tried unsuccessfully to read its email by leveraging a compromised account of a Microsoft reseller the firm had worked with.
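Password spraying has a recognisable shape in sign-in logs: one source tries a small number of passwords against many accounts, so failures are wide but shallow, and any success in the same window is the account a defender should look at first. The following is an added example, not code from the article or from any of the organisations it names; the sign-in records are constructed, the field layout (timestamp, source IP, account, outcome) and the thresholds are assumptions, and a real deployment would read the equivalent fields from its identity provider's audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records, not taken from any real environment.
# Layout assumed: (ISO timestamp, source IP, account, outcome).
SAMPLE_EVENTS = [
    # One source, six accounts, one attempt each: the spray signature.
    ("2021-01-20T10:00:01", "203.0.113.5", "alice@example.org", "FAIL"),
    ("2021-01-20T10:00:07", "203.0.113.5", "bob@example.org", "FAIL"),
    ("2021-01-20T10:00:12", "203.0.113.5", "carol@example.org", "FAIL"),
    ("2021-01-20T10:00:20", "203.0.113.5", "dave@example.org", "FAIL"),
    ("2021-01-20T10:00:31", "203.0.113.5", "erin@example.org", "FAIL"),
    ("2021-01-20T10:00:45", "203.0.113.5", "frank@example.org", "SUCCESS"),
    # A different source hammering a single account: brute force, not spray.
    ("2021-01-20T10:03:00", "198.51.100.9", "alice@example.org", "FAIL"),
    ("2021-01-20T10:03:05", "198.51.100.9", "alice@example.org", "FAIL"),
    ("2021-01-20T10:03:10", "198.51.100.9", "alice@example.org", "SUCCESS"),
]


def detect_password_spray(events, window_minutes=10, min_accounts=5,
                          max_attempts_per_account=2):
    """Flag (source IP, time window) pairs whose failed sign-ins are spread
    across many distinct accounts with few attempts each.

    Returns a list of findings; each carries the accounts that were tried
    and any accounts that logged in successfully from the same source in
    the same window, which are the ones to investigate first.
    """
    # Bucket events by source IP and fixed-size time window.
    buckets = defaultdict(list)
    for ts, ip, account, outcome in events:
        t = datetime.fromisoformat(ts)
        window_start = t - timedelta(minutes=t.minute % window_minutes,
                                     seconds=t.second,
                                     microseconds=t.microsecond)
        buckets[(ip, window_start)].append((account, outcome))

    findings = []
    for (ip, window_start), attempts in sorted(buckets.items()):
        failures_per_account = defaultdict(int)
        successes = set()
        for account, outcome in attempts:
            if outcome == "FAIL":
                failures_per_account[account] += 1
            elif outcome == "SUCCESS":
                successes.add(account)

        # Too few distinct accounts: not wide enough to be a spray.
        if len(failures_per_account) < min_accounts:
            continue
        # Many attempts on one account is brute force; a spray stays shallow.
        if max(failures_per_account.values()) > max_attempts_per_account:
            continue

        findings.append({
            "source_ip": ip,
            "window_start": window_start.isoformat(),
            "accounts_targeted": sorted(failures_per_account),
            "successful_logins": sorted(successes),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

The two thresholds encode the distinction the logs make visible: `min_accounts` rejects ordinary mistyped passwords, and `max_attempts_per_account` separates a spray from a brute-force run against one account, which warrants a different response (lockout review rather than a hunt across the tenant). In the sample data only `203.0.113.5` is flagged, and the finding names `frank@example.org` as the account that succeeded during the spray.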