A nation state actor’s targeting of Commvault over the last few months may be part of a wider campaign against SaaS companies’ cloud applications, CISA has warned.
The data management and security firm has had a torrid time over the last few months.
As CISA warned this week, the firm has been “monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment.” The specific target appears to be Commvault's Metallic backup service.
Earlier this month Commvault said that Microsoft had first flagged suspicious activity by “a nation state actor” back in February.
The actor was using “sophisticated techniques to try to gain access to customer M365 environments,” it continued, and “may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments.”
Threat actors could have accessed “client secrets” for Commvault’s Microsoft 365 backup service hosted on Azure, the agency said. This could have given them unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault.
Ominously, the agency added that it believes “the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.”
The agency said it was “continuing to investigate the malicious activity in collaboration with partner organizations.”
In the meantime, customers are advised to hit the logs to check for unusual activity, including “deviations from regular login schedules”, and to conduct internal threat hunting.
Where customers have control of Commvault’s application secrets, they are advised to rotate them.
On-prem customers are also advised to take precautions, including restricting access to Commvault management interfaces, hunting for path traversal attempts and suspicious file uploads, and applying patches.
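Two of the checks above (looking for sign-ins that deviate from a regular schedule, and hunting for path traversal attempts against an on-prem management interface) can be scripted over exported logs. The following is an added example, not code from the article, CISA or Commvault: the sign-in records, the access log lines, the `backup-app` principal name and the `/commandcenter` path prefix are all constructed for illustration.

```python
"""Added example (not from the article, CISA or Commvault): two small
hunting checks run over exported logs. Every record below is constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sign-in records (principal, UTC timestamp). In a real hunt
# these would come from an identity-provider sign-in log export for the
# service principal the backup application authenticates as.
SIGNINS = [
    ("backup-app", "2025-03-03T02:05:00"),
    ("backup-app", "2025-03-04T02:07:00"),
    ("backup-app", "2025-03-05T02:04:00"),
    ("backup-app", "2025-03-06T02:06:00"),
    ("backup-app", "2025-03-10T02:03:00"),
    ("backup-app", "2025-03-10T14:31:00"),  # outside the learned window
    ("admin-user", "2025-03-10T09:15:00"),  # principal with no baseline
]


def find_schedule_deviations(events, baseline_until):
    """Learn the hours each principal signs in at before `baseline_until`
    (an ISO date string), then report later sign-ins at hours never seen
    for that principal, or by principals with no baseline at all.
    Returns a list of (principal, timestamp, reason)."""
    cutoff = datetime.fromisoformat(baseline_until)
    usual_hours = defaultdict(set)
    for principal, ts in events:
        when = datetime.fromisoformat(ts)
        if when < cutoff:
            usual_hours[principal].add(when.hour)
    findings = []
    for principal, ts in events:
        when = datetime.fromisoformat(ts)
        if when < cutoff:
            continue  # part of the baseline, not under review
        if principal not in usual_hours:
            findings.append((principal, ts, "no baseline for principal"))
        elif when.hour not in usual_hours[principal]:
            findings.append((principal, ts, "sign-in outside usual hours"))
    return findings


# Constructed access log lines (combined log format) for a hypothetical
# on-prem management interface served under /commandcenter.
ACCESS_LOG = """\
10.0.0.5 - - [10/Mar/2025:09:00:01 +0000] "GET /commandcenter/login HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2025:09:00:07 +0000] "GET /commandcenter/static/app.js HTTP/1.1" 200 9001
203.0.113.7 - - [10/Mar/2025:09:01:13 +0000] "GET /commandcenter/../../config.txt HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2025:09:01:20 +0000] "POST /commandcenter/upload?name=..%2f..%2fnotes.txt HTTP/1.1" 403 0
203.0.113.7 - - [10/Mar/2025:09:01:25 +0000] "GET /commandcenter/%252e%252e/config HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(path, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so that a
    double-encoded %252e%252e is compared as '..' just like a plain '../'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_traversal_requests(log_text, interface_prefix="/commandcenter"):
    """Return (ip, method, path, status) for requests to the management
    interface whose decoded path or query contains a '..' segment. The
    response status is kept but not filtered on: a 404 still shows probing."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed log line; skip rather than guess
        path = decode_fully(m["path"])
        if not path.startswith(interface_prefix):
            continue
        # Split on path, query and Windows separators; any bare '..' counts.
        if ".." in re.split(r"[/\\?=&]", path):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits


if __name__ == "__main__":
    for finding in find_schedule_deviations(SIGNINS, "2025-03-08"):
        print("sign-in:", finding)
    for hit in find_traversal_requests(ACCESS_LOG):
        print("traversal:", hit)
```

The sign-in check deliberately splits the data at a cutoff date so the anomaly is not learned into its own baseline, and the traversal check decodes the path before matching so that single- and double-encoded `..` are caught alongside the plain form.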
Meanwhile, Commvault has rotated key staff. In March it announced Bill O’Connell as Chief Security Officer. O’Connell had previously held security briefs at Roche and ADP. Also in March, it appointed Ha Hoang as its new CIO. Hoang was previously group VP of cloud engineering and infrastructure at UKG.
At the end of April, watchTowr praised Commvault for its rapid response to a flaw in its Command Center environment.