(TLP:CLEAR) Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic)

TLP:CLEAR

Author: Chase Snow

Created: Thursday, May 29, 2025 - 15:09

Categories: Cybersecurity, Federal & State Resources, Security Preparedness

Summary: Data protection software company Commvault has updated a cybersecurity advisory, originally sent in February, regarding unauthorized activity by a nation-state threat actor based on Microsoft’s visibility within Azure environments. Commvault continues to monitor cyber threat activity targeting the applications hosted in their Microsoft Azure cloud environment. Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure. This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault.

Analyst Note: CISA believes the threat actor may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions. Commvault has provided recommended actions for SaaS customers who have deployed custom applications. Customers are encouraged to enforce least-privilege access with tightly scoped permissions, stay up to date with Microsoft threat bulletins and Commvault updates, and review Entra ID audit logs using the IOCs. WaterISAC encourages members to verify whether Commvault software is used by their utility and to review the advisories and recommended actions as appropriate.
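
One way to carry out the audit-log review recommended in the Analyst Note, as an added example that is not from WaterISAC or Commvault. It assumes audit records exported one JSON object per line with Microsoft Graph directoryAudit-style field names, and it uses placeholder IOC addresses and a hypothetical app name (`m365-backup-app`); substitute the indicators from the Commvault advisory.

```python
import ipaddress
import json

# Placeholder indicators (RFC 5737 documentation ranges), NOT the advisory's IOCs.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Hypothetical display name of the app registration used for M365 backup.
WATCHED_APPS = {"m365-backup-app"}

# Constructed sample export, one audit record per line (not real log data).
SAMPLE_EXPORT = """\
{"activityDateTime":"2025-05-01T10:00:00Z","activityDisplayName":"Add service principal credentials","initiatedBy":{"user":{"userPrincipalName":"admin@example.com","ipAddress":"203.0.113.45"}},"targetResources":[{"displayName":"m365-backup-app"}]}
{"activityDateTime":"2025-05-01T11:00:00Z","activityDisplayName":"Update user","initiatedBy":{"user":{"userPrincipalName":"helpdesk@example.com","ipAddress":"192.0.2.10"}},"targetResources":[{"displayName":"jdoe"}]}
{"activityDateTime":"2025-05-02T09:30:00Z","activityDisplayName":"Update application","initiatedBy":{"app":{"displayName":"automation-sp"}},"targetResources":[{"displayName":"m365-backup-app"}]}
{"activityDateTime":"2025-05-02T09:45:00Z","activityDisplayName":"Add member to group","initiatedBy":{"user":{"userPrincipalName":"ops@example.com","ipAddress":"not-an-ip"}},"targetResources":[{"displayName":"ops-group"}]}
"""

def ioc_hit(ip_text):
    """Return True if ip_text parses as an address inside an IOC network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed or empty value: cannot match an indicator
    return any(addr in net for net in IOC_NETWORKS)

def review(export_text):
    """Yield (reason, timestamp, activity, actor, targets) for records needing review."""
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        by = rec.get("initiatedBy") or {}
        user, app = by.get("user") or {}, by.get("app") or {}
        targets = [t.get("displayName") for t in rec.get("targetResources") or []]
        actor = user.get("userPrincipalName") or app.get("displayName") or "unknown"
        ip = user.get("ipAddress")
        if ip and ioc_hit(ip):
            reason = "ioc-ip"
        elif not ip and WATCHED_APPS & set(targets):
            # No user IP on the record (e.g. app-initiated): IOC matching cannot
            # clear it, so surface it for correlation with sign-in logs.
            reason = "watched-app-no-ip"
        else:
            continue
        yield (reason, rec.get("activityDateTime"), rec.get("activityDisplayName"), actor, targets)

if __name__ == "__main__":
    for finding in review(SAMPLE_EXPORT):
        print(finding)
```
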

Original Source: https://www.commvault.com/blogs/customer-security-update

Additional Reading:

  • Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic)

Mitigation Recommendations:

  • Notice: Security Advisory (Update)
  • Updated Best Practices in Security for Azure Apps Configuration to Protect M365, D365 or EntraID Workloads

Related WaterISAC PIRs: 6, 6.1, 8, 11, 12
