[BreachExchange] More Cybersecurity Firms Confirm Being Hit by SolarWinds Hack

Destry Winant destry at riskbasedsecurity.com
Thu Jan 28 10:52:06 EST 2021


https://www.securityweek.com/more-cybersecurity-firms-confirm-being-hit-solarwinds-hack

Cybersecurity companies Mimecast and Qualys have apparently been
targeted by the threat actor that breached the systems of IT
management solutions provider SolarWinds as part of a sophisticated
supply chain attack. Fidelis Cybersecurity has also confirmed being
hit, but it’s unclear if it was specifically targeted.

Email security company Mimecast reported a couple of weeks ago that a
sophisticated threat group had obtained a certificate provided to
certain customers for authenticating its products with Microsoft 365
services. The company had learned about the incident from Microsoft.

Some experts believed at the time that the incident may be related to
the SolarWinds breach, and Mimecast on Tuesday confirmed that the
theft of the certificate was indeed related to the SolarWinds software
compromise and carried out by the same hackers.

“Our investigation also showed that the threat actor accessed, and
potentially exfiltrated, certain encrypted service account credentials
created by customers hosted in the United States and the United
Kingdom. These credentials establish connections from Mimecast tenants
to on-premise and cloud services, which include LDAP, Azure Active
Directory, Exchange Web Services, POP3 journaling, and
SMTP-authenticated delivery routes,” Mimecast said in a blog post.

It added, “Although we are not aware that any of the encrypted
credentials have been decrypted or misused, we are advising customers
hosted in the United States and United Kingdom to take precautionary
steps to reset their credentials.”

SolarWinds said roughly 18,000 customers received a piece of malware
named Sunburst through malicious updates for its Orion monitoring
product, and a few hundred private and government organizations that
were of interest to the attackers received additional payloads.
An analysis of the command and control mechanisms used by Sunburst has
allowed researchers to determine which organizations may have been
specifically targeted by the hackers.

Based on such analysis, network forensics and security firm NETRESEC
reported on Monday that one previously unidentified target of the
SolarWinds hackers was information security and compliance company
Qualys.

Qualys confirmed to SecurityWeek that it did find trojanized Orion
software on its systems, but claimed impact was limited.

“As part of our standard research and engineering process our
researchers downloaded and installed the impacted version of
SolarWinds Orion software in a sandbox environment for evaluation.
This sandbox environment is completely segregated from our production
and customer data environments,” Qualys said. “Our security team
conducted a detailed investigation and has confirmed there was no
impact on our production environment.”

The analysis conducted by NETRESEC revealed nearly two dozen targets,
including some major companies that have confirmed being hit, as well
as several U.S. government organizations.

NETRESEC also uncovered data referencing “hq.fidelis,” which could be
related to Fidelis Cybersecurity, a firm that provides threat
detection and response solutions. Fidelis revealed on Tuesday that it
also received a trojanized Orion update, but it currently does not
believe that the attackers were able to deliver second-stage payloads.
The company did not use SolarWinds products, but they were present on
one machine as part of a software evaluation.

Other cybersecurity solutions providers that were targeted in the
SolarWinds hack include Malwarebytes, FireEye, Palo Alto Networks,
CrowdStrike, Microsoft, and Cisco. These companies either said that
the attackers failed to achieve their goal or that impact was limited.
