[BreachExchange] Mimecast Says SolarWinds Hackers Stole Source Code

Destry Winant destry at riskbasedsecurity.com
Fri Mar 19 10:38:04 EDT 2021


https://www.securityweek.com/mimecast-says-solarwinds-hackers-stole-source-code

Email security company Mimecast on Tuesday said it completed its
forensic investigation into the impact of the SolarWinds supply chain
attack, and revealed that the threat actor managed to steal some
source code.

Mimecast was one of several cybersecurity companies to confirm being
targeted by the hackers who breached the systems of IT management
solutions provider SolarWinds.

After compromising SolarWinds’ systems, the attackers, who have been
linked to Russia, used their access to deliver malicious updates for
SolarWinds’ Orion monitoring product to roughly 18,000 customers. A
few hundred of these customers, including government agencies and
private organizations, were then singled out for follow-on intrusion.

One of these targets was Mimecast, which learned about the intrusion
from Microsoft. The tech giant had noticed that a certificate used by
Mimecast customers to authenticate certain products with Microsoft 365
services had been compromised.

The investigation, conducted with the aid of FireEye’s Mandiant
incident response unit, found that the hackers gained initial access
to part of Mimecast’s production environment through the SUNBURST
backdoor delivered in the malicious Orion product updates.

The threat actor then managed to move laterally within the compromised
environment, gaining access to various types of systems and
information.

The compromised certificate discovered by Microsoft was used by the
attackers to connect to the Microsoft 365 tenants of a “low
single-digit number” of customers.

In addition, the hackers obtained encrypted service account
credentials created by customers in the US and UK. These credentials,
which are used for connections between Mimecast tenants and
on-premises and cloud services, do not appear to have been decrypted
or misused.

“We have no evidence that the threat actor accessed email or archive
content held by us on behalf of our customers,” Mimecast said in an
incident report published on Tuesday.

However, the attackers did manage to gain access to a “subset” of
email addresses and other contact information, as well as hashed and
salted credentials. Impacted customers have been notified.

The investigation also showed that the attackers accessed and
downloaded “a limited number” of source code repositories, as they did
at other victims, including Microsoft.

“We believe that the source code downloaded by the threat actor was
incomplete and would be insufficient to build and run any aspect of
the Mimecast service. We found no evidence that the threat actor made
any modifications to our source code nor do we believe that there was
any impact on our products,” Mimecast said.

In response to the incident, the cybersecurity firm rotated all
impacted encryption keys and certificates, decommissioned the Orion
product, reset all employee and system credentials, strengthened
authentication controls, fully replaced all compromised servers, and
deployed additional security monitoring.
