Mimecast Says SolarWinds Hackers Stole Source Code

Email security company Mimecast on Tuesday said it completed its forensic investigation into the impact of the SolarWinds supply chain attack, and revealed that the threat actor managed to steal some source code.

Mimecast was one of several cybersecurity companies to confirm being targeted by the hackers who breached the systems of IT management solutions provider SolarWinds.

After compromising SolarWinds’ systems, the attackers, who have been linked to Russia, used their access to deliver malicious updates for SolarWinds’ Orion monitoring product to roughly 18,000 customers. A few hundred of these customers, including government and private organizations, were further targeted.

One of these targets was Mimecast, which learned about the intrusion from Microsoft. The tech giant had noticed that a certificate used by Mimecast customers to authenticate certain products with Microsoft 365 services had been compromised.

The investigation, conducted with the aid of FireEye’s Mandiant incident response unit, revealed that the hackers gained access to part of Mimecast’s production environment using the SUNBURST malware delivered via malicious Orion product updates.

The threat actor then managed to move laterally within the compromised environment, gaining access to various types of systems and information.

The compromised certificate discovered by Microsoft was used by the attackers to connect to the Microsoft 365 tenants of a “low single-digit number” of customers.

In addition, the hackers obtained encrypted service account credentials created by customers in the US and UK. These credentials, which are used for connections between Mimecast tenants and on-premises and cloud services, do not appear to have been decrypted or misused.

“We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers,” Mimecast said in an incident report published on Tuesday.

However, the attackers did manage to gain access to a “subset” of email addresses and other contact information, as well as hashed and salted credentials. Impacted customers have been notified.

The investigation also showed that the attackers — similar to what they did in the case of other victims, including Microsoft — also accessed and downloaded “a limited number” of source code repositories.

“We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service. We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products,” Mimecast said.

In response to the incident, the cybersecurity firm rotated all impacted encryption keys and certificates, stopped using the Orion product, changed all employee and system credentials, enhanced authentication security, completely replaced all hacked servers, and rolled out additional security monitoring systems.

Related: Microsoft Says Its Services Not Used as Entry Point by SolarWinds Hackers

Related: Everything You Need to Know About the SolarWinds Attack

Related: Many SolarWinds Customers Failed to Secure Systems Following Hack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.