Cybersecurity companies Mimecast and Qualys have apparently been targeted by the threat actor that breached the systems of IT management solutions provider SolarWinds as part of a sophisticated supply chain attack. Fidelis Cybersecurity has also confirmed being hit, but it’s unclear if it was specifically targeted.
Email security company Mimecast reported a couple of weeks ago that a sophisticated threat group had obtained a certificate provided to certain customers for authenticating its products with Microsoft 365 services. The company had learned about the incident from Microsoft.
Some experts believed at the time that the incident may be related to the SolarWinds breach, and Mimecast on Tuesday confirmed that the theft of the certificate was indeed related to the SolarWinds software compromise and carried out by the same hackers.
“Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes,” Mimecast said in a blog post.
It added, “Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the United States and United Kingdom to take precautionary steps to reset their credentials.”
SolarWinds said roughly 18,000 customers received a piece of malware named Sunburst through malicious updates for its Orion monitoring product, and a few hundred private and government organizations that represented an interest to the attackers received additional payloads. An analysis of command and control mechanisms used by Sunburst has allowed researchers to determine which organizations may have been specifically targeted by the hackers.
Based on such analysis, network forensics and security firm NETRESEC reported on Monday that one previously unidentified target of the SolarWinds hackers was information security and compliance company Qualys.
Qualys confirmed to SecurityWeek that it did find trojanized Orion software on its systems, but claimed impact was limited.
“As part of our standard research and engineering process our researchers downloaded and installed the impacted version of SolarWinds Orion software in a sandbox environment for evaluation. This sandbox environment is completely segregated from our production and customer data environments,” Qualys said. “Our security team conducted a detailed investigation and has confirmed there was no impact on our production environment.”
The analysis conducted by NETRESEC revealed nearly two dozen targets, including some major companies that have confirmed being hit, as well as several U.S. government organizations.
NETRESEC also uncovered data referencing “hq.fidelis,” which could be related to Fidelis Cybersecurity, a firm that provides threat detection and response solutions. Fidelis revealed on Tuesday that it also received a trojanized Orion update, but it currently does not believe that the attackers were able to deliver second-stage payloads. The company did not use SolarWinds products, but they were present on one machine as part of a software evaluation.
Other cybersecurity solutions providers that were targeted in the SolarWinds hack include Malwarebytes, FireEye, Palo Alto Networks, CrowdStrike, Microsoft, and Cisco. These companies either said that the attackers failed to achieve their goal or that impact was limited.