Mimecast: SolarWinds Attackers Stole Source Code

Cyber Security News

A new Mimecast update reveals the SolarWinds hackers accessed several “limited” source code repositories.

Hackers who compromised Mimecast networks as part of the SolarWinds espionage campaign have swiped some of the security firm’s source code repositories, according to an update by the company.

The email security firm initially reported that a certificate compromise in January was part of the sprawling SolarWinds supply-chain attack that also hit Microsoft, FireEye and several U.S. government agencies.

Attackers were found initially to have stolen a subset of Mimecast customers’ email addresses and other contact information, as well as certain hashed and salted credentials. However, in the most recent part of its investigation into the SolarWinds hack, Mimecast said it has found evidence that a “limited” number of source code repositories were also accessed.

However, the security vendor sought to downplay the impact of this access: “We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service,” it said in a Tuesday update. “We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products.”

Update to Mimecast Investigation

In January, Microsoft discovered that attackers had compromised a Mimecast-owned certificate, used to authenticate Mimecast Sync and Recover (which provides backups for various mail content), Continuity Monitor (which monitors for email traffic disruptions), and Internal Email Protect (IEP) products to Microsoft 365 Exchange Web Services.

The threat actor used this certificate to connect to a “low single-digit number” of customers’ Microsoft 365 tenants from non-Mimecast IP address ranges. The attackers then leveraged Mimecast’s Windows environment to potentially extract customers’ encrypted service account credentials, hosted in the United States and the United Kingdom.

“These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes,” said Mimecast.

Initially, Mimecast had said there is no evidence that the threat actor accessed customers’ email or archive content – in its Tuesday update, the security firm reiterated this claim. However, the attackers’ access to source code could give them an inside look at various product components and other sensitive information. Further information about the type of source code accessed is not available other than Mimecast saying that the source code accessed by attackers was “incomplete;” Mimecast did not provide further information on the accessed source code when reached by Threatpost.

The company said it will continue to analyze and monitor its source code (by implementing additional security analysis measures across the source code tree) to protect against potential misuse. Since the start of the attack, Mimecast has issued a new certificate connection and advised affected customers to switch to that connection; as well as removed and blocked the threat actor’s means of access to the company’s affected segment (its production grid environment).

SolarWinds Hack: Consequences Continue to Play Out

SolarWinds attackers also nabbed source code repositories from Microsoft. The Microsoft repositories contained code for: A small subset of Azure components including those related to service, security and identity; a small subset of Intune components; and a small subset of Exchange components.

Mimecast’s update is only the latest in the widescale SolarWinds hack. Texas-based SolarWinds was the primary victim of the now-infamous cyberattack believed to be the work of Russian state-sponsored actors. During the attack, adversaries leveraged SolarWinds’ Orion network management platform to infect users with a backdoor called “Sunburst,” which paved the way for lateral movement to other parts of networks.

This backdoor was initially pushed out via trojanized product updates to almost 18,000 organizations around the globe—including high-profile victims such as the U.S. Department of Homeland Security (DHS) and the Treasury and Commerce departments—starting last spring. Other cybersecurity vendors – like CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks and Qualys – have also been targeted as part of the attack.

Once embedded, the attackers were able to pick and choose which organizations to further penetrate.

Since then, several strains of malware have also been discovered, which were associated with the attackers behind the SolarWinds hack. The malware families include: A backdoor that’s called GoldMax; a dual-purpose malware called Sibot and a malware called GoldFinder. In addition to Sunburst, which is the malware used as the tip of the spear in the campaign, researchers in January unmasked additional pieces of malware, dubbed Raindrop and Teardrop, that were used in targeted attacks after the effort’s initial mass Sunburst compromise.

Further Reading:

  • SolarWinds Hack Potentially Linked to Turla APT
  • SolarWinds Hires Chris Krebs, Alex Stamos in Wake of Attack
  • Microsoft Caught Up in SolarWinds Spy Effort, Joining Federal Agencies
  • Sunburst’s C2 Secrets Reveal Second-Stage SolarWinds Victims
  • Nuclear Weapons Agency Hacked in Widening Cyberattack
  • The SolarWinds Perfect Storm: Default Password, Access Sales and More
  • DHS Among Those Hit in Sophisticated Cyberattack by Foreign Adversaries
  • FireEye Cyberattack Compromises Red-Team Security Tools