Mimecast has disclosed that the hacker in the SolarWinds supply chain gained access to part of the company’s production grid environment and accessed certain Mimecast-issued certificates and related customer server connection information.
The hacker also accessed and downloaded a limited number of Mimecast’s source code repositories, but the company found no evidence of any modifications to its source code nor does it believe there was any impact on its products.
Following the disclosure of access to its production grid environment, Mimecast “removed and blocked the threat actor’s means of access,” it said in an incident report on Tuesday. “All compromised systems were Windows-based and peripheral to the core of our production customer infrastructure. We completely replaced all compromised servers to eliminate the threat.”
Mimecast was one of SolarWinds’ customers, whose systems were impacted by the attack through infected updates of SolarWinds Orion software. The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials.
Password hashing involves putting a password through a hashing algorithm that converts plain text into an unintelligible series of numbers and letters, while salting refers to the process of adding a series of random characters to a password before going through the hashing function.
The investigation carried out by Mimecast revealed suspicious activity within a segment of its production grid environment containing a small number of Windows servers. The lateral movement from the initial access point to these servers is consistent with the mechanism described by Microsoft and other organizations that have documented the attack pattern of this threat actor.
“We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers,” Mimecast said. “We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service,” it added.
Having completed its forensic investigation with Mandiant this month, Mimecast notified affected users and partners under certain regulations. “We are resetting the affected hashed and salted credentials as a precautionary step,” it added.
The investigation revealed that the threat actor accessed and downloaded Mimecast’s source code repositories, in the same manner as was reported to have been done with other victims of the SolarWinds Orion supply chain attack.
Forensic analysis of all customer-deployed Mimecast software confirmed that the build process of the Mimecast-distributed executables was not tampered with, Mimecast added. Mimecast recommended that customers in the US and UK should reset any server connection credentials in use on the platform as a precautionary measure.
Mimecast is also in the process of implementing a new OAuth-based authentication and connection mechanism between its own and Microsoft technologies, which will provide enhanced security to Mimecast Server Connections. “We will work with customers to migrate them to this new architecture as soon as it is available,” the company said.
U.S. security agencies have been tracking, assessing, and mitigating the SolarWinds supply chain cyber incident since December, which was likely caused by an APT actor, who may be deeply burrowed in compromised networks, and full eviction will be costly, highly challenging, and complex, according to the Cybersecurity and Infrastructure Security Agency (CISA).
Once inside the network, the threat actor bypassed multi-factor authentication (MFA) and moved laterally to Microsoft cloud systems by compromising federated identity solutions, the agency said. The hackers targeted and gained persistent, invasive access to select organizations’ enterprise networks, their federated identity solutions, and their Active Directory or Microsoft 365 environments.