The Mimecast certificate compromise reported earlier in January is part of the sprawling SolarWinds supply-chain attack, the security firm has confirmed.
Mimecast joins other cybersecurity vendors like CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks and Qualys in being targeted in the attack.
A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services had been “compromised by a sophisticated threat actor,” the email-protection company announced in mid-January. That caused speculation that the breach was related to SolarWinds, which the firm confirmed in an update this week.
“Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor,” it announced. “It is clear that this incident is part of a highly sophisticated large-scale attack and is focused on specific types of information and organizations.”
The SolarWinds espionage attack, which has affected several U.S. government agencies and many others, began with a poisoned software update that delivered the Sunburst backdoor to around 18,000 organizations last spring. After that broad-brush attack, the threat actors (believed to have links to Russia) selected specific targets to further infiltrate, which they did over the course of several months. The compromises were first discovered in December.
Exfiltrated Mimecast Customer Information
Mimecast provides email-security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast’s servers. The certificate in question was used to verify and authenticate those connections made to Mimecast’s Sync and Recover (backups for mailbox folder structure, calendar content and contacts from Exchange On-Premises or Microsoft 365 mailboxes), Continuity Monitor (looks for disruptions in email traffic) and Internal Email Protect (IEP) (inspects internally generated emails for malicious links, attachments or for sensitive content).
A compromise means that cyberattackers could take over the connection, though which inbound and outbound mail flows, researchers said. It would be possible to intercept that traffic, or possibly to infiltrate customers’ Microsoft 365 Exchange Web Services and steal information. In this case, it appears that credentials were lifted.
“Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom,” the company said in its update. “These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.”
It added, “Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the United States and United Kingdom to take precautionary steps to reset their credentials.”
Threatpost reached out for further information, but did not immediately receive a response.
Mimecast Customer Mitigations
The hack was brought to Mimecast’s attention by Microsoft (itself a SolarWinds victim), which has disabled the certificate’s use for Microsoft 365.
Mimecast has also issued a new certificate and is urging users to re-establish their connections with the fresh authentication. It said in the update that “the vast majority of these customers have taken this action.”
Mimecast said that about 10 percent of its customers used the affected connections. It notes on its website that it has around 36,000 customers, so 3,600 could be potentially compromised. The company went on to say that out of those, “there are indications that a low single digit number of our customers’ Microsoft 365 tenants were targeted. We have already contacted these customers to remediate the issue.”
Malwarebytes, CrowdStrike Targeted via Email
Meanwhile, Malwarebytes last week confirmed that it too is a victim of the SolarWinds hackers – except that it wasn’t targeted through the SolarWinds platform.
“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor,” it disclosed in a Tuesday web posting.
Instead of using the SolarWinds Orion network-management system, the advanced persistent threat (APT) abused “applications with privileged access to Microsoft Office 365 and Azure environments,” the security firm said — specifically, an email-protection application. No data exfiltration occurred, however.
When asked if the Mimecast email-protection application was the attack vector, the answer was no.
“Mimecast was not related to our incident,” a Malwarebytes spokesperson told Threatpost. “However, any third-party application can be abused if an attacker with sufficient administrative privilege gains access to a tenant. Because this threat actor goes to great lengths to be as stealthy as possible, it is critical to reduce the surface of attack by disabling unneeded on-premises and in the cloud applications while enabling granular logging for those that remain.”
Similarly, CrowdStrike caught a reseller’s Microsoft Azure account used for managing CrowdStrike’s Microsoft Office licenses making abnormal calls to Microsoft cloud APIs.
“There was an attempt to read email, which failed as confirmed by Microsoft,” the company said in a blog post back in December. “As part of our secure IT architecture, CrowdStrike does not use Office 365 email.”
“They got in through the reseller’s access and tried to enable mail ‘read’ privileges,” a source told Reuters. “If it had been using Office 365 for email, it would have been game over.”
CrowdStrike declined to comment further on its attack.
Security Firms Battered in SolarWinds Gale
Mimecast joins FireEye in admitting actual damage from the attack. FireEye in December said that it had been hit in what CEO Kevin Mandia described as a highly targeted cyberattack. The attacker targeted and was able to access certain red-team assessment tools that the company uses to test its customers’ security.
The company soon confirmed that the attack was part of the SolarWinds supply-chain attack.
Other firms fall into the Malwarebytes camp – confirming having been targeted, but reporting that no damage was done.
“Qualys engineers downloaded the vulnerable/malicious SolarWinds Orion tool in our lab environment for testing, which is completely segregated from our production environment,” a spokesperson told Forbes this week. “Qualys’ in-depth investigations have concluded that there was no successful exfiltration of any data, even though the test system attempted to connect to the associated backdoor.”
Fidelis meanwhile announced in a blog post this week that it was also able to thwart bad consequences from the attack.
“Our current belief, subject to change given additional information, is that the test and evaluation machine where this software was installed was sufficiently isolated and powered up too infrequently for the attacker to take it to the next stage of the attack,” the firm wrote.
And Palo Alto Networks also said it was able to block the attack internally.
After the poisoned update, “our Security Operation Center then immediately isolated the server, initiated an investigation and verified our infrastructure was secure,” told Forbes. “Additionally, at this time, our SOC notified SolarWinds of the activity observed. The investigation by our SOC concluded that the attempted attack was unsuccessful and no data was compromised.”
It’s likely that other security firms will come to light as SolarWinds targets, according to Ami Luttwak, CTO and co-founder of Wiz.
“Why are the SolarWinds hackers going after security companies? When you piece together the puzzle it becomes scary,” Luttwak said via email. “They are trying to feed the beast, the more power they have, it gives them more tools and capabilities to attack more companies and get their capabilities as well. If we think about how this all started, they were after the FireEye tools… it’s like a game, they are attacking whoever has additional skills they can get.”
He added, “What does a company like Malwarebytes… have? Well… endless capabilities. Every sensitive computer out there runs a security agent, most of them even have a cloud portal that allows to run privileged commands on any computer directly.”
Further Reading:
- Malwarebytes Hit by SolarWinds Attackers
- SolarWinds Malware Arsenal Widens with Raindrop
- SolarWinds Hack Potentially Linked to Turla APT
- SolarWinds Hires Chris Krebs, Alex Stamos in Wake of Attack
- Microsoft Caught Up in SolarWinds Spy Effort, Joining Federal Agencies
- Sunburst’s C2 Secrets Reveal Second-Stage SolarWinds Victims
- Nuclear Weapons Agency Hacked in Widening Cyberattack
- The SolarWinds Perfect Storm: Default Password, Access Sales and More
- DHS Among Those Hit in Sophisticated Cyberattack by Foreign Adversaries
- FireEye Cyberattack Compromises Red-Team Security Tools
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!