Mimecast Acknowledges Source Code Breach Linked to SolarWinds Attack
In a recent disclosure, email security firm Mimecast announced that it fell victim to the state-sponsored attackers behind the SolarWinds breach, illustrating the ongoing risks associated with sophisticated cyber threats. The incident, detailed in their findings, revealed unauthorized access to some internal repositories, where attackers downloaded source code along with a subset of email addresses and hashed credentials.
Mimecast confirmed that the accessed source code was incomplete, making it insufficient for creating any operational components of their service. Significantly, the company found no evidence of tampering with the build processes of executables distributed to clients, suggesting that the immediate integrity of their service remained intact post-incident. This breach is notably tied to the broader SolarWinds Orion supply chain attack, impacting numerous organizations globally.
The scope of the compromise included the potential exfiltration of encrypted service account credentials belonging to customers in the United States and the United Kingdom. The attackers initially gained entry through the Sunburst backdoor, which was distributed via compromised SolarWinds Orion software updates. Mimecast observed lateral movement within its environment consistent with the methods used by this threat actor, underscoring how difficult such well-resourced adversaries are to contain.
Despite the breach, Mimecast stated that the number of affected customers remained low, estimating that only a small number of Microsoft 365 tenants were targeted. The attack was attributed to a group tracked under designations such as UNC2452, Dark Halo, and Nobelium, which many researchers assess to be based in Russia.
In response to the incident, Mimecast has taken significant countermeasures, including the complete replacement of compromised Windows servers, strengthening encryption algorithms for stored credentials, and enhancing certificate and encryption key monitoring. Furthermore, the company has decided to decommission SolarWinds Orion, opting for a NetFlow monitoring system as a more secure solution.
Given the complexity of these attacks, several MITRE ATT&CK tactics such as initial access, privilege escalation, and lateral movement were likely employed by the attackers, highlighting the critical need for robust cybersecurity frameworks. The incident serves as a stark reminder of the persistent risks posed by nation-state actors and the importance of maintaining vigilant security practices.
Mimecast collaborated with Mandiant on a thorough investigation of and response to this incident, completing the inquiry earlier this month. The implications of such breaches are profound, calling attention to the need for businesses to continuously evaluate their cybersecurity measures in light of evolving threats.
As cybersecurity incidents become increasingly sophisticated, organizations must remain proactive in understanding and mitigating risks. Following developments in this space is crucial for business owners seeking to safeguard their information assets and maintain operational integrity.