Mimecast Discloses Source Code Theft in SolarWinds Breach
A report issued by the security vendor reveals the SolarWinds attackers accessed several source code repositories.
Initially, it was discovered that the attackers had stolen a subset of Mimecast customers’ email addresses and other contact information, as well as several encrypted credentials. Mimecast has since revealed that it also found evidence that a limited number of source code repositories were accessed.
During our investigation, we learned that the threat actor used the SolarWinds supply-chain compromise to gain access to part of our production grid environment. Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information. The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials. In addition, the threat actor accessed and downloaded a limited number of our source code repositories, but we found no evidence of any modifications to our source code nor do we believe there was any impact on our products.
In an update to its report, the cloud security firm played down the impact of the theft, saying that the source code downloaded by the threat actor was incomplete and would not be enough to build and run any feature of the Mimecast service. The company added that it has found no evidence that the attackers modified its source code, and that it does not believe its products were affected.
In January, Mimecast released a statement announcing that Microsoft had discovered that a sophisticated threat actor had compromised a Mimecast-issued certificate used to authenticate the Mimecast Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to Microsoft 365 Exchange Web Services.
Following the attack, Mimecast issued a new certificate and advised affected customers to switch their connections to it; until a customer does so, the compromised certificate remains a valid credential for that connection. Mimecast also removed and blocked the attacker’s access to the affected segment of its environment.
The SolarWinds breach affected thousands of enterprise and government organizations. The attackers compromised the build system for the company’s Orion monitoring product and shipped a trojanized update to potentially thousands of customers, including the cybersecurity firm FireEye and several U.S. government agencies, turning a single vendor compromise into a global supply-chain attack.
Mimecast says the hashed credentials are being reset and that all customers involved in the breach have been notified. The security vendor has also upgraded the encryption algorithm it uses for stored credentials, removed SolarWinds Orion from its infrastructure, and replaced all impacted servers.
We are in the process of implementing a new OAuth-based authentication and connection mechanism between Mimecast and Microsoft technologies, which will provide enhanced security to Mimecast Server Connections. We will work with customers to migrate them to this new architecture as soon as it is available.
The company said it will continue to analyze and implement further security measures across its source code tree to protect against potential exploitation.