Programming code background showing results of forensic investigation into SolarWinds hackers

Mimecast’s Forensic Investigation Found That SolarWinds Hackers Copied Limited Number of Source Code Repositories

A forensic investigation conducted by Mimecast and FireEye Mandiant incident response division found that SolarWinds hackers downloaded a limited number of the company’s source code repositories.

The email security company had earlier disclosed that the threat actors accessed a single-digit number of Mimecast customers’ Microsoft 365 tenants after compromising the signing certificate used to “authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services.”

Forensic investigation reveals that SolarWinds hackers compromised Mimecast’s production environment

After concluding the forensic investigation, Mimecast discovered that SolarWinds hackers accessed its production environment containing a small number of Windows servers.

Subsequently, they stole encrypted service account credentials created by customers in the U.S. and the U.K.

The credentials were used to connect to Mimecast’s on-premise and cloud services such as “LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.”

SolarWinds hackers also stole a subset of user account information

The attacker successfully accessed “Mimecast-issued certificates and related customer server connection information,” the company said.

“The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials.”

Apart from the single-digit number of customers, the forensic investigation team did not find additional victims.

Stolen source code did not impact Mimecast products

Mimecast clarified that although SolarWinds hackers “downloaded a limited number of our source code repositories,” the final forensic investigation did not find evidence of “any modifications to our source code nor do we believe there was any impact on our products.”

Microsoft had earlier disclosed that SolarWinds hackers had downloaded limited portions of its Microsoft Azure, Intune, and Exchange source code.

However, the source code stolen by SolarWinds hackers was also incomplete to compromise any Mimecast service, the company said. Additionally, the forensic investigation concluded that that the “build process of the Mimecast-distributed executables was not tampered with.”

Mimecast also downplayed the threat posed by the compromised signing certificates used by only 10% of its 36,000-customer base.

Additionally, there was no evidence that the attacker actively accessed Mimecast’s email content and archives hosted by the email provider during the attack.

“Our investigation revealed suspicious activity within a segment of our production grid environment containing a small number of Windows servers. The lateral movement from the initial access point to these servers is consistent with the mechanism described by Microsoft and other organizations that have documented the attack pattern of this threat actor,” the forensic investigation reaffirmed.

The investigation also found other attack vectors used by SolarWinds hackers to maintain persistence on the victims’ cloud infrastructure. However, Mimecast confirmed that it successfully evicted SolarWinds hackers from its cloud infrastructure.

Mimecast also replaced SolarWinds Orion software with NetFlow network monitoring systems, rotated the compromised certificates and encryption keys, and installed host monitoring systems.

“It is certainly unnerving for businesses to see the large scale of SolarWinds and related attacks despite all the security controls in place by many organizations,” says John Morgan, CEO at Confluera. “The update from Mimecast’s reiterates the fact that the recent attack did not stop with the initial target. The breach led to hackers using certificates and keys that allowed them to impersonate a valid 3rd party, further perpetuating the attack beyond the Mimecast environment and affiliated systems. It is still too early to understand the full impact of this attack.”

Brandon Hoffman, Chief Information Security Officer at Netenrich, says the report did not provide any new information regarding SolarWinds hackers’ activities.

“There doesn’t seem to be anything especially new or materially different in this latest report. It is well known that the adversaries were using their access via SolarWinds to perpetrate further attacks on specific targets. While the initial attack was aimed at SolarWinds, it’s clear that they had the notion to continue their attacks on cybersecurity vendors to continue the supply chain methodology. Taking source code and email access continues to be one the plays and it’s fortunate that the community has done a good job on coming together and sharing learnings to prevent more damage.”

However, Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), praised Mimecast and FireEye for cooperating in investigating the threat.

“Mimecast’s reporting provides some good news and one element that raises one’s eyebrow in that live-long-and-prosper style of Mr. Spock. The detailed level of cooperation and information exchange between two giants in the market is good for customers and their security.”

He also praised Mimecast’s remediation efforts which looked beyond the original security incident.

“In addition, Mimecast’s additional remediation steps show that they have look beyond that original incident and are trying to rule out any additional backdoor potentially installed during that attack. Here is the point that raises that said eyebrow. Host monitoring, system, and file integrity checks, change control, these are the essential security controls which should have been there in the first place and – once embedded into the assets and network – would have detected the intrusion, instead of being alerted by Microsoft days later. The measures taken will increase Mimecast’s cyber resilience.”