SolarWinds hackers stole source code from email security firm Mimecast

Representatives of the email security firm Mimecast have confirmed that the hackers responsible for the SolarWinds attack were able to access the company's IT systems and download the source code from a small number of its repositories. The intrusion was made possible by the Sunburst backdoor, the malware used by the SolarWinds hackers that affected nearly 18,000 customers running the SolarWinds Orion monitoring software.

Through a statement released a few hours ago, the company reported, “Using this entry point malicious hackers managed to access some certificates issued by Mimecast, as well as compromise information related to the client’s server connection.”

“The malicious hacker would have accessed a small subset of email addresses and other contact details, some hashed protected access credentials, as well as accessing and downloading a limited number of our source code repositories, although we can say that there is no evidence of arbitrary alterations in these resources,” the company adds.

The report states that the source code extracted by the threat actors is incomplete and that functional versions of the products cannot be built from the stolen material: “Forensic analysis indicates that the process of building our executables was not altered.”

As users may remember, the hackers responsible for the SolarWinds supply chain attack managed to compromise a small number of Microsoft 365 users after stealing a company-issued certificate used to secure Microsoft 365 synchronization tasks.

While Mimecast did not disclose the exact number of clients that used the stolen certificate, the release refers to 10% of the total affected users; since Mimecast is employed by about 36,000 users, the total number of affected deployments could approach 3,600.

Mimecast’s internal investigation revealed some of the access methods used by the hackers, which were shut down after detection. So far, no evidence has been found to suggest that the threat actors were able to access the content of affected users’ emails. It should be remembered that a couple of weeks ago Microsoft also confirmed that the SolarWinds hackers managed to download incomplete snippets of source code from products such as Azure and Exchange, although that compromised material is likewise insufficient to build functional versions for use in subsequent attacks.

Security measures established by Mimecast to mitigate the risks arising from this incident include:

  • Rotation of all affected certificates and encryption keys
  • Upgrading the encryption algorithm used to protect all stored credentials
  • Implementation of enhanced monitoring for all certificates and encryption keys
  • Implementation of additional host security monitoring across the infrastructure

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.