SolarWinds Hackers Stole Source Code
Cyberwarfare / Nation-State Attacks, Forensics, Fraud Management & Cybercrime
Hackers Used Backdoor to Access Production Environment
Email security vendor Mimecast, which was targeted by the SolarWinds supply chain hack in January, reports in a Tuesday update that the hackers used the “Sunburst” backdoor as an initial attack vector to steal source code. But Mimecast says it “found no evidence of any modifications to our source code nor do we believe there was any impact on our products.”
Mimecast reports that the hackers used the backdoor installed in SolarWinds’ Orion network monitoring tool to gain partial access to its production environment.
The Tuesday update also notes: “The threat actor accessed certain Mimecast-issued certificates and related customer server connection information. The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials.”
The company says it worked with FireEye’s Mandiant division and law enforcement agencies to remove the malware from its affected systems. It says it detected no suspicious activities taking advantage of the exposed data.
“We have now completed our forensic investigation with Mandiant and have eliminated the threat actor’s access to our environment,” the company says in the Tuesday update.
Sunburst is one of the two backdoors tied to the SolarWinds supply chain attack. The SolarWinds attack was brought to light on Dec. 13, 2020, by security firm FireEye, which discovered it while investigating a breach of its own systems.
Mimecast is the second company to report exfiltration of source code by SolarWinds hackers. In January, Microsoft reported that attackers accessed source code for undisclosed products, although it said the risk posed to customers was low.
Mitigation Efforts
Mimecast says its mitigation efforts occurred in three phases from January to March.
Using the Sunburst backdoor as their foothold, the hackers compromised a certificate that Mimecast issues to customers for authenticating its products, such as Sync and Recover, Continuity Monitor and IEP, to Microsoft 365 Exchange Web Services. Microsoft notified Mimecast of the compromise, and Mimecast said the certificate had been used to target a low single-digit number of its customers' Microsoft 365 tenants.
Mimecast then rotated the affected certificate and asked the customers who use that connection to delete the existing connection in Microsoft 365 and re-establish it with the new certificate, so that the compromised certificate could no longer be used to authenticate.
In the second phase of mitigation, carried out with Mandiant, the company determined that the threat actor had used the Sunburst backdoor to gain access to part of its production grid environment containing a small number of Windows servers. The attackers moved laterally through those Windows servers and used the access to extract encrypted service account credentials created by customers hosted in the U.S. and the U.K., the report notes. “These credentials establish connections from Mimecast tenants to on-premises and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes,” according to Mimecast's update.
The third phase of mitigation was undertaken after further analysis revealed the hackers had established additional entry points into Mimecast's previously breached production environment. Through those entry points, the hackers accessed certain email addresses and contact information, hashed credentials and source code, the Tuesday report notes. Mimecast says it quickly blocked the threat actor's means of access.
Mimecast says the attackers downloaded only a limited number of its source code repositories, that the downloaded code was incomplete and would be insufficient to build and run any part of the Mimecast service, and that it found no evidence that the source code had been modified.
SolarWinds Victims
The supply chain attack is believed to have begun in March 2020 when SolarWinds started shipping the backdoored Orion network monitoring systems.
Up to 18,000 customers installed and ran the Trojanized software. Later, attackers launched follow-on attacks on nine U.S. government agencies and about 100 private sector firms, federal investigators say (see: White House Preparing ‘Executive Action’ After SolarWinds Attack).
The U.S. federal agencies investigating the SolarWinds supply chain attack have said it likely was part of a cyberespionage campaign conducted by a hacking group with ties to Russia. Russia has denied any involvement.