Mimecast acknowledged Wednesday that the threat actor responsible for the SolarWinds attack used the supply chain compromise to gain entry to a part of Mimecast’s production grid environment, accessing certain Mimecast-issued certificates and related customer server connection information.
In an incident report, Mimecast researchers said the threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials. The company said the threat actor also accessed and downloaded a limited number of its source code repositories, but Mimecast found no evidence of any modifications to its source code nor does it believe there was any significant impact on any Mimecast products.
“We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers,” the incident report said.
Mimecast said following an investigation in which it partnered with FireEye and law enforcement, the company eliminated the threat actor’s access to its environment. Mimecast recommends that customers hosted in the United States and United Kingdom reset as a precautionary measure any server connection credentials in use on the Mimecast platform.
"This update from Mimecast reiterates that the recent attack did not stop with the initial target,” said John Morgan, CEO at Confluera. Morgan said the breach led to hackers using certificates and keys that let them impersonate a valid third-party, further perpetuating the attack beyond the Mimecast environment and affiliated systems.
The Mimecast report also shows how critical lateral movement was to the overall attack, said Morgan. As with many modern attacks, after gaining initial access, the attacker moved from the point of access to the targeted servers via lateral movement. Morgan added that many organizations cannot detect these lateral movements which play a vital role in the effectiveness of modern attacks.
“Mimecast has shed light on the scope of the attack that spanned both on-premises and cloud servers,” Morgan said. “This should be a wake-up call for any organizations that have preconceived notions about the security of the servers based on its deployment models. It reiterates the need for organizations to adopt a security model that can detect and respond to threats in real-time across their entire environment.”
For the security industry at-large, the detailed level of cooperation and information exchange between two giants in the market bodes well for customers and their security, said Dirk Schrader, global vice president of security research at New Net Technologies. He said Mimecast’s additional remediation steps show that they have looked beyond the original incident and are trying to rule out any additional backdoor potentially installed during that attack.
“The measures taken will increase Mimecast’s cyber resilience,” Schrader said. “The job will be to maintain or even increase that resilience, and the monitoring for malicious activity from that particular threat actor remains only one part in the next months to come.”
Mimecast’s report contains all of the hallmarks of a good response from a company, said Chad Anderson, senior security researchers at DomainTools. He pointed out that the report includes a full public disclosure, remediation steps, and an after-action report detailing their investigation and steps taken.
“I applaud them for their moves to increase visibility across their infrastructure with additional monitoring and for completing the no-doubt large effort of replacing all user and employee credentials networkwide,” Anderson said. “Security teams and vendors should look to reporting like this from Mimecast and take notes as to how to properly respond to an incident. Personally, I would have hoped to see more companies involved in SolarWinds to be this responsive and forthcoming in their public incident reporting.”