SolarWinds Hackers Stole Mimecast Source Code
The hackers responsible for the attacks on SolarWinds gained access to Mimecast’s digital certificates, infiltrated the company’s internal network and stole the product’s source code.
Back in mid-January 2021, representatives of Mimecast warned that an unknown hacker had obtained one of its digital certificates. The attacker then abused it to gain access to some Microsoft 365 customer accounts.
The compromised certificate was used by several of the company’s products (Mimecast Sync and Recover, Continuity Monitor, and IEP) to connect to Microsoft’s infrastructure.
At the same time, it was reported that only 10% of customers used the above products with this certificate, and the attacker abused the certificate to gain access to only a few Microsoft 365 accounts. The company claimed that the number of affected customers was low and “unambiguous”, and that all of them had already been notified about the incident.
Later it turned out that the compromise of the certificate was directly related to the hack of SolarWinds, since Mimecast was using an infected version of the Orion platform.
Accordingly, the certificate was abused by the same attackers that hacked SolarWinds.
As has now become known, the hackers did gain access to other parts of the Mimecast intranet.
“All compromised systems were running Windows and were peripheral to the core of our production client infrastructure”, the company writes.
Mimecast claims that in the end all compromised servers were replaced “to eliminate the threat,” and the investigation found no evidence that the attackers gained access to e-mail or archived content that the company stored on these servers for its clients.
However, the attackers still managed to reach the repository holding Mimecast’s source code, from which, as has now become clear, some source files were stolen. The company said in a statement that the attackers stole only small parts of the code, not the code of entire projects.
“We believe that the source code uploaded by the attacker was incomplete and insufficient to create and run any aspect of the Mimecast service. We found no evidence that the attacker made any changes to our source code, and we do not believe that this could have any effect on our products”, the company says.
Let me remind you that earlier the same thing happened with Microsoft. After SolarWinds was compromised, the source code of Azure, Intune and Exchange components was stolen from the IT giant. Microsoft representatives also assured that the leak would not affect the company’s products in any way, and that the incident did not allow the hackers to gain wide access to user data.
The SolarWinds hack is one of the largest supply chain attacks in history.
The attack on SolarWinds is attributed to a hacking group believed to be Russian-speaking, which cybersecurity experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity).