The attackers who got into SolarWinds, accessed some of Microsoft’s source code, and broke into many other companies in last year’s supply chain compromise not only stole a Mimecast certificate used to authenticate customers, but also downloaded some of the company’s source code repositories.
Although the attackers accessed and downloaded the repositories, they did not modify any of the code on Mimecast’s own systems, the company said in an update on its investigation into the incident. Mimecast, an email security company with a long list of enterprise customers, first revealed the intrusion in January in the aftermath of the disclosure of the SolarWinds compromise and its after effects. At the time, Mimecast officials did not connect the incident to the SolarWinds intrusion and said only that the attackers had stolen one of its certificate and that Microsoft had notified the company that the certificate had been used to impersonate a small number of customers.
“Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor,” the company said in January.
Since then, Mimecast has continued investigating the intrusion, with the assistance of Mandiant, the incident response firm that has investigated many of the incidents connected to the SolarWinds compromise. Mandiant was able to confirm that the Mimecast attack was in fact connected to the actors who had targeted SolarWinds, Microsoft and other tech companies and government agencies. The attackers gained access to a portion of the company’s production environment comprising Windows servers.
“Our investigation determined that the initial intrusion resulted from SUNBURST malware, the backdoor present in the compromised version of SolarWinds Orion software we had previously used in our environment,” Mimecast said in a report on the investigation Tuesday.
“We determined that the threat actor leveraged our Windows environment to query, and potentially extract, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.”
“We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products.
Despite that access, Mimecast said it had no evidence that the attackers got to email content that the company stores for customers.
More concerningly, the attackers were also able to gain access to some of Mimecast’s source code repositories and download them. This is one of the same tactics that the attackers used in their intrusion at Microsoft, though in both cases the company’s said that the attackers did not modify the source code.
“The investigation revealed that the threat actor accessed and downloaded a limited number of our source code repositories, as the threat actor is reported to have done with other victims of the SolarWinds Orion supply chain attack. We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service,” the company said.
“We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products. We will continue to analyze and monitor our source code to protect against potential misuse.”
The company said that it had also completed a forensic analysis of all of the Mimecast software deployed to customers and confirmed that the build process had not been tampered with.