Mimecast: SolarWinds hackers used Sunburst malware for initial intrusion

Email security company Mimecast has confirmed today that the state-sponsored SolarWinds hackers who breached its network earlier this year used the Sunburst backdoor during the initial intrusion.

Sunburst is the malware distributed by the SolarWinds hackers to roughly 18,000 SolarWinds customers using the compromised auto-update mechanism of the SolarWinds Orion IT monitoring platform.

Incomplete source code downloaded during attack

“Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information,” Mimecast explained in an incident report published earlier today.

“The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials.

“In addition, the threat actor accessed and downloaded a limited number of our source code repositories, but we found no evidence of any modifications to our source code nor do we believe there was any impact on our products.”

The company believes that the source code exfiltrated by the attackers is incomplete and insufficient to develop a working version of the Mimecast service.

“We do not believe that the threat actor made any modifications to our source code,” the company added. “Forensic analysis of all customer-deployed Mimecast software has confirmed that the build process of the Mimecast-distributed executables was not tampered with.”

The SolarWinds hackers targeted only a small, single-digit number of customers’ Microsoft 365 tenants after stealing a Microsoft-issued certificate used for securing Microsoft 365 cloud synchronization server tasks, as the company initially disclosed in January.

Even though Mimecast did not disclose the exact number of customers who used the stolen certificate, the company said that roughly 10 percent of their customers “use this connection.”

Mimecast’s products are being used by over 36,000 customers, with 10% of them amounting to approximately 3,600 potentially affected customers.

Our investigation revealed suspicious activity within a segment of our production grid environment containing a small number of Windows servers. The lateral movement from the initial access point to these servers is consistent with the mechanism described by Microsoft and other organizations that have documented the attack pattern of this threat actor. We determined that the threat actor leveraged our Windows environment to query, and potentially extract, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes. We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers. – Mimecast

During the investigation, Mimecast discovered additional access methods established by the SolarWinds hackers to maintain access to compromised Windows systems on the company’s production grid environment.

After completing the incident investigation with Mandiant forensics experts, Mimecast says that it successfully cut off the threat actors’ access to its environment.

No evidence was found of email or archive content being accessed by the hackers during the attack.

Remediation actions

Mimecast reset all “affected hashed and salted credentials” and also recommended that customers hosted in the US and the UK reset any server connection credentials they use on the Mimecast platform.

The email security firm is working on a new OAuth-based authentication mechanism to connect Mimecast and Microsoft service platforms to further secure Mimecast Server Connections.

Mimecast also took several additional remediation measures after the security breach:

  • Rotated all impacted certificates and encryption keys.
  • Upgraded encryption algorithm strength for all stored credentials.
  • Implemented enhanced monitoring of all stored certificates and encryption keys.
  • Deployed additional host security monitoring functionality across all of our infrastructure.
  • Decommissioned SolarWinds Orion and replaced it with an alternative NetFlow monitoring system.
  • Rotated all Mimecast employee, system, and administrative credentials, and expanded hardware-based two-factor authentication for employee access to production systems.
  • Completely replaced all compromised servers.
  • Inspected and verified our build and automation systems to confirm that Mimecast-distributed executables were not tampered with.
  • Implemented additional static and security analysis across the source code tree.

The SolarWinds hackers

The threat actor behind the SolarWinds supply-chain attacks is tracked as UNC2452 (FireEye), StellarParticle (CrowdStrike), SolarStorm (Palo Alto Unit 42), Dark Halo (Volexity), and Nobelium (Microsoft).

While its identity remains unknown, a joint statement issued by the FBI, CISA, ODNI, and the NSA says that it is likely a Russian-backed Advanced Persistent Threat (APT) group.

Around the time Mimecast disclosed their breach, cybersecurity firm Malwarebytes also confirmed that the SolarWinds hackers could access some internal company emails.

Microsoft also said in February that the SolarWinds hackers downloaded source code for a limited number of Azure, Intune, and Exchange components.

Two weeks ago, SolarWinds revealed expenses of roughly $3.5 million through December 2020 from last year’s supply-chain attack. However, high additional costs are expected throughout the following financial periods.