A breach of email security and resilience company Mimecast was worse than first suggested in the company's January 12 blog post: Mimecast admitted this week that the attackers downloaded company source code, accessed a production environment, and queried and “potentially” extracted encrypted service account credentials created by customers hosted in the US and the UK. (That “potentially” may worry customers, since it suggests a continued lack of full visibility despite the involvement of multiple third-party specialist investigators.)
Mimecast processes over one billion emails daily for more than 36,000 customers. The stolen credentials, in the company's words, “establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.”
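As an added example that is not part of the original article or of Mimecast's own tooling: a customer-side check for the credential exposure described above. The service account a mail-security connector uses should only ever authenticate from the vendor's connector addresses and only to the application it integrates with, so sign-ins for that account from any other address, or to any other application, are worth investigating. The script below runs that check over constructed records shaped like Azure AD sign-in log entries (field names follow the Microsoft Graph signIn resource); the account name, the allowlisted network and the expected application are hypothetical placeholders to be replaced with your own values.

```python
import ipaddress
import json

# Hypothetical values for this example: replace with the connector account's UPN,
# the vendor's published connector IP ranges, and the app the account integrates with.
SERVICE_ACCOUNTS = {"svc-mimecast@corp.example"}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_APPS = {"Exchange Web Services"}

# Constructed sample sign-in records (one JSON object per line); all values are invented.
SAMPLE_SIGNINS = """
{"createdDateTime": "2021-01-14T02:11:09Z", "userPrincipalName": "svc-mimecast@corp.example", "ipAddress": "203.0.113.15", "appDisplayName": "Exchange Web Services", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-14T03:45:40Z", "userPrincipalName": "svc-mimecast@corp.example", "ipAddress": "198.51.100.77", "appDisplayName": "Exchange Web Services", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-14T03:46:02Z", "userPrincipalName": "svc-mimecast@corp.example", "ipAddress": "198.51.100.77", "appDisplayName": "Azure Active Directory PowerShell", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-14T04:00:00Z", "userPrincipalName": "alice@corp.example", "ipAddress": "198.51.100.77", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-14T05:12:31Z", "userPrincipalName": "svc-mimecast@corp.example", "ipAddress": "192.0.2.9", "appDisplayName": "Exchange Web Services", "status": {"errorCode": 50126}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_service_account_signins(events, service_accounts=SERVICE_ACCOUNTS,
                                  allowed_networks=ALLOWED_NETWORKS,
                                  expected_apps=EXPECTED_APPS):
    """Return sign-ins by a connector service account that come from an address
    outside the allowlist or target an application the account should not use.
    Failed attempts are kept too: a failure after credential rotation can be the
    stolen credential being tried."""
    findings = []
    for ev in events:
        upn = ev.get("userPrincipalName", "").lower()
        if upn not in service_accounts:
            continue  # only the service accounts are in scope here
        reasons = []
        try:
            ip = ipaddress.ip_address(ev["ipAddress"])
        except (KeyError, ValueError):
            ip = None
            reasons.append("unparseable_ip")
        if ip is not None and not any(ip in net for net in allowed_networks):
            reasons.append("ip_outside_allowlist")
        if ev.get("appDisplayName") not in expected_apps:
            reasons.append("unexpected_app")
        if not reasons:
            continue  # expected source and expected application: nothing to flag
        findings.append({
            "time": ev.get("createdDateTime"),
            "account": upn,
            "ip": ev.get("ipAddress"),
            "app": ev.get("appDisplayName"),
            "succeeded": ev.get("status", {}).get("errorCode", 0) == 0,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_service_account_signins(parse_signins(SAMPLE_SIGNINS)):
        print(finding)
```

On the constructed sample the check flags three of the four service-account sign-ins: two successful ones from an address outside the allowlist (one of them also to an unexpected application, which is the pattern of a credential being reused for something other than the connector's job) and one failed attempt from a third address. The successful out-of-range sign-ins are the ones to treat as a likely compromise; the allowlisted sign-in and the non-service-account sign-in are left alone.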
Mimecast hack: SolarWinds attackers blamed
The attack was conducted by the “same sophisticated threat actor responsible for the SolarWinds supply chain attack”, Mimecast said, as further details about a far-reaching software supply chain attack — which resulted in the compromise of multiple US federal agencies and blue chips globally — continue to emerge.
“The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials. In addition, the threat actor accessed and downloaded a limited number of our source code repositories, but we found no evidence of any modifications to our source code nor do we believe there was any impact on our products. We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers,” Mimecast added.
Customers' fear will be that the attackers subtly modified Mimecast source code, much as they did with SolarWinds itself, but the company said March 16 that “forensic analysis of all customer-deployed Mimecast software has confirmed that the build process of the Mimecast-distributed executables was not tampered with.”
Mimecast integrates with Microsoft Exchange, Office 365 and Google Apps to provide email security, archiving and continuity services in the event of primary email service outages.
It said it has completely replaced all compromised servers, rotated all impacted certificates and encryption keys, upgraded the encryption algorithm strength for all stored credentials, decommissioned its SolarWinds Orion systems and replaced them with an alternative NetFlow monitoring system, and expanded hardware-based 2FA for employee access to production systems.
“We are in the process of implementing a new OAuth-based authentication and connection mechanism between Mimecast and Microsoft technologies, which will provide enhanced security to Mimecast Server Connections. We will work with customers to migrate them to this new architecture as soon as it is available.”