Cybersecurity vendors such as FireEye, Fidelis, Crowdstrike, Malwarebytes, Palo Alto Networks, and Qualys have confirmed that they have been targeted by the threat actors behind the SolarWinds supply-chain attack. Recently, Mimecast confirmed a security breach from the same threat actors involved in the SolarWinds incident. Mimecast is a well-known cybersecurity company for providing cloud-based email security for Microsoft Office 365 and Microsoft Exchange. It protects the organization by providing a secure email gateway on the cloud or on-premises email platform.
The espionage attack record starts with the SolarWinds Sunburst backdoor and later targets selected companies to further exfiltrate data.
The Mimecast attack was detected when the company received a notification from Microsoft that the issued certificate to Mimecast customers to authenticate Mimecast Sync and Recover Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services were compromised. Following the alert, the company disclosed that their investigation shows the threat actors could access and steal encrypted service account credentials that provide Mimecast tenants’ connections to on-premise and cloud service.
The exfiltrated data are from the customers based in the United States and the United Kingdom. These stolen account data include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes connections. The company also stated that only 10% of its customers were affected and there are no reports that the stolen encrypted accounts have been decrypted or abused.
Furthermore, Mimecast customers from the United States and the United Kingdom were instructed to delete the affected connection on their Microsoft 365 tenant, change their account credentials, and re-create a new certificate-based connection as part of the mitigation process.
The threat actors behind the sophisticated attack are suspected to be a Russian state-sponsored group that focuses on the specific organization and data theft.
The threat actors use multiple techniques to move laterally on the victim‘s network and retain a light malware footprint to hide their operations from the previous encounters. As of today, cybersecurity vendors are continuously following the tracks of the threat actors to gather further forensic evidence to protect the public and private organizations worldwide. Several campaigns were released that include the signatures and detections on the techniques used by the attackers. With the available information, companies should be able to proactively secure their environment from future attacks.