Mimecast has decommissioned its SolarWinds Orion software and replaced it with a Cisco NetFlow monitoring system after hackers compromised a Mimecast certificate used for Microsoft authentication.
The email security vendor on Tuesday became one of the first SolarWinds hack victims to publicly announce they’re dumping the industry-leading Orion network monitoring platform for a competing product. Industry experts had considered it unlikely that the hack would lead to many customers getting rid of SolarWinds due to the unique visibility and monitoring features Orion offers.
SolarWinds told CRN the vast majority of its customers continue to operate the Orion Platform, and the company said it’s taking all appropriate steps to protect them. Mimecast declined to comment further on the switch from Orion to NetFlow, and Cisco and SolarWinds didn’t immediately respond to CRN USA requests for comment. Cisco NetFlow has since 1996 given visibility into how network assets are being used, with a focus on figuring out who is using the network, the destination of traffic, when the network is utilized, and the type of applications consuming bandwidth.
Since disclosing the hack before the market opened on 12 January, Mimecast’s stock is down US$6.77 (13.2 percent) to US$44.63 per share. The company this month completed its forensic investigation into the hack with the assistance of third-party forensics and cyber incident response experts at Mandiant, a division of FireEye. Mimecast on Tuesday made a three-page incident report available to the public.
Hackers with the Russian foreign intelligence service got into Mimecast by exploiting the backdoor in the Orion software the company had previously used. Once inside, the hackers downloaded Mimecast source code repositories and accessed, and potentially extracted, encrypted customer service account credentials that establish a connection from customers' Mimecast tenants to on-premises and cloud services.
The hackers also accessed email addresses and other contact information as well as hashed and salted credentials. Mimecast said it was required under certain regulations to notify affected customers and partners about some of the information the hackers had gotten their hands on. The company said it has also reset the affected hashed and salted credentials.
The source code downloaded by the hackers was incomplete and would be insufficient to build and run any aspect of the Mimecast service, according to the company. Mimecast isn’t the only victim to have its source code taken, with Microsoft admitting last month the SolarWinds hackers had downloaded some source code for its Azure, Exchange, and Intune cloud-based tools in an effort to find company secrets.
Microsoft notified Mimecast in January that hackers had used a compromised Mimecast certificate to connect to a low single-digit number of mutual customers’ Microsoft 365 tenants from non-Mimecast IP address ranges. Mimecast CEO Peter Bauer told investors Feb. 3 that five Mimecast customers were targeted by the SolarWinds hackers after the company’s certificate was compromised.
Mimecast declined to comment on what the SolarWinds hackers did after connecting to mutual customers’ Microsoft 365 tenants. The certificate compromised by the SolarWinds hackers was used to authenticate Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Product (IEP) products to Microsoft 365 Exchange Web Services, according to the company.
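The signal Microsoft reported above (a vendor integration's certificate authenticating to customer tenants from IP ranges the vendor does not use) is something a tenant owner can check for in their own sign-in records. The following is an added example, not code from the article, Mimecast or Microsoft; the log line format, the app name `vendor-ews-connector` and the address ranges are constructed placeholders, and a real deployment would substitute the vendor's published ranges and the tenant's actual sign-in log fields.

```python
import ipaddress
import re

# Constructed allow-list of source ranges the vendor integration is expected to
# use (placeholder documentation-prefix values, not any vendor's real ranges).
EXPECTED_VENDOR_RANGES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")
]

# Constructed sample sign-in records: timestamp, app identity, source IP,
# tenant and outcome. The third line is the anomaly a defender wants flagged.
SAMPLE_LOG = """\
2021-01-10T08:01:12Z app=vendor-ews-connector ip=203.0.113.17 tenant=contoso result=success
2021-01-10T08:03:45Z app=vendor-ews-connector ip=198.51.100.9 tenant=fabrikam result=success
2021-01-10T09:15:02Z app=vendor-ews-connector ip=192.0.2.77 tenant=contoso result=success
2021-01-10T09:16:30Z app=user-browser ip=192.0.2.78 tenant=contoso result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) ip=(?P<ip>\S+) tenant=(?P<tenant>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ip_in_expected_ranges(ip_str, ranges=EXPECTED_VENDOR_RANGES):
    """True if ip_str is a valid address inside one of the expected networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def find_unexpected_vendor_logins(log_text, app_id="vendor-ews-connector",
                                  ranges=EXPECTED_VENDOR_RANGES):
    """Return successful sign-ins by the vendor app that came from outside its ranges."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["app"] != app_id or rec["result"] != "success":
            continue  # skip unparseable lines, other apps, and failed attempts
        if not ip_in_expected_ranges(rec["ip"], ranges):
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_vendor_logins(SAMPLE_LOG):
        print(f"ALERT {a['ts']} tenant={a['tenant']} app={a['app']} unexpected ip={a['ip']}")
```

The check only covers successful sign-ins by the named app; failed attempts from the same addresses are worth a separate, lower-severity rule.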
The hackers used the SolarWinds Orion compromise to gain access to part of Mimecast’s production grid environment, with suspicious activity occurring in a segment of the environment containing a small number of Windows servers. The lateral movement from their initial access point to these servers is consistent with what Microsoft has seen and with what other organizations have documented.
The SolarWinds hackers then established additional access methods to the same segment of Mimecast’s production grid environment, the company said. The compromised systems were Windows-based and peripheral to the core of Mimecast’s production customer infrastructure, according to the company. Mimecast said it has completely replaced all compromised servers to eliminate the threat.
The company said it is also implementing a new authentication and control mechanism between Mimecast and Microsoft technologies to provide enhanced security for Mimecast server connections. Mimecast said it will work with customers to migrate them to this new architecture as soon as it is available.