More cybersecurity vendors, including CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks & Qualys, have confirmed being targeted in the infamous SolarWinds espionage attack.
The Mimecast certificate compromise reported earlier in Jan. is part of the massive SolarWinds supply-chain attack, the security firm has just confirmed.
Mimecast is by no means the only cybersecurity vendor being targeted.
A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services had been “compromised by a sophisticated threat actor,” the email-protection company announced mid-Jan. That caused speculation that the breach was related to SolarWinds, which the firm confirmed in an update just this week.
Orion Software
“Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise & was perpetrated by the same sophisticated threat actor,” it revealed. “It is clear that this incident is part of a highly sophisticated large-scale attack & is focused on specific types of information & organisations.”
The SolarWinds espionage attack, which has affected several US Govt. agencies & many others, began with a ‘poisoned’ software update that delivered the Sunburst backdoor to around 18,000 organisations last spring.
After that broad initial compromise, the threat actors (believed to have links to Russia) selected specific targets to infiltrate further, which they did over several months. The compromises were 1st discovered in Dec.
Customer Information
Mimecast provides email-security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast’s servers.
The certificate in question was used to verify & authenticate those connections made to Mimecast’s Sync & Recover (backups for mailbox folder structure, calendar content & contacts from Exchange On-Premises or Microsoft 365 mailboxes), Continuity Monitor (looks for disruptions in email traffic) & Internal Email Protect (IEP) (inspects internally generated emails for malicious links, attachments or for sensitive content).
A compromise means that cyber-attackers could take over the connection through which inbound & outbound mail flows, researchers explained. It would be possible to intercept that traffic, or possibly to infiltrate customers’ Microsoft 365 Exchange Web Services & steal information. In this case, it seems that credentials were lifted.
Investigation
“Our investigation also showed that the threat actor accessed, & potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the US & UK,” the company observed in its update. “These credentials establish connections from Mimecast tenants to on-premises & cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, & SMTP-authenticated delivery routes.”
It added, “Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the US & UK to take precautionary steps to reset their credentials.”
Customer Mitigations
The hack was brought to Mimecast’s attention by Microsoft (itself a SolarWinds victim), which has disabled the certificate’s use for Microsoft 365.
Mimecast has also issued a new certificate & is urging users to re-establish their connections with the fresh authentication. It said in the update that “the vast majority of these customers have taken this action.”
Mimecast outlined that about 10% of its customers used the affected connections. It notes on its website that it has around 36,000 customers, so roughly 3,600 could potentially have been affected. The company went on to say that of these, “there are indications that a low single digit number of our customers’ Microsoft 365 tenants were targeted. We have already contacted these customers to remediate the issue.”
Targeted via Email
In addition, Malwarebytes last week confirmed that it too is a victim of the SolarWinds hackers – except that it was not targeted through the SolarWinds platform.
“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor,” it disclosed in a Tues. web posting.
Instead of using the SolarWinds Orion network-management system, the advanced persistent threat (APT) abused “applications with privileged access to Microsoft Office 365 and Azure environments,” the security firm commented — specifically, an email-protection application. However, data exfiltration occurred.
Not Related
When asked whether the Mimecast email-protection application was the attack vector, Malwarebytes said no.
“Mimecast was not related to our incident,” a Malwarebytes spokesperson explained. “However, any 3rd-party application can be abused if an attacker with sufficient administrative privilege gains access to a tenant.
Because this threat actor goes to great lengths to be as stealthy as possible, it is critical to reduce the surface of attack by disabling unneeded on-premises and cloud applications while enabling granular logging for those that remain.”
Microsoft Azure
CrowdStrike detected that a reseller’s Microsoft Azure account, used for managing CrowdStrike’s Microsoft Office licenses, was making abnormal calls to Microsoft cloud APIs.
“There was an attempt to read email, which failed as confirmed by Microsoft,” the company stated in a blog post in Dec. “As part of our secure IT architecture, CrowdStrike does not use Office 365 email.”
“They got in through the reseller’s access & tried to enable mail ‘read’ privileges,” a source told Reuters. “If it had been using Office 365 for email, it would have been game over.”
CrowdStrike declined to comment further on its attack.
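The Malwarebytes and CrowdStrike cases above come down to the same control gap: an application or a partner-held admin account in the Microsoft 365 tenant acquiring the right to read mail. The Python script below is an added example for this article, not code from Malwarebytes, CrowdStrike or Microsoft. It scans Azure AD audit records in the JSON shape returned by the Microsoft Graph `directoryAudits` endpoint (`activityDisplayName`, `initiatedBy`, `targetResources[].modifiedProperties[]`) for permission grants that confer mailbox read access, and marks grants initiated by a user account outside the tenant’s own domains, which is how a reseller’s delegated-admin account would appear. The sample records, the tenant domain `corp.example` and the GUIDs in them are constructed; the `modifiedProperties` names emitted for a given operation should be checked against your own tenant’s logs.

```python
"""Flag Azure AD audit events that hand an application mail-reading rights.

Added example for this article, not code from Malwarebytes, CrowdStrike or
Microsoft. Records follow the Microsoft Graph `directoryAudits` JSON shape;
the records below are constructed for illustration, not real tenant data.
"""
import json
import re
from dataclasses import dataclass

# Audit operations through which a service principal acquires permissions.
GRANT_OPERATIONS = {
    "Add app role assignment to service principal",  # application permission
    "Consent to application",                        # admin or user consent
    "Add delegated permission grant",                # OAuth2 delegated scope
}

# Permissions that allow reading mailboxes: Graph Mail.Read* / Mail.ReadWrite*,
# and full_access_as_app, which is EWS application impersonation on Exchange Online.
MAIL_PERMISSION = re.compile(
    r"\b(?:Mail\.Read(?:Write|Basic)?(?:\.\w+)*|full_access_as_app)\b")


@dataclass
class Finding:
    when: str
    operation: str
    result: str
    actor: str
    target_app: str
    permission: str
    external_actor: bool


def _decode(value):
    """modifiedProperties values are JSON-encoded strings ('"Mail.Read"'); unwrap them."""
    if not isinstance(value, str):
        return ""
    try:
        decoded = json.loads(value)
    except ValueError:
        return value
    return decoded if isinstance(decoded, str) else json.dumps(decoded)


def _actor(record):
    """Return (identifier, is_user) for whoever initiated the event."""
    initiated = record.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    if user.get("userPrincipalName"):
        return user["userPrincipalName"], True
    app = initiated.get("app") or {}
    return app.get("displayName") or "unknown", False


def _target_app(record):
    """Prefer the service principal the grant was applied to."""
    targets = record.get("targetResources") or []
    for t in targets:
        if t.get("type") == "ServicePrincipal":
            return t.get("displayName") or t.get("id", "unknown")
    return targets[0].get("displayName", "unknown") if targets else "unknown"


def find_mail_grants(records, tenant_domains):
    """Return one Finding per mail-reading permission granted in `records`.

    `tenant_domains` holds the UPN suffixes owned by the tenant; a user actor
    outside them (e.g. a reseller's delegated-admin account) is marked
    external_actor=True. App-initiated grants are never marked external.
    Failed grants are reported too: the attempt itself is the signal.
    """
    domains = {d.lower() for d in tenant_domains}
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in GRANT_OPERATIONS:
            continue
        actor, is_user = _actor(rec)
        external = is_user and actor.rsplit("@", 1)[-1].lower() not in domains
        granted = set()
        for t in rec.get("targetResources") or []:
            for prop in t.get("modifiedProperties") or []:
                granted.update(MAIL_PERMISSION.findall(_decode(prop.get("newValue"))))
        for perm in sorted(granted):
            findings.append(Finding(rec.get("activityDateTime", ""), rec["activityDisplayName"],
                                    rec.get("result", "unknown"), actor, _target_app(rec),
                                    perm, external))
    return findings


# Constructed sample records (GUIDs and names are placeholders, not real values).
SAMPLE_RECORDS = [
    {   # Reseller's delegated-admin account grants Mail.Read to an app: must flag
        "activityDateTime": "2020-12-15T03:12:44Z", "result": "success",
        "activityDisplayName": "Add app role assignment to service principal",
        "initiatedBy": {"user": {"userPrincipalName": "admin@reseller.example"}},
        "targetResources": [{"type": "ServicePrincipal", "displayName": "License Sync Helper",
                             "modifiedProperties": [
                                 {"displayName": "AppRole.Id", "newValue": "\"00000000-0000-0000-0000-000000000001\""},
                                 {"displayName": "AppRole.Value", "newValue": "\"Mail.Read\""}]}],
    },
    {   # Internal admin grants a directory-read role: no mail access, ignore
        "activityDateTime": "2020-12-15T09:01:10Z", "result": "success",
        "activityDisplayName": "Add app role assignment to service principal",
        "initiatedBy": {"user": {"userPrincipalName": "it-admin@corp.example"}},
        "targetResources": [{"type": "ServicePrincipal", "displayName": "HR Sync",
                             "modifiedProperties": [{"displayName": "AppRole.Value", "newValue": "\"User.Read.All\""}]}],
    },
    {   # Internal admin consents to a scope list containing Mail.ReadWrite: flag, internal
        "activityDateTime": "2020-12-16T11:40:02Z", "result": "success",
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "it-admin@corp.example"}},
        "targetResources": [{"type": "ServicePrincipal", "displayName": "Mail Archiver",
                             "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                     "newValue": "\"[] => [[ClientId: app-3, Scope: Mail.ReadWrite User.Read]]\""}]}],
    },
    {"activityDateTime": "2020-12-16T12:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@corp.example"}}, "targetResources": []},
]

if __name__ == "__main__":
    for f in find_mail_grants(SAMPLE_RECORDS, {"corp.example"}):
        who = "EXTERNAL ACTOR" if f.external_actor else "internal"
        print(f"{f.when} {f.operation} ({f.result}): {f.actor} granted {f.permission} "
              f"to '{f.target_app}' [{who}]")
```

In a real tenant the records would come from `GET /auditLogs/directoryAudits` or an Azure AD audit log export rather than the inline list. Two points follow from the article: the grant event is the one to alert on, since in CrowdStrike’s case the read itself failed only because the tenant had no Office 365 mailboxes; and every flagged service principal should be checked against the inventory of applications the organisation actually needs, which is the pruning Malwarebytes recommends.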
‘Battered in SolarWinds Gale’
Mimecast joins FireEye in admitting actual damage from the attack. FireEye in Dec. said that it had been hit in what CEO Kevin Mandia described as a highly targeted cyberattack. The attacker targeted & was able to access certain red-team assessment tools that the company uses to test its customers’ security.
The company soon confirmed that the attack was part of the SolarWinds supply-chain attack.
Other firms, like Malwarebytes, have confirmed being targeted but report that no damage was done.
Qualys
“Qualys engineers downloaded the vulnerable/malicious SolarWinds Orion tool in our lab environment for testing, which is completely segregated from our production environment,” a spokesperson told Forbes just this week. “Qualys’ in-depth investigations have concluded that there was no successful exfiltration of any data, even though the test system attempted to connect to the associated backdoor.”
Fidelis announced in a blog post this week that it, too, had avoided the worst consequences of the attack.
“Our current belief, subject to change given additional information, is that the test & evaluation machine where this software was installed was sufficiently isolated & powered up too infrequently for the attacker to take it to the next stage of the attack,” the firm wrote.
Palo Alto Networks
Palo Alto Networks also stated it was able to block the attack internally.
After the poisoned update, “our Security Operation Center then immediately isolated the server, initiated an investigation & verified our infrastructure was secure,” the company told Forbes. “Additionally, at this time, our SOC notified SolarWinds of the activity observed. The investigation by our SOC concluded that the attempted attack was unsuccessful & no data was compromised.”
It is likely that other security firms will emerge as SolarWinds targets, says Ami Luttwak, CTO & Co-Founder of Wiz.
Puzzle
“Why are the SolarWinds hackers going after security companies? When you piece together the puzzle it becomes scary,” Luttwak commented.
“They are trying to feed the beast, the more power they have, it gives them more tools & capabilities to attack more companies & get their capabilities as well. If we think about how this all started, they were after the FireEye tools… it is like a game, they are attacking whoever has additional skills they can get.”
He concluded, “What does a company like Malwarebytes… have? Well… endless capabilities. Every sensitive computer out there runs a security agent, most of them even have a cloud portal that allows to run privileged commands on any computer directly.”