SolarWinds hackers stole some of Mimecast’s source code


Email security provider Mimecast published an update regarding a security incident that occurred earlier this year, in which a threat actor compromised some of the company's clients' Microsoft 365 accounts using a Mimecast-issued digital certificate.

The investigation initiated after the breach showed that the attack was part of the larger SolarWinds supply-chain compromise: the attackers used the Sunburst backdoor, malware that the SolarWinds hackers delivered to roughly 18,000 SolarWinds customers via a tainted version of the SolarWinds Orion software, to gain access to Mimecast's network.

“We determined that the threat actor leveraged our Windows environment to query, and potentially extract, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes. We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers,” the company said.

Mimecast also confirmed that the threat actor stole some of its source code.

“The investigation revealed that the threat actor accessed and downloaded a limited number of our source code repositories, as the threat actor is reported to have done with other victims of the SolarWinds Orion supply chain attack,” Mimecast said. “We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service. We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products. We will continue to analyze and monitor our source code to protect against potential misuse.”

The company said it replaced all compromised servers to eliminate the threat.

Last month, Microsoft, which was also affected by the SolarWinds breach, revealed that the hackers stole a small portion of the source code for its Azure, Intune and Exchange products. The tech giant stressed that the attackers did not gain access to any of its products or services, nor to the vast majority of its source code.
