Mimecast dumps SolarWinds after hackers breached its network

Email security provider Mimecast has admitted that SolarWinds hackers managed to breach its networks and access source code repositories.

In a statement, the company said that investigations have confirmed that hackers used the SolarWinds supply chain compromise to gain access to part of its production grid environment.

“Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information,” the firm said.

Hackers also managed to access a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials.

“In addition, the threat actor accessed and downloaded a limited number of our source code repositories, but we found no evidence of any modifications to our source code nor do we believe there was any impact on our products,” the company added.

Mimecast joins Microsoft in having source code accessed by SolarWinds hackers. Last month, Microsoft admitted that hackers had downloaded some source code for its Azure, Exchange, and Intune cloud-based tools.

Mimecast added that it had no evidence that the threat actor accessed email or archive content held by the company on behalf of its customers.

The company was notified by Microsoft in January that a certificate it provided to customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services had been compromised by a threat actor Microsoft was actively investigating.

These hackers used the certificate to “connect to a low single-digit number of our mutual customers’ Microsoft 365 tenants from non-Mimecast IP address ranges.”

Mimecast said that while evidence showed that this certificate was used to target only a small number of customers, it “quickly formulated a plan to mitigate potential risk for all customers who used the certificate”.

“We made a new certificate connection available and advised these customers and relevant supporting partners, via email, in-app notifications, and outbound calls, to take the precautionary step of switching to the new connection,” the firm said.

Since the incident, Mimecast has reset all affected hashed and salted credentials. It is also in the process of implementing a new OAuth-based authentication and connection mechanism between Mimecast and Microsoft technologies, “which will provide enhanced security to Mimecast Server Connections”.

“We will work with customers to migrate them to this new architecture as soon as it is available,” the company said in a statement.

Mimecasr has also confirmed that, as a result of the incident, it has decommissioned its SolarWinds Orion software and replaced it with a Cisco NetFlow monitoring system. This makes it first SolarWinds hack victims to publicly announce they’re ditching the network monitoring platform for a competing product.