Mimecast: SolarWinds Hackers Stole Some Of Our Source Code

Email security company Mimecast has confirmed today that the state-sponsored SolarWinds hackers who breached its network earlier this year downloaded source code out of a limited number of repositories.

To breach Mimecast’s network, the attackers used the Sunburst backdoor, a malware distributed by the SolarWinds hackers to roughly 18,000 SolarWinds customers using the compromised auto-update mechanism of the SolarWinds Orion IT monitoring platform.

Some source code stolen during attack

“Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information,” Mimecast explained in an incident report published earlier today.

“The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials.

“In addition, the threat actor accessed and downloaded a limited number of our source code repositories, but we found no evidence of any modifications to our source code nor do we believe there was any impact on our products.”

The company believes that the source code exfiltrated by the attackers is incomplete and insufficient to develop a working version of the Mimecast service.

“We do not believe that the threat actor made any modifications to our source code,” the company added. “Forensic analysis of all customer-deployed Mimecast software has confirmed that the build process of the Mimecast-distributed executables was not tampered with.”

The SolarWinds hackers targeted only a small, single-digit number of customers’ Microsoft 365 tenants after stealing a Microsoft-issued certificate used for securing Microsoft 365 cloud synchronization server tasks, as the company initially disclosed in January.

Even though Mimecast did not disclose the exact number of customers who used the stolen certificate, the company said that roughly 10 percent of their customers “use this connection.”

Mimecast’s products are used by over 36,000 customers, so 10% of them amounts to approximately 3,600 potentially affected customers.

Our investigation revealed suspicious activity within a segment of our production grid environment containing a small number of Windows servers. The lateral movement from the initial access point to these servers is consistent with the mechanism described by Microsoft and other organizations that have documented the attack pattern of this threat actor. We determined that the threat actor leveraged our Windows environment to query, and potentially extract, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes. We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers. – Mimecast

During the investigation, Mimecast discovered additional access methods established by the SolarWinds hackers to maintain access to compromised Windows systems on the company’s production grid environment.

After completing the incident investigation with Mandiant forensics experts, Mimecast says that it successfully cut off the threat actors’ access to its environment.

No evidence was found of email or archive content being accessed by the hackers during the attack.

Microsoft also said in February that the SolarWinds hackers downloaded source code for a limited number of Azure, Intune, and Exchange components.

Remediation actions

Mimecast reset all “affected hashed and salted credentials” and also recommended that customers hosted in the US and the UK reset any server connection credentials they use on the Mimecast platform.

The email security firm is working on a new OAuth-based authentication mechanism to connect Mimecast and Microsoft service platforms to further secure Mimecast Server Connections.

Mimecast also took several additional remediation measures after the security breach:

  • Rotated all impacted certificates and encryption keys.
  • Upgraded encryption algorithm strength for all stored credentials.
  • Implemented enhanced monitoring of all stored certificates and encryption keys.
  • Deployed additional host security monitoring functionality across all of our infrastructure.
  • Decommissioned SolarWinds Orion and replaced it with an alternative NetFlow monitoring system.
  • Rotated all Mimecast employee, system, and administrative credentials, and expanded hardware-based two-factor authentication for employee access to production systems.
  • Completely replaced all compromised servers.
  • Inspected and verified our build and automation systems to confirm that Mimecast-distributed executables were not tampered with.
  • Implemented additional static and security analysis across the source code tree.

The SolarWinds hackers

The threat actor behind the SolarWinds supply-chain attacks is tracked as UNC2452 (FireEye), StellarParticle (CrowdStrike), SolarStorm (Palo Alto Unit 42), Dark Halo (Volexity), and Nobelium (Microsoft).

While its identity remains unknown, a joint statement issued by the FBI, CISA, ODNI, and the NSA says that it is likely a Russian-backed Advanced Persistent Threat (APT) group.

Around the time Mimecast disclosed their breach, cybersecurity firm Malwarebytes also confirmed that the SolarWinds hackers could access some internal company emails.

Two weeks ago, SolarWinds revealed expenses of roughly $3.5 million through December 2020 from last year’s supply-chain attack. However, high additional costs are expected throughout the following financial periods.
