IOTW: Another Solarigate Target Identified by Microsoft

Seth Adler
01/22/2021

Mimecast is the latest company added to the list of organizations affected by the SolarWinds compromise, now being dubbed Solarigate.

Facts

During its investigation into the SolarWinds compromise, Microsoft identified and notified yet another victim. Mimecast is a cloud-based email management service that layers security, archiving and other functions onto the Office 365 platform. Mimecast estimates that about 10% of its 36,000 customers use the certificate-based connection to Microsoft 365 that was compromised and are therefore potentially affected. According to Mimecast, only a low single-digit number of those customers were actually targeted. Who those targets were has not been disclosed, but the small number suggests that the Russian operatives behind Solarigate are picking specific high-value victims. On January 12, Mimecast released this guidance to affected customers:


“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available. Taking this action does not impact inbound or outbound mail flow or associated security scanning.

The security of our customers is always our top priority. We have engaged a third-party forensics expert to assist in our investigation, and we will work closely with Microsoft and law enforcement as appropriate.”
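For a tenant administrator, the guidance above reduces to one question: which service principals still hold the compromised certificate? As an added example (not Mimecast's or Microsoft's code), the following Python script answers it offline from an export of the Microsoft Graph servicePrincipals collection, in which a certificate credential's SHA-1 thumbprint appears base64-encoded in keyCredentials[].customKeyIdentifier. The thumbprint, application names and GUIDs below are constructed placeholders, not the real Mimecast certificate.

```python
import base64
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed placeholder: SHA-1 thumbprint (hex) of the certificate to hunt for.
# It is NOT the real Mimecast certificate; substitute the value from the advisory.
COMPROMISED_THUMBPRINT = "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"


def normalize_thumbprint(thumbprint: str) -> str:
    """Accept 'a1:b2:..', 'a1 b2 ..' or plain hex and return upper-case hex."""
    return "".join(ch for ch in thumbprint if ch.isalnum()).upper()


def thumbprint_to_key_identifier(thumbprint: str) -> str:
    """Graph exposes a certificate credential's SHA-1 thumbprint as the raw
    thumbprint bytes, base64-encoded, in keyCredentials[].customKeyIdentifier."""
    return base64.b64encode(bytes.fromhex(normalize_thumbprint(thumbprint))).decode()


def key_identifier_to_thumbprint(custom_key_identifier: str) -> str:
    """Inverse of thumbprint_to_key_identifier, for values read from an export."""
    return base64.b64decode(custom_key_identifier, validate=True).hex().upper()


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps Graph returns into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Constructed export shaped like GET /v1.0/servicePrincipals?$select=id,displayName,keyCredentials.
# Display names and GUIDs are hypothetical.
GRAPH_EXPORT = {
    "value": [
        {
            "id": "11111111-1111-1111-1111-111111111111",
            "displayName": "Example Mail Sync Connector",
            "keyCredentials": [{
                "keyId": "aaaaaaaa-0000-0000-0000-000000000001",
                "type": "AsymmetricX509Cert", "usage": "Verify",
                "customKeyIdentifier": thumbprint_to_key_identifier(COMPROMISED_THUMBPRINT),
                "endDateTime": "2022-06-30T00:00:00Z",
            }],
        },
        {
            "id": "22222222-2222-2222-2222-222222222222",
            "displayName": "Unrelated Backup App",
            "keyCredentials": [{
                "keyId": "bbbbbbbb-0000-0000-0000-000000000002",
                "type": "AsymmetricX509Cert", "usage": "Verify",
                "customKeyIdentifier": thumbprint_to_key_identifier("FFEEDDCCBBAA99887766554433221100FFEEDDCC"),
                "endDateTime": "2023-01-01T00:00:00Z",
            }],
        },
        {"id": "33333333-3333-3333-3333-333333333333", "displayName": "Secret-only App", "keyCredentials": []},
    ]
}


def find_credentials_for_thumbprint(export: dict, thumbprint: str, now: Optional[datetime] = None) -> list:
    """Return every (service principal, keyId) pair still carrying the given certificate.

    Each hit records whether the credential has already expired; an unexpired hit is a
    live authentication path that must be revoked, not merely left to age out.
    """
    wanted = normalize_thumbprint(thumbprint)
    now = now or datetime.now(timezone.utc)
    hits = []
    for sp in export.get("value", []):
        for cred in sp.get("keyCredentials") or []:
            ident = cred.get("customKeyIdentifier")
            if not ident:
                continue
            try:
                found = key_identifier_to_thumbprint(ident)
            except ValueError:  # malformed identifier (binascii.Error is a ValueError)
                continue
            if found != wanted:
                continue
            end = cred.get("endDateTime")
            expired = bool(end) and parse_time(end) < now
            hits.append({"servicePrincipalId": sp["id"], "displayName": sp.get("displayName"),
                         "keyId": cred["keyId"], "expired": expired})
    return hits


if __name__ == "__main__":
    print(json.dumps(find_credentials_for_thumbprint(GRAPH_EXPORT, COMPROMISED_THUMBPRINT), indent=2))
```

Run it against the real export with the thumbprint from the vendor advisory. Every hit whose expired flag is false is a live path into the tenant and should be revoked before the connection is re-created with the new certificate; the script also tolerates thumbprints pasted with colons or spaces, which is how most consoles display them.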


In the previously reported Solarigate intrusions, SolarWinds' Orion network management software served as the trojan horse: malicious code was pushed to customers inside legitimate updates and patches. Mimecast, however, no longer uses SolarWinds products, which raises a new question. Did the attackers gain their foothold through Mimecast's past use of SolarWinds, or through an entirely separate route? Either way, the tooling and tradecraft of the intrusion leave investigators confident that the same group carried it out.

Specifically, CPO Magazine reports, “Earlier, SolarWinds hackers were found capable of compromising the Security Assertion Markup Language (SAML) signing certificate to generate authentication tokens for Microsoft’s cloud platform.

The cybercrime gang used the obtained credentials to authenticate on Microsoft Active Directory Domain Services to escalate privileges on the Domain Controller and spread laterally across the entire corporate network.”

Government and private sector entities hit by the SolarWinds hackers were also breached using similar tactics.
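The technique quoted above, forging SAML tokens with a stolen federation signing key, has a well-known detection signature: the cloud side records a federated token it accepted, but the federation server never logged issuing one. As an added example (not CPO Magazine's, Microsoft's or any vendor's code), this Python script correlates constructed Azure AD-style sign-in records with constructed AD FS audit events (event ID 1200, "token issued") and also flags assertions with implausibly long lifetimes, another hallmark of forged tokens. The field names, the sample records and the 10-minute correlation window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADFS_TOKEN_ISSUED = 1200  # AD FS Security-log event: the Federation Service issued a valid token

# Constructed sample data, not real telemetry. Field names are simplified stand-ins for
# an Azure AD sign-in export (tokenIssuerType separates federated tokens from native
# Azure AD sign-ins) and for AD FS audit events.
CLOUD_SIGNINS = [
    {"user": "alice@example.com", "time": "2021-01-12T09:00:30Z",
     "tokenIssuerType": "ADFederationServices", "assertionLifetimeMinutes": 60},
    {"user": "bob@example.com", "time": "2021-01-12T09:05:10Z",
     "tokenIssuerType": "ADFederationServices", "assertionLifetimeMinutes": 60},
    {"user": "admin@example.com", "time": "2021-01-12T03:14:00Z",
     "tokenIssuerType": "ADFederationServices", "assertionLifetimeMinutes": 525600},
    {"user": "carol@example.com", "time": "2021-01-12T10:00:00Z",
     "tokenIssuerType": "AzureAD", "assertionLifetimeMinutes": None},
]
ADFS_EVENTS = [
    {"eventId": 1200, "user": "alice@example.com", "time": "2021-01-12T09:00:25Z"},
    {"eventId": 1202, "user": "bob@example.com", "time": "2021-01-12T06:04:55Z"},
    {"eventId": 1200, "user": "bob@example.com", "time": "2021-01-12T06:05:00Z"},  # hours before his cloud sign-in
    # admin@example.com: the cloud accepted a token AD FS never issued
]


def parse_time(ts: str) -> datetime:
    """Parse ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspicious_federated_signins(signins, adfs_events,
                                      window=timedelta(minutes=10),
                                      max_lifetime=timedelta(hours=1)):
    """Flag federated cloud sign-ins with no matching AD FS issuance event in the
    preceding window, and assertions whose lifetime exceeds the IdP's policy."""
    issued = defaultdict(list)
    for ev in adfs_events:
        if ev["eventId"] == ADFS_TOKEN_ISSUED:
            issued[ev["user"].lower()].append(parse_time(ev["time"]))

    findings = []
    for s in signins:
        if s.get("tokenIssuerType") != "ADFederationServices":
            continue  # not a federated token; out of scope for this check
        when = parse_time(s["time"])
        reasons = []
        if not any(when - window <= t <= when for t in issued.get(s["user"].lower(), [])):
            reasons.append("no AD FS token-issued event (1200) within %d min" % (window.total_seconds() // 60))
        lifetime = s.get("assertionLifetimeMinutes")
        if lifetime is not None and timedelta(minutes=lifetime) > max_lifetime:
            reasons.append("assertion lifetime %d min exceeds policy" % lifetime)
        if reasons:
            findings.append({"user": s["user"], "time": s["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_federated_signins(CLOUD_SIGNINS, ADFS_EVENTS):
        print(f["time"], f["user"], "; ".join(f["reasons"]))
```

Two caveats apply in practice. Event 1200 is only written when AD FS auditing is enabled and the clocks of the federation servers and the cloud logs must agree, so absent events should be checked against logging gaps first. And an attacker who controls the AD FS server can fabricate audit events as easily as tokens, so a clean correlation is evidence, not proof; if the signing key is suspected stolen, the token-signing certificate has to be rolled rather than merely watched.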

The Department of Homeland Security recently warned that the hackers were using strategies beyond the Orion trojan horse to break into networks, including password guessing and poorly secured administrative credentials. In one case, the attackers came in through a third-party vendor that resells Microsoft's cloud-based software and used that access to try to read CrowdStrike Inc.'s email; CrowdStrike says the attempt was unsuccessful. Microsoft warns that third-party vendors remain a target for the Solarigate hackers.


Lessons Learned

As the list of victims continues to grow in what is one of the largest cyber attacks ever to hit the United States, it is increasingly important for corporations and government agencies to take additional security measures. Basic best practices alone are no longer enough. Ongoing user training and testing, combined with current detection and response technology, help close the gaps that standard controls leave open.

Until enough organizations take heed and deploy such measures, attackers will only grow bolder, and intrusions on the scale of the SolarWinds hack will become more common.
