Hacked by SolarWinds backdoor masterminds, Mimecast now lays off staff after profit surge

Plus: British Mensa in data leak blunder, DARPA are Star Wars fans, Sonicwall patch out, and more


In brief Email security biz Mimecast not only fell victim to the SolarWinds hackers, leading to its own customers being attacked, it is also trimming its workforce amid healthy profits.

Last month Mimecast revealed that one of its cryptographic certificates was purloined by the same team that smuggled a hidden backdoor into SolarWinds' Orion network monitoring software.

Mimecast offers security services that plug into Microsoft 365 accounts, and someone with that certificate could therefore tap into Mimecast-Microsoft customer connections and steal information. What kind of info? Encrypted login details for Microsoft services, for instance. Here's how Mimecast put it:

The threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.

Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the United States and United Kingdom to take precautionary steps to reset their credentials.

It added:

Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor.

A new certificate has been issued. Connections by one in ten of Mimecast's 36,000 customers were at risk, we're told, and fewer than 10 were specifically targeted as a result of the hack. Those clients have been alerted.

In its third-quarter financial results for its 2021 fiscal year, released this week, Mimecast announced its profits had exploded to $10.8m, up from $200,000 a year ago. It also highlighted big customer wins during the period, which spans the three calendar months to December 31. Amid all this, Mimecast will be trimming its staff by four per cent, costing it $3.7m in restructuring.

"The company is also announcing that its Board of Directors approved a restructuring plan designed to align the company’s resources with its strategy," it said. "The restructuring plan, which includes a reduction of the company’s workforce by approximately 4 per cent, will permit the company to increase investment in strategic growth areas."

The brain boxes at British Mensa this week said they have investigated claims they've been hacked, and while their database of high-IQ members was not broken into, the website did suffer a SNAFU. "In the interests of transparency, we can confirm that there have been two separate incidents where limited personal data of a few members and officers of Mensa has been exposed for a short period of time in the forum area of our website," the org said in a statement. "Detail of these incidents have been passed to the Information Commissioner’s Office and we are continuing to liaise with them."

The group's website is down at the moment as a result of that probe, and is expected to return online early next week.

Apropos of nothing, the name of the chairman of British Mensa? Chris Leek.

Sonicwall fixes its firmware zero-day flaw

As we reported last week, Sonicwall's Secure Mobile Access (SMA) 100 Series boxes have a vulnerability that can be exploited by anyone who can reach them to hijack the gear, and now it's time to get patching. Because patches are now available.

"All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation," it warned. If you have one of the following with firmware 10.x, you need to apply a security update: SMA 200, SMA 210, SMA 400, or SMA 410 physical boxes, or a virtual SMA 500v system on Azure, AWS, ESXi, or HyperV.

The biz said it was alerted to the hole by security shop NCC Group on January 31. US-CERT has also issued an advisory, telling people to patch as soon as possible.

Some Raspberry Pi owners are a little miffed that the organization added a Microsoft package repo entry to its Debian-based operating system. The repo entry is included so that Visual Studio Code, an IDE recommended by the Pi foundation, can be installed from a single apt command. However, it also means checking for updates of any packages on a system will ping Microsoft's servers, even if VSC isn't installed, which some think is a step too far.

The foundation's staff don't see this as a problem because it simplifies the install of the IDE. If you don't like this arrangement, here are some ways to avoid checking Microsoft's repo during package updates.

Someone in the US military really likes Star Wars

The research wing of the US military, DARPA, has released the results of its reward program for vulnerability finders, dubbed the Finding Exploits to Thwart Tampering Bug Bounty, or FETT.

One goal of FETT was to check the effectiveness of DARPA's System Security Integration Through Hardware and Firmware (SSITH) project, using a mix of their own penetration testers and independents from security org Synack. Your humble vulture think it's safe to say the DARPA crew aren't Trekkies.

The three-month bounty program found 10 valid vulnerabilities in SSITH technology – a collection of microprocessors and software stacks from Lockheed Martin, MIT, and the like – seven of them critical and three high risk on the CVSS scale. Four have been patched, and work is underway on the rest.

“Knowing that virtually no system is unhackable, we expected to discover bugs within the processors but FETT really showed us that the SSITH technologies are quite effective at protecting against classes of common software-based hardware exploits,” said Keith Rebello, the DARPA program manager leading SSITH and FETT.

“The majority of the bug reports did not come from exploitation of the vulnerable software applications that we provided to the researchers, but rather from our challenge to the researchers to develop any application with a vulnerability that could be exploited in contradiction with the SSITH processors’ security claims. We’re clearly developing hardware defenses that are raising the bar for attackers.”

Beware SolusVM Debian, it might not be secure

Linux hosting provider RackNerd has warned that VPS customers running the Debian 10 template provided by SolusVM may be vulnerable to potential abuse. The Los Angeles-based hosting biz has found that the Debian 10 template from the SolusVM TDN, offered as an alternative to the more onerous manual installation process, creates an unexpected user account.

“When SolusVM’s team initially created the Debian 10 template and published it on the TDN, they failed to remove the default installation user ‘debianuser’ prior to creating the OS template based upon that installation,” the firm explained in an email to affected customers. “This resulted to two users being active on VPS’s deployed on this template, ‘root’ and ’debianuser.’

”The notice follows reports from other hosting providers like Florida-based Hosthatch that they’ve detected compromised “’debianuser” accounts in VMs running Debian from a SolusVM template. A discussion of the issue cites a Chinese blog post complaining about a similar VPS compromise at GreenCloudVPS last October that led the account to find a Monero mining program running without authorization on the “debianuser” account.

Among those discussing the vulnerability, it’s been suggested that the “debianuser” account has a weak default password, and may come with “sudo” installed, itself recently found to be vulnerable. Plesk, which oversees SolusVM, did not immediately respond to a request for comment.

Security begins at school

With schools suffering ever more ransomware infections as crims go after easy targets, IBM has put forward $3m in funding to see if the situation can be improved.

In December, the FBI warned about the increasing prevalence of attacks against schools, and so Big Blue commissioned a survey to identify where the weaknesses are. The results weren't great: more than half of teachers haven't had any computer security training, and 60 per cent of all staff weren't aware of security alerts about remote learning.

As a result Big Blue is offering six $500,000 grants to schools to get their security practices up to speed, and the program may be rolled out further based on the success or failure of the initial handouts. Schools have until March 1 to apply.

Cops can't get into crook's $60m BTC wallet

A convicted fraudster who surreptitiously installed cryptomining software on people's PCs has left German police stumped. The man has served his sentence for his crimes – a two-year stretch behind bars – and consistently refused to hand over the password for his Bitcoin wallet where it's assumed he kept his ill-gotten gains. With Bitcoin's current price surge, that wallet is now thought to contain more than $60m in digital cash, and the plod can't open it.

“We asked him but he didn’t say,” prosecutor Sebastian Murer told Reuters on Friday. “Perhaps he doesn’t know.”

Nevertheless, the criminal won't be getting his Bitcoin wallet back, the local cops claim: police have seized it, and continue to try to find a way to access the funds. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021