Mimecast bins SolarWinds and compromised servers alike in wake of supply chain hack
Signs up for Cisco, says some encrypted creds were stolen
Email security biz Mimecast has dumped SolarWinds' network monitoring tool in favour of Cisco's Netflow product after falling victim to the infamous December supply chain attack.
In an incident report detailing its experiences of the SolarWinds compromise, Mimecast said it had "decommissioned SolarWinds Orion and replaced it with an alternative NetFlow monitoring system".
On top of that, the email security firm also junked a number of "compromised" servers, while admitting that the potentially Russian attackers had "accessed a subset of email addresses and other contact information", "customer server connection information", and "encrypted and/or hashed and salted credentials" as well as viewing source code repositories and Mimecast-issued certificates.
Hacked by SolarWinds backdoor masterminds, Mimecast now lays off staff after profit surgeREAD MORE
"We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers," insisted the US-headquartered firm. It added that it had previously warned US and UK customers that the malicious people behind the hack had potentially accessed certain server connection credentials: "These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes."
Having cleaned up the compromise with the aid of Mandiant, FireEye's incident response arm (and the first org to realise what had happened), Mimecast said it had rotated "all impacted certificates and encryption keys, deployed extra monitoring and verified its build systems".
The incident report laid out how much hassle the SolarWinds attackers caused. In addition, the loss of Mimecast as a customer won't have helped SolarWinds' cause. As the first major enterprise to confirm that it has junked SolarWinds in the wake of the supply chain attack, Mimecast could potentially lead the way for others to migrate from the beleaguered infrastructure monitoring 'n' management company.
Among SolarWinds' 18,000 Orion customers were various governments around the world, including the United Kingdom.
Govt impact of Solarwinds? It won't say
The UK government has steadfastly refused to answer The Register’s questions about the extent and impact of the SolarWinds compromise, even though it is public knowledge that some ministries and agencies were (and are) using Orion in their networks.
UK Cabinet Office spokesman tells House of Lords: We're not being complacent about impact of SolarWinds hackREAD MORE
It’s a policy decision not to talk about cyber security: even people charged with formally overseeing UK.gov have been told to bugger off and shut up whenever they’ve asked similar questions.
The National Cyber Security Centre, which doubles as the goalkeeper for other government departments whenever journalists start asking IT security questions, merely said it was "working closely with FireEye and international partners" – much as it stayed silent on the Hafnium Microsoft Exchange attacks until late last Friday afternoon. Even then it said nothing that the US hadn't already been bellowing from the heavens for a fortnight.
While the British government has publicly stuck its head into the sand, the leaders of the free world have been open and voluble about the SolarWinds compromise's effects. At least the American taxpayer knows where their dollars are being spent – and precisely how effective that spending is, too. ®