Mimecast, Palo Alto Networks, Qualys, and Fidelis affected by SolarWinds supply-chain attack

Security vendors Fidelis, Mimecast, Palo Alto Networks, and Qualys confirmed that they were also impacted by the widespread SolarWinds hack, adding to the growing list of organizations known to have installed malicious versions of the SolarWinds Orion app.

This week, Mimecast, a secure email provider, confirmed it had been targeted by the SolarWinds hackers. In mid-January, the vendor disclosed a security incident in which “a sophisticated threat actor” compromised one of its digital certificates and used it to gain access to some of the company's clients' Microsoft 365 accounts.

In an update posted on Tuesday, the company said it has found evidence that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor.

“Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes,” Mimecast said.

While Mimecast is not aware of any of the encrypted credentials having been decrypted or misused, it recommends that users hosted in the US and the UK reset their passwords.

According to researchers at security firm NETRESEC, the security provider Qualys was also a victim of the SolarWinds attack. Qualys has confirmed to the media that it did find trojanized Orion software on its systems, but said that impact was limited.

“Qualys engineers downloaded the vulnerable/malicious SolarWinds Orion tool in our lab environment for testing, which is completely segregated from our production environment. Qualys’ in-depth investigations have concluded that there was no successful exfiltration of any data, even though the test system attempted to connect to the associated backdoor,” the company’s spokesperson told Forbes.

A Palo Alto Networks representative told the paper that the company detected two SolarWinds-linked incidents in September and October last year. Palo Alto said its own tools detected the malware by its anomalous behavior, and it was blocked.

Another cybersecurity firm, Fidelis, has confirmed it was a target in the SolarWinds attacks. The company said that while it doesn’t use SolarWinds Orion software to manage its corporate systems, it tests all kinds of software for compatibility with its products. An investigation revealed that in May the company had installed an evaluation copy of the trojanized SolarWinds Orion software on one of its test machines, isolated from its core network.

“Though we have not identified any evidence to date that the SolarWinds compromise has impacted our networks, we will continue to investigate potential impacts using our own tooling much like we recommend our customers do,” Fidelis’ CISO Chris Kubic said in a blog post.

Last week, US cybersecurity firm Malwarebytes revealed it was targeted by the same threat actor who hacked IT software company SolarWinds last year. Malwarebytes said the intrusion was not related to SolarWinds software but rather to another attack vector that involves abusing applications with privileged access to Microsoft Office 365 and Azure environments.
