Security vendors Fidelis, Mimecast, Palo Alto Networks, and Qualys revealed that were also impacted by SolarWinds supply chain attack
The SolarWinds supply chain attack is worse than initially thought, other security providers, confirmed that they were also impacted. Mimecast, Palo Alto Networks, Qualys, and Fidelis confirmed to have installed tainted updates of the SolarWinds Orion app.
Mimecast was the first security provider of the above ones that disclosed a major security breach, it revealed that threat actors compromised its internal network and leveraged digital certificates used by one of its products to access the Microsoft 365 accounts of some of its customers.
“Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor.” reads the announcement published by Mimecast.
“Approximately 10 percent of our customers use this connection. Of those that do, there are indications that a low single digit number of our customers’ M365 tenants were targeted.”
Today, Mimecast published a new update to confirm that the incident was linked to the SolarWinds supply chain attack that resulted in the installation of tainted SolarWinds updates on its systems.
“Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor.” reads the update.
“Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom.”
Security experts from security firm NETRESEC revealed this week that security provider Qualys was also a victim of the SolarWinds attack.
Qualys confirmed to the media that a malicious version of the Orion software infected its systems.
Below the list of other impacted organizations shared by the experts:
- central.pima.gov (confirmed)
- cisco.com (confirmed)
- corp.qualys.com (confirmed)
- coxnet.cox.com (confirmed)
- ddsn.gov
- fc.gov
- fox.local
- ggsg-us.cisco.com (confirmed)
- HQ.FIDELIS (confirmed)
- jpso.gov
- lagnr.chevrontexaco.net
- logitech.local
- los.local
- mgt.srb.europa* (confirmed)
- ng.ds.army.mil
- nsanet.local
- paloaltonetworks* (confirmed)
- phpds.org
- scc.state.va.us (confirmed)
- suk.sas.com
- vgn.viasatgsd.com
- wctc.msft
- WincoreWindows.local
The above list includes Fidelis Cybersecurity and Palo Alto Networks, the former confirmed that attack but pointed out that attackers did not were able to deploy the second-stage payload.
Palo Alto Networks representative told Forbes that it detected two SolarWinds-linked incidents that took place in September and October 2020.
“Palo Alto said its own tools detected the malware by looking at its anomalous behavior, and so it was blocked.” reported Forbes. “Our Security Operation Center then immediately isolated the server, initiated an investigation and verified our infrastructure was secure. Additionally, at this time, our SOC notified SolarWinds of the activity observed. The investigation by our SOC concluded that the attempted attack was unsuccessful and no data was compromised,” the company said.
Other security firms that were impacted in the SolarWinds supply chain attack are FireEye, Microsoft, CrowdStrike (attackers were not able to breach the security firm), and Malwarebytes (company hacked by SolarWinds attackers in a separate incident).
To read the original article:
https://securityaffairs.co/wordpress/113893/security/solarwinds-hack-security-providers.html