Q&A: SolarWinds, Mimecast hacks portend intensified third-party, supply-chain compromises

By Byron V. Acohido

SolarWinds and Mimecast are long-established, well-respected B2B suppliers of essential business software embedded far-and-wide in company networks.


Thanks to a couple of milestone hacks disclosed at the close of 2020 and start of 2021, they will forever be associated with putting supply-chain vulnerabilities on the map.

Remember how the WannaCry and NotPetya worms signaled the trajectory of ransomware, which has since become an enduring, continually advancing operational hazard?

Similarly, the SolarWinds and Mimecast hacks are precursors of increasingly clever and deeply-damaging hacks of the global supply chain sure to come.

Supplier trojans

Quick recap: SolarWinds supplies the Orion platform to some 33,000 enterprises that use it to monitor and manage their entire IT stack. On Dec. 8, security vendor FireEye reported that it had been compromised by a state-sponsored adversary; then on Dec. 13, FireEye and Microsoft published this technical report, disclosing how the adversary got in: via trojan malware, dubbed Sunburst, carried in an Orion software update sent to FireEye.

SolarWinds subsequently disclosed to the SEC that threat actors inserted Sunburst into the Orion updates issued to customers between March and June 2020. The threat actors, it was noted, were careful not to tamper with Orion’s source code.

Their goal was to slip undetected into the networks of SolarWinds customers, like FireEye and some 18,000 other organizations that received and accepted the trojanized Orion version during that four-month period. The infected entities included the U.S. Treasury, the U.S. Department of Commerce and at least 425 of the U.S. Fortune 500.

Common logic suggests that the threat actors — who were backed by Russia, according to U.S. intelligence officials — had to have either stolen or spoofed the digital certificate SolarWinds used to authenticate the software updates in question.

For decades, the cornerstone of IT security has been Public Key Infrastructure, or PKI, a system that allows you to encrypt and sign data, issuing digital certificates that authenticate the identity of users. The bad guys, of course, know this; and they’ve put concerted effort into finding and exploiting anything that looks like a viable attack vector.
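The SolarWinds case shows the limit of a signature check on its own: a build trojanized before it reaches the signing step carries a perfectly valid signature from the publisher's own key. The Go example below is added here (it is not code from the article, SolarWinds or Orion) and uses a constructed sample payload and freshly generated keys; it verifies the publisher signature and then also compares the payload digest against a digest obtained independently of the update channel, which is the check that catches a validly signed but altered build.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Update is a hypothetical update package as an installer would receive it.
type Update struct {
	Payload   []byte // the update binary
	Signature []byte // publisher's detached signature over sha256(Payload)
}

// sign stands in for the publisher's release pipeline (constructed, not SolarWinds' own).
func sign(priv ed25519.PrivateKey, payload []byte) Update {
	d := sha256.Sum256(payload)
	return Update{Payload: payload, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyUpdate accepts an update only if (1) the publisher signature checks out and
// (2) the payload digest equals a digest obtained independently of the update channel
// (e.g. a reproducible build or a manifest fetched out of band). A build trojanized
// before signing passes (1) with the legitimate key and is caught only by (2).
func VerifyUpdate(pub ed25519.PublicKey, u Update, expectedHex string) (bool, string) {
	d := sha256.Sum256(u.Payload)
	if !ed25519.Verify(pub, d[:], u.Signature) {
		return false, "signature invalid: not signed by the trusted publisher key"
	}
	expected, err := hex.DecodeString(expectedHex)
	if err != nil || subtle.ConstantTimeCompare(d[:], expected) != 1 {
		return false, "signature valid but digest differs from the independently published build"
	}
	return true, "ok"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	clean := []byte("orion-update-v1 (constructed sample payload)")
	expected := sha256.Sum256(clean)
	fmt.Println(VerifyUpdate(pub, sign(priv, clean), hex.EncodeToString(expected[:])))
	// Same legitimate key, but the payload was altered before signing: signature is valid.
	trojanized := append(append([]byte{}, clean...), []byte(" + injected backdoor")...)
	fmt.Println(VerifyUpdate(pub, sign(priv, trojanized), hex.EncodeToString(expected[:])))
}
```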

The big security challenge today is that large enterprises are rushing headlong to capture the benefits of agility and flexibility that cloud computing and edge-less networks offer. And in doing so, they are, at the same time, expanding the attack surface exponentially.

Certificate compromises

The Mimecast hack gave us a glimpse of threat actors innovating to take full advantage of fresh opportunities to maliciously manipulate digital certificates. Mimecast supplies email security systems to some 36,100 companies, many of whom have now migrated to Office 365 or G Suite.

On Jan. 12, the company disclosed that a Mimecast digital certificate relating to Microsoft 365 Exchange Web Services had been “compromised by a sophisticated threat actor.” The hacked certificate was designed to verify and authenticate connections made to Mimecast’s Sync and Recover service, which automatically creates backups for email, calendar items and contacts.

By either stealing or spoofing Mimecast’s certificate, these threat actors cleverly put themselves in a position to gain access to inbound and outbound mail flows, intercept that traffic, and possibly infiltrate Mimecast’s customers’ Microsoft 365 Exchange Web Services, as well.

SolarWinds and Mimecast, much like WannaCry and NotPetya, are wake-up calls. Where we go from here remains to be seen. Last Watchdog had a lively discussion with Evan Dornbush, co-founder and CEO of Point3 Security, a supplier of gamified cybersecurity training and talent screening, about the going-forward implications. Here are excerpts edited for clarity and length.

LW: What do these hacks tell us about how companies are relying more so than ever on digital certificates – and whether they’re doing enough to keep their keys and certificates secure?

Dornbush: The big takeaway is that third-party risk is real and not likely to be measurable via a standard form or checklist. If you don’t have your own set of trusted personnel, you can vet a vendor’s processes, products, and people all day long but not get any closer to assessing the impact to your organization.

LW: What do these two high-profile disclosures tell us about the state of supply chain cyber exposures in today’s world?

Dornbush: The modern business tends to outsource increasing amounts of corporate assets. Web site hosting, mobile application development, email services, incident response, firewall monitoring, the list goes on and on. Businesses are targetable entities. The more vendors your company leverages, theoretically the more attack surface you have to account for. This is a bit scary because it is relatively easy to measure the costs and benefits under an assumption that these offerings provide a service. It’s harder to measure the costs if the service provider cannot maintain the service as expected.

LW: What trajectory do we seem to be on, with respect to supply chain exposures, generally, and digital certificate vulnerabilities, specifically?

Dornbush: Supply chain will remain a popular avenue because the attackers focus on the path of least resistance. In the physical world, attackers often opt for an ages-old ‘evil maid’ vector taking advantage of the fact that the support staff has trust and access but might not be trained, paid, or loyal enough to protect the employer. In a year already starting off with vast ideological differences, any employee, customer, or third-party service provider can be an ‘evil maid.’

LW: What positive security improvements are underway that will help blunt the trajectory of attacks like these?

Dornbush: When a flaw in a particular product is found, there is so much punditry, but what gets lost in the noise is that defense in depth is still a valid philosophy. Network segmentation and multiple layers of encryption might have perturbed the attackers in some of the more recent high profile hacks. The amount of interest in cybersecurity from today’s young people to take on this challenge is highly encouraging. At the end of the day, it’s your people who are there to assess the risk posed by external software and service providers. Your people make all the difference.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
