Posted on January 13, 2021 at 6:51 PM
Mimecast Certificate Compromised in Supply-Chain Attack
Email management provider Mimecast revealed that hackers have breached and used a digital certificate is issued to target select customers.
The company provided details in a report and said the affected certificate was utilized by 10% of its entire customer base, which is about 36,100 customers.
Hackers used sophisticated tools in the attack
According to the published post, the hackers used sophisticated tools in the breach, and they are likely targeting a select group of customers who may use the compromised certificate to encrypt Microsoft 365 data. The company said it was made aware of the hacking incident by Microsoft.
When threat actors breach certificates, it gives them access to read and modify encrypted data as the data moves over the internet.
But first, the threat actor must have access to the monitoring of connections moving over the target’s network for that to happen. Generally, certificate breach requires access to highly secured storage devices which store data encryption keys. Such type of access generally needs insider access or deep-level hacking.
Mimecast offers email security services that customers can use on their Microsoft 365 accounts to allow them setup connections to Mimecast’s servers.
The certificate is important for the verification and authentication of the connections directed to Mimecast’s Sync and Recover. These include content from Microsoft 365 mailboxes or Exchange on-premises, calendar content, and backup for mailbox folder structure).
Mass-based email security vendor Lexicon, stated that the authentication certificate of its Internal Email Project (IEP) has been compromised as well.
Mimecast’s stock price falls slightly
And it seems the news of the breach has affected the stock price of Mimecast, as it went down from $51.40 per share to $49 per share yesterday, representing a 4.67% fall. Data shows the current price is the lowest it has traded since December 15.
When approached for more information about the breach and whether the threat actors are the same SolarWinds attack group, Mimecast declined to answer questions.
However, CISO at Thycotic Terence Jackson revealed that the certificates breached were utilized by Mimecast email security products.
He added that the products usually provide security services by accessing the Microsoft exchange servers of the customers.
And because the certificates were authentic, it would be easier for a threat actor to connect without any suspicion from the target.
Vice president of Solutions Architecture at Cerberus Sentinel Chris Clements stated that there would be additional steps needed for the threat actor to breach sensitive information.
He stated that the threat actors may not have identified the exact use case and nature of the compromised certificate. He also said that the certificate was utilized to authenticate from Mimecast servers directly to Microsoft 365.
Threat actors may have disabled Office 365
Vice president of threat intelligence at Venafi Kevin Bocek, said the threat actors may have possibly disabled Office 36’s Mimecast security completely to make sure that the email-based attack is more potent.
It will enable the hackers to have access to mails hosted on Office 365, which could block some services like alerts and threat protection.
An investigation into the incident is ongoing
“The security of our customers is always our top priority,” Mimecast pointed out in its statement issued yesterday. The company further revealed that it has engaged the services of a third-party to carry out a proper investigation into the incident. It also said it’s working closely with law enforcement and Microsoft to find out everything possible about the breach and future prevention methods.
A Microsoft spokesperson said the compromised certificate allows Mimecast’s customers to link some Mimecast apps to their M365 tenant. Microsoft said the company has asked for the Mimecast applications to be blocked on Monday, January 18, pending when the issues have been rectified.
But Microsoft 365 customers who are not utilizing Mimecast are not affected by the breach. The attack is similar to the one carried out on the SolarWinds network a few weeks ago because both of the attacks involved the use of third-party software to locate the target. However, it’s not clear whether the attack has any link with the SolarWinds attacks.