A threat actor compromises a Mimecast certificate

Posted 19/01/2021

The email security provider Mimecast has reported that one of the certificates it issues to authenticate its Mimecast Sync and Recover, Continuity Monitor and IEP (Internal Email Protect) products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor.

Mimecast has confirmed that only around 10% of its customers use this type of connection, and that fewer than ten of those customers appear to have been targeted by the threat actor.

As a countermeasure, Mimecast has asked customers using the affected products to delete the existing connection in their Microsoft 365 tenant and re-establish it with a new certificate issued by Mimecast.
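After a vendor certificate is revoked and re-issued, an administrator will want to confirm that the old credential is actually gone from the tenant and that the replacement is in place. The script below is an added example and is not code from Mimecast or from this article. It assumes the vendor connection appears in Azure Active Directory as an X.509 certificate credential on an enterprise application (service principal), which the article does not confirm for Mimecast's specific integration; the thumbprint parameter is a placeholder for a value the reader supplies, not a real Mimecast certificate. It uses the Microsoft Graph PowerShell SDK and only reads, never removes, credentials.

```powershell
# Added example, not from the Mimecast advisory or this article.
# Assumes: Microsoft Graph PowerShell SDK installed and a role granting
# Application.Read.All. Lists every service principal that authenticates
# with an X.509 certificate so an admin can verify a retired certificate is
# no longer present and see which credentials predate the rotation.

param(
    # Hypothetical placeholder: the SHA-1 thumbprint (hex, no spaces) of the
    # certificate you expect to be gone. Not a real Mimecast thumbprint.
    [string]$RetiredThumbprint = "",
    # Certificate credentials added before this date are flagged for review.
    # Default is the date of the original report; adjust to your own rotation.
    [datetime]$ReviewBefore = (Get-Date "2021-01-19")
)

Connect-MgGraph -Scopes "Application.Read.All"

$findings = foreach ($sp in Get-MgServicePrincipal -All -Property "id,displayName,appId,keyCredentials") {
    foreach ($key in $sp.KeyCredentials) {
        # Password/secret credentials live elsewhere; only certificates matter here.
        if ($key.Type -ne "AsymmetricX509Cert") { continue }

        # CustomKeyIdentifier carries the certificate thumbprint as raw bytes.
        $thumb = ""
        if ($key.CustomKeyIdentifier) {
            $thumb = ($key.CustomKeyIdentifier | ForEach-Object { $_.ToString("X2") }) -join ""
        }

        $flag = ""
        if ($RetiredThumbprint -and $thumb -eq $RetiredThumbprint.ToUpper()) {
            $flag = "RETIRED CERT STILL PRESENT"
        } elseif ($key.StartDateTime -and $key.StartDateTime -lt $ReviewBefore) {
            $flag = "predates rotation, review"
        }

        [pscustomobject]@{
            ServicePrincipal = $sp.DisplayName
            AppId            = $sp.AppId
            KeyId            = $key.KeyId
            Thumbprint       = $thumb
            Added            = $key.StartDateTime
            Expires          = $key.EndDateTime
            Flag             = $flag
        }
    }
}

# Flagged entries sort to the top; an empty Flag column means nothing to act on.
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it once before the rotation to capture the thumbprint of the credential being replaced, and again afterwards: the retired thumbprint should no longer appear, and the only credential for the vendor's service principal should have an Added date after the rotation. Removing a stale credential is deliberately left out, since the removal steps belong to the vendor's own instructions for the affected product.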

Microsoft and law enforcement are currently investigating the incident.

[Update 16/03/2021]

Following completion of the forensic investigation carried out by Mandiant, Mimecast has reported that the incident was the work of the same threat actor behind the SolarWinds cyberattacks.

The initial access vector into Mimecast's IT network was the SolarWinds Orion software supply chain: Mimecast was running the trojanised Orion software carrying the SUNBURST backdoor.

Moving through the compromised Windows environment, the threat actor gained access to a subset of email addresses, other contact information and encrypted and/or hashed and salted credentials for customer accounts hosted in the United States and the United Kingdom. These are the credentials used for connections from Mimecast tenants to customers' on-premises and cloud services (LDAP, Azure Active Directory, Exchange Web Services, etc.). The actor also downloaded a limited number of Mimecast source code repositories.

There is no evidence that the threat actor accessed customers' email or file content, nor that the source code was modified or that the access has any impact on Mimecast's products.

All compromised servers, which were peripheral to Mimecast's core IT infrastructure rather than part of it, have now been replaced; the affected hashed and salted credentials have been reset; and the downloaded source code continues to be analysed and monitored for signs of misuse.