UPDATE, Jan. 26, 2021: Mimecast, after an internal probe into the compromise of one of its authentication certificates, said in a blogpost released Tuesday that the threat actor is the same group behind the nation-state attack against SolarWinds.
The threat actor gained access to, and possibly exfiltrated, some encrypted service account credentials created by customers hosted in the U.S. and the U.K., the email security provider said.
Those credentials establish connections between Mimecast tenants and a number of on-premises and cloud services, including LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling and SMTP-authenticated delivery routes, according to the post.
Mimecast said it is not aware of those credentials having been decrypted or misused, but customers hosted in the U.S. and the U.K. should reset them as a precaution. The company said it has taken action to isolate and remediate the threat.
Dive Brief:
- A sophisticated attack that compromised a Mimecast authentication certificate comes weeks after the nation-state attack against SolarWinds Orion, and analysts warn it could further undermine trust in the U.S. IT supply chain.
- Mimecast, a provider of email security to thousands of customers worldwide, was hit by a sophisticated supply chain attack that compromised a certificate used by about 10% of its customer base to connect to Microsoft 365, according to Tuesday's regulatory filing by the company.
- The attack was highly significant as malicious actors were able to compromise legitimate software processes in order to infect customers of these companies, Jon Clay, director of global threat communications at Trend Micro, said via email.
Dive Insight:
The Mimecast attack represents the most recent of a series of sophisticated attacks that some analysts fear could raise further questions about the overall integrity of critical supply chain relationships.
"They have undermined the trust that was in place between customer and vendor and the processes in place to manage the collaboration between the two entities," Clay said. "While supply chain attacks are not new, we will likely see more investment by malicious actors in using this technique to gain access to a much larger set of victims than going after individual victims."
Microsoft recently informed Mimecast that a sophisticated threat actor had compromised a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor and IEP Products to Microsoft 365 Exchange Services, according to Mimecast.
"We can confirm that a certificate provided by Mimecast was compromised by a sophisticated actor," a Microsoft spokesperson said in a statement. "This certificate enables their customers to connect certain Mimecast applications to their M365 tenant."
The spokesperson said Microsoft will block the certificate starting Monday.
Such a certificate compromise can allow a malicious actor to eavesdrop on or infiltrate the target's Microsoft 365 Exchange Web Server, which would let the attackers extract confidential communications or other information, according to a blogpost by Venafi.
Beyond the immediate fear of a man-in-the-middle attack on intercepted communications, the incident has larger implications arising from stolen private keys and SSL certificates, according to Ax Sharma, senior security researcher at Sonatype.
"The stolen certificate and private key could easily have been used to cryptographically sign software binaries tainted with malicious code, with Mimecast's forged seal on it, to give off the impression that these were legitimate packages coming from the company," Sharma said via email.
This goes to the heart of what a software supply chain attack looks like, as was seen during the SolarWinds attack, Sharma said.
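The point made above, that a stolen private key lets an attacker sign tainted code that verifies exactly like the vendor's own, and that the relying party's only remedy is to block the certificate (as Microsoft said it would), can be shown end to end. The following is an added example written for this page; it is not code from Mimecast, Microsoft or the article's sources, and it says nothing about how the real Mimecast certificate or Microsoft's blocking works. It assumes an ECDSA P-256 self-signed certificate, a block list keyed on the SHA-256 fingerprint of the DER-encoded certificate, a made-up vendor name ("example-vendor") and constructed payload strings standing in for software packages.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 hash of the DER-encoded certificate, the kind of
// identifier a relying party keys a certificate block list on (assumption).
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Artifact is a "signed package": a payload plus an ECDSA P-256/SHA-256
// signature made with the private key behind the signer's certificate.
type Artifact struct {
	Payload   []byte
	Signature []byte
}

// Sign produces an Artifact. Whoever holds key can call this, vendor or thief;
// the signature carries no record of who pressed the button.
func Sign(key *ecdsa.PrivateKey, payload []byte) (Artifact, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Artifact{}, err
	}
	return Artifact{Payload: payload, Signature: sig}, nil
}

// Verify returns (sigOK, trusted). sigOK is pure cryptography: the signature
// matches the certificate's public key. trusted additionally requires that the
// certificate is not blocked. Key theft is invisible to the first check.
func Verify(cert *x509.Certificate, a Artifact, blocked map[string]bool) (sigOK, trusted bool) {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, false
	}
	digest := sha256.Sum256(a.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return false, false
	}
	return true, !blocked[Fingerprint(cert)]
}

// NewSelfSignedCert builds a throwaway certificate for the walkthrough. It is
// constructed here and has nothing to do with the real Mimecast certificate.
func NewSelfSignedCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Outcome records each verdict in the scenario.
type Outcome struct {
	GenuineSigOK, TaintedSigOK               bool // cryptographic check only
	TaintedTrustedBefore                     bool // before the certificate is blocked
	TaintedTrustedAfter, GenuineTrustedAfter bool // after it is blocked
}

// Scenario: the vendor signs a genuine release, an attacker holding the stolen
// key signs a tainted one, then the relying party blocks the certificate.
func Scenario() (Outcome, error) {
	var out Outcome
	cert, key, err := NewSelfSignedCert("example-vendor") // constructed identity
	if err != nil {
		return out, err
	}
	genuine, err := Sign(key, []byte("release-1.0.0 genuine build")) // constructed payload
	if err != nil {
		return out, err
	}
	tainted, err := Sign(key, []byte("release-1.0.1 with implant")) // same key, attacker's hands
	if err != nil {
		return out, err
	}
	open := map[string]bool{}
	out.GenuineSigOK, _ = Verify(cert, genuine, open)
	out.TaintedSigOK, out.TaintedTrustedBefore = Verify(cert, tainted, open)

	blocked := map[string]bool{Fingerprint(cert): true} // the "block the certificate" step
	_, out.TaintedTrustedAfter = Verify(cert, tainted, blocked)
	_, out.GenuineTrustedAfter = Verify(cert, genuine, blocked)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it shows both signatures verify and the tainted build is trusted until the fingerprint is blocked; after that the genuine build is rejected too, which is why a block has to be paired with issuing a new certificate and re-establishing the connection rather than standing alone.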
Mimecast said about 10% of its customers use the connection. Of those, a low single-digit number of customers' Microsoft 365 tenants were targeted, the company said. Those customers have already been contacted to remediate the problem.
"As a precaution we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we've made available," the company said in the statement. "Taking this action does not impact inbound or outbound mail flow or associated security scanning."
The company, founded in the U.K. in 2003, had more than 39,200 customers globally as of Sept. 20, 2020, and protected millions of employees of those companies, according to a filing with U.S. regulators.
Mimecast has retained a third-party forensics expert to help in the investigation and said it will work with law enforcement and Microsoft as appropriate.
The Wall Street Journal and Reuters have linked the attack to the suspected hackers behind the SolarWinds attack in December, but that link could not be independently confirmed. A spokesperson for the company described some of the recent coverage of the company as "speculative" and "sensational," but said the company would not provide any further comment beyond its official blog.