Hackers Compromise Mimecast Certificate for Secure Microsoft 365 Connections

Mimecast Confirms Breach Linked to SolarWinds Cyberattack

Mimecast, a cloud-based email security provider, disclosed on Tuesday that a “sophisticated threat actor” had compromised one of the digital certificates it issues for authenticating its products to Microsoft 365 Exchange. Microsoft notified Mimecast that the certificate had been compromised, and Mimecast has since contacted the affected organizations to begin remediation.

Mimecast has not said in detail which certificate was affected, but it issues a range of certificates, varying by geographic region, that customers use to establish the server connection to Microsoft 365. Roughly 10 percent of Mimecast’s customer base uses this connection, and the company’s early indications are that only a small number of those tenants were actually targeted.

Mimecast provides email security and continuity services for Microsoft Exchange and Office 365, filtering threats such as spam, malware and phishing. The certificate in question authenticates Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365 Exchange Web Services. Because the certificate is what proves that the connecting party is Mimecast, an adversary holding it could impersonate Mimecast to a customer’s tenant or mount a man-in-the-middle (MitM) attack: hijacking the connection, intercepting email and extracting sensitive data.

Mimecast has advised affected customers to delete their existing Microsoft 365 connection immediately and re-establish it using the replacement certificate the company has issued, so that the compromised certificate can no longer be used against their tenant. Mimecast says the change does not interrupt mail flow or the associated security scanning.
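A tenant-side check to pair with the reconnection step above. This is an added example, not code from the article or from Mimecast, and it rests on assumptions the article does not state: that the vendor’s integration authenticates to Microsoft 365 through a service principal in your own tenant that carries an X.509 certificate credential, that the vendor’s app display name starts with the string in `$DisplayNamePrefix`, and that `$CompromisedThumbprints` holds the SHA-1 thumbprints published in the vendor’s advisory (the value below is a placeholder, not a real thumbprint). It lists every certificate credential on the matching service principals and flags any that match a compromised thumbprint or have expired.

```powershell
#Requires -Modules Microsoft.Graph.Applications
<#
  Added example, not the article's or Mimecast's own code.
  Assumptions (not stated in the article):
    - the integration authenticates through a service principal in this tenant
      that carries an X.509 certificate credential;
    - $CompromisedThumbprints comes from the vendor's advisory
      (the default below is a placeholder, not a real thumbprint);
    - $DisplayNamePrefix is the vendor app's display name (assumed).
#>
param(
    [string[]]$CompromisedThumbprints = @('0000000000000000000000000000000000000000'),
    [string]$DisplayNamePrefix = 'Mimecast'
)

# Read-only scope: this script never modifies credentials, it only reports.
Connect-MgGraph -Scopes 'Application.Read.All'

# Service principals whose display name starts with the vendor prefix.
$sps = Get-MgServicePrincipal -Filter "startswith(displayName,'$DisplayNamePrefix')" -All

$findings = foreach ($sp in $sps) {
    foreach ($cred in $sp.KeyCredentials) {
        # Only certificate credentials matter here; password credentials are a separate list.
        if ($cred.Type -ne 'AsymmetricX509Cert') { continue }

        # CustomKeyIdentifier holds the certificate thumbprint as raw bytes; render it as hex.
        $thumb = ($cred.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join ''

        $status = if ($CompromisedThumbprints -contains $thumb) { 'COMPROMISED: remove and re-consent' }
                  elseif ($cred.EndDateTime -lt (Get-Date).ToUniversalTime()) { 'expired' }
                  else { 'ok' }

        [pscustomobject]@{
            ServicePrincipal = $sp.DisplayName
            AppId            = $sp.AppId
            Thumbprint       = $thumb
            NotAfter         = $cred.EndDateTime
            Status           = $status
        }
    }
}

$findings | Sort-Object Status | Format-Table -AutoSize

# Non-zero exit when a compromised certificate is still present, so the script
# can run as a scheduled check after the reconnection has been done.
if ($findings | Where-Object Status -like 'COMPROMISED*') { exit 1 }
```

One caveat: if the vendor’s app is multi-tenant and its certificate is registered on the application object in the vendor’s own tenant, the credential will not appear on the service principal in yours, and this check will report nothing. In that case the vendor-side reconnection is the control that matters, and the tenant-side review should instead confirm that no stale consent grants to the old connection remain.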

The investigation into the full impact of the breach is ongoing, and Mimecast says it is working with Microsoft and law enforcement. Reuters has reported that the Mimecast intrusion is linked to the SolarWinds hack, and that the same group that breached the U.S. software firm is believed to have carried it out.

In a later update, Mimecast confirmed the link to SolarWinds and told affected organizations, primarily in the U.S. and the U.K., to reset their credentials as a precaution. The investigation found that the threat actor accessed, and may have exfiltrated, encrypted service account credentials created by U.S. and U.K.-based customers. Those credentials are what link Mimecast to customers’ on-premises and cloud services, such as LDAP directories and Azure Active Directory.

Mapped to the MITRE ATT&CK framework, the activity described so far is consistent with initial access via Trusted Relationship (T1199), persistence through Valid Accounts (T1078) using the stolen certificate and service account credentials, and possibly privilege escalation from there, although these mappings are inferred rather than confirmed. The incident shows how an attacker who compromises a security vendor’s authentication material inherits that vendor’s access to every customer that trusts it.

The attack was not confined to Mimecast; it has been associated with breaches at other cybersecurity firms, which raises further questions about how resilient such vendors, and the customers who depend on them, really are. As the threat landscape grows more complex, robust security strategies, including tight control over third-party credentials and certificates, matter more than ever.
