Suspected Russian hackers blamed for the worst supply chain attack breached email security provider Mimecast and affected a subset of its customers, the company said.
Although Mimecast did not associate the breach with the state-sponsored SolarWinds hackers, three cybersecurity researchers with knowledge of the matter, speaking on condition of anonymity, confirmed the link to Reuters.
Additionally, the techniques and procedures used to breach the email security company were consistent with the activity of the SolarWinds hackers.
Mimecast said that Microsoft security experts notified the company about “a sophisticated threat actor” that hijacked its certificates used to connect to Mimecast customers’ Microsoft 365 Exchange products.
Mimecast products include anti-phishing email security tools capable of detecting malicious links and false identities. The breach adds to the growing list of victims and expanding attack vectors exploited by advanced persistent threat actor APT29.
Email Security Provider Mimecast Confirmed Breach, Reuters Blames SolarWinds Hackers
Mimecast said that 10% of its 36,000-customer base was affected by the certificate compromise. However, the email security provider estimated that the SolarWinds hackers were targeting only a “low single-digit number” of those Microsoft 365 tenants.
Threat actors hijacked the certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products for customers’ Microsoft 365 Exchange web services.
“As a precaution, we ask the subset of Mimecast customers using this certificate-based connection to immediately remove the existing connection within their M365 tenant and reestablish a new certificate-based connection using the new certificate that we have made available,” said the company in a statement posted online.
Although she declined to comment further, Mimecast spokeswoman Laura Barnes acknowledged the breach, adding that the email security provider was investigating the incident.
It is unclear how the SolarWinds hackers managed to compromise Mimecast, as neither Microsoft nor Mimecast provided additional details.
However, the email security company said in a statement that it has engaged an outside forensic expert and is working with law enforcement and Microsoft to analyze the breach.
Terence Jackson, director of information security at Thycotic, says that “the certificates that were compromised were used by Mimecast’s email security products.”
“These products would access customers’ Microsoft 365 exchange servers so they could provide security services (backup, spam, and protection against phishing). Since these certificates were legitimate, an adversary could have connected without arousing suspicion to spy on and filter email communications.”
Weeks earlier, the SolarWinds hackers attempted to spy on cybersecurity company CrowdStrike using a Microsoft product reseller account.
Microsoft had warned that threat actors associated with the SolarWinds hacking campaign could use the environment of a compromised third-party vendor to target more customers.
Previously, SolarWinds hackers were found to be able to compromise the Security Assertion Markup Language (SAML) signing certificate to generate authentication tokens for the Microsoft cloud platform.
The cybercrime gang used the credentials obtained to authenticate to Microsoft Active Directory domain services to escalate privileges on the domain controller and spread laterally throughout the corporate network.
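The two paragraphs above describe tokens minted with a stolen SAML signing certificate. The following is an added example, not code from the article, Mimecast or Microsoft, of two defender-side checks a security team can run over its own logs. The first is a correlation: a federated sign-in at the cloud provider should be preceded by a token issuance event on the organisation's own identity provider, and a sign-in with no matching issuance is a candidate forged token. The second is a lifetime check, since an assertion whose validity far exceeds the identity provider's configured maximum was not issued by that provider's policy. All records, user names and field names are constructed for this example.

```python
"""
Added example: detect SAML tokens that were not issued by the organisation's
own identity provider (IdP). Not code from the article or any vendor.

Check 1: every federated cloud sign-in should have an IdP issuance event for
         the same user within a short preceding window.
Check 2: the assertion lifetime (expires - issued) must not exceed the IdP's
         configured maximum.

All log records and field names below are CONSTRUCTED for this example.
"""
from datetime import datetime, timedelta, timezone


def ts(text):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed IdP issuance log: which user received a token, and when.
IDP_ISSUANCE = [
    {"time": ts("2021-01-12T09:00:05"), "user": "alice@example.test"},
    {"time": ts("2021-01-12T09:03:40"), "user": "bob@example.test"},
]

# Constructed cloud sign-in log for federated (SAML) logons, including the
# issue and expiry instants carried in the presented assertion.
CLOUD_SIGNINS = [
    {"time": ts("2021-01-12T09:00:07"), "user": "alice@example.test",
     "issued": ts("2021-01-12T09:00:05"), "expires": ts("2021-01-12T10:00:05")},
    {"time": ts("2021-01-12T09:03:42"), "user": "bob@example.test",
     "issued": ts("2021-01-12T09:03:40"), "expires": ts("2021-01-12T10:03:40")},
    # Constructed anomaly: no IdP issuance exists for this logon and the
    # assertion is valid for 24 hours.
    {"time": ts("2021-01-12T11:30:00"), "user": "svc-mailbox@example.test",
     "issued": ts("2021-01-12T11:29:50"), "expires": ts("2021-01-13T11:29:50")},
]


def find_suspicious_signins(cloud_signins, idp_issuance,
                            window=timedelta(minutes=5),
                            max_lifetime=timedelta(hours=1)):
    """Return (user, reasons) for every sign-in that fails at least one check.

    window:       how long before the cloud sign-in an IdP issuance may occur.
    max_lifetime: the IdP's configured maximum assertion validity (assumed).
    """
    issued_by_user = {}
    for event in idp_issuance:
        issued_by_user.setdefault(event["user"], []).append(event["time"])

    results = []
    for signin in cloud_signins:
        reasons = []
        # Check 1: an IdP issuance for this user shortly before the sign-in.
        candidates = issued_by_user.get(signin["user"], [])
        if not any(timedelta(0) <= signin["time"] - t <= window for t in candidates):
            reasons.append("no_idp_issuance")
        # Check 2: assertion lifetime within policy.
        if signin["expires"] - signin["issued"] > max_lifetime:
            reasons.append("excessive_lifetime")
        if reasons:
            results.append((signin["user"], reasons))
    return results


if __name__ == "__main__":
    for user, reasons in find_suspicious_signins(CLOUD_SIGNINS, IDP_ISSUANCE):
        print(f"{user}: {', '.join(reasons)}")
```

The correlation is only as strong as the completeness of the identity provider's issuance log and the accuracy of clock synchronisation between the two systems, so the window and lifetime thresholds should be taken from the tenant's actual federation settings rather than the assumed values used here.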
SolarWinds hackers used similar techniques against previous victims, including US corporations and government agencies such as the FBI, Treasury, Homeland Security, and the Department of Commerce.
Although only a few customers were targeted in the Mimecast breach, the threat actors behind the SolarWinds hack are going after high-value targets rather than attacking indiscriminately.
Unless victims are identified, their role in the software supply chain determined, and their environments analyzed for additional indicators of compromise, a single victim breach could have serious implications, such as the SolarWinds hack or the FireEye hack.
Commenting on the breach of the email security provider, Saryu Nayyar, CEO of Gurucul, says:
“The attack against Mimecast and its secure connection to Microsoft’s Office 365 infrastructure appears to be the work of the same sophisticated attackers who breached SolarWinds and multiple government agencies.”
Nayyar noted that the breach served as an example of the level of skill and tenacity that state-sponsored threat actors could apply to achieve their goals.
“Basic cybersecurity is not enough. Organizations should employ industry best practices and then go further with user education, programs to review and update their security, and implementation of best security solutions, including security analysis.”
On the bright side, Nayyar notes that the advanced defenses employed against sophisticated nation-state hackers “should be more than enough to thwart the most common cybercriminal.”
Chris Hickman, Keyfactor’s chief security officer, pointed to a developing pattern of “leveraging crypto assets to gain access to the network and circumvent security controls.”
“These attacks have nothing to do with FireEye, SolarWinds or Mimecast; the disturbing trend that we are seeing is that these violations are becoming common,” says Hickman. “The threat actors behind the attacks, whether they use the SolarWinds backdoor or another, are targeting certificates and credentials.”
He says companies have paid too little attention to managing certificates, treating them as “just certificates” rather than as crypto assets that play a crucial role in strengthening network security.
“Technology alone cannot prevent infractions like this; companies must ensure they have the correct controls and policies in place and follow industry best practices to defend against the evolving threat landscape,” he continues.
Hickman added that companies needed to rethink how they “manage and protect digital certificates and cryptographic keys” to ensure optimal security for themselves and their customers.
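Mimecast's remediation guidance earlier in the article (remove the connection that used the compromised certificate and re-establish it with the new one) and Hickman's point that certificates must be managed as crypto assets both come down to the same operational task: knowing which certificate credentials are attached to which application identities in the tenant, and verifying that a retired one is actually gone. The following is an added example, not Mimecast's or Microsoft's code. Its input shape is modelled on the `keyCredentials` list Microsoft Graph returns for a service principal (`type`, `customKeyIdentifier`, `endDateTime`), but every application name, thumbprint and date below is constructed, and the revoked-thumbprint list stands in for whatever a vendor publishes in its notice.

```python
"""
Added example: inventory the certificate credentials attached to application
service principals and flag those that need action. Not Mimecast's or
Microsoft's code; the record shape is modelled on Graph's keyCredentials and
all sample values are CONSTRUCTED.
"""
import base64
from datetime import datetime, timedelta, timezone


def encode_thumbprint(hex_thumbprint):
    """Graph-style customKeyIdentifier: base64 of the raw thumbprint bytes."""
    return base64.b64encode(bytes.fromhex(hex_thumbprint)).decode()


# Constructed placeholder thumbprints (not real certificates).
OLD_CERT = "AA" * 20        # certificate being retired after the vendor notice
NEW_CERT = "BB" * 20        # its replacement
EXPIRING_CERT = "CC" * 20   # unrelated certificate close to expiry

# Constructed tenant export: two application identities and their certificates.
SERVICE_PRINCIPALS = [
    {   # Rotation NOT finished: the retired certificate is still attached.
        "displayName": "Example Mail Connector (constructed)",
        "keyCredentials": [
            {"type": "AsymmetricX509Cert",
             "customKeyIdentifier": encode_thumbprint(OLD_CERT),
             "endDateTime": "2026-06-01T00:00:00Z"},
            {"type": "AsymmetricX509Cert",
             "customKeyIdentifier": encode_thumbprint(NEW_CERT),
             "endDateTime": "2027-06-01T00:00:00Z"},
        ],
    },
    {   # Healthy, but the certificate expires within the warning period.
        "displayName": "Example Backup Agent (constructed)",
        "keyCredentials": [
            {"type": "AsymmetricX509Cert",
             "customKeyIdentifier": encode_thumbprint(EXPIRING_CERT),
             "endDateTime": "2021-02-01T00:00:00Z"},
        ],
    },
]

# Fixed clock so the audit result is reproducible.
NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)


def thumbprint_hex(key_credential):
    """Decode a customKeyIdentifier back to an upper-case hex thumbprint."""
    return base64.b64decode(key_credential["customKeyIdentifier"]).hex().upper()


def audit_certificates(service_principals, revoked_thumbprints, now, warn_days=30):
    """Return one finding per certificate credential that needs action.

    Reasons, in priority order: revoked (on the vendor's list), expired,
    expiring (within warn_days). Password credentials are out of scope here.
    """
    revoked = {t.upper() for t in revoked_thumbprints}
    findings = []
    for sp in service_principals:
        for cred in sp.get("keyCredentials", []):
            if cred.get("type") != "AsymmetricX509Cert":
                continue
            tp = thumbprint_hex(cred)
            expires = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
            if tp in revoked:
                reason = "revoked"
            elif expires <= now:
                reason = "expired"
            elif expires - now <= timedelta(days=warn_days):
                reason = "expiring"
            else:
                continue
            findings.append({"app": sp["displayName"], "thumbprint": tp, "reason": reason})
    return findings


def rotation_complete(service_principal, retired_thumbprint):
    """True once no certificate credential on the app matches the retired thumbprint."""
    return all(thumbprint_hex(c) != retired_thumbprint.upper()
               for c in service_principal.get("keyCredentials", [])
               if c.get("type") == "AsymmetricX509Cert")


if __name__ == "__main__":
    for f in audit_certificates(SERVICE_PRINCIPALS, [OLD_CERT], NOW):
        print(f"{f['app']}: {f['reason']} {f['thumbprint'][:8]}...")
    for sp in SERVICE_PRINCIPALS:
        print(f"{sp['displayName']}: rotation complete = {rotation_complete(sp, OLD_CERT)}")
```

The point of `rotation_complete` is that adding the new certificate is only half of the remediation: until the retired credential is removed from the application identity, anyone holding its private key can still authenticate as that application, which is exactly the access Jackson describes above.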