Another Day, Another Hack
A sophisticated threat actor compromised a Mimecast certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services, the Lexington, Mass.-based email security vendor disclosed Tuesday. Mimecast said the compromised certificate was used to authenticate its Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365.
The company has asked customers using this certificate-based connection to Microsoft 365 to immediately delete the existing connection within their Microsoft 365 tenant. Customers should then re-establish a new certificate-based connection using a new certificate that Mimecast has made available, according to Mimecast.
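Deleting and re-creating the connection is the step Mimecast prescribes; a tenant administrator will also want to confirm that no copy of the old certificate remains registered anywhere in the tenant. The PowerShell below is an added illustration, not code from Mimecast or Microsoft: it lists every certificate credential attached to app registrations and enterprise applications through the Microsoft Graph PowerShell SDK and flags those matching a given thumbprint or already expired. The thumbprint value is a placeholder (Mimecast has not published one here), the "Mimecast" name match is an assumption about how the connection's app might be labelled, and the SDK module is assumed to be installed.

```powershell
# Added example (not Mimecast's or Microsoft's code): inventory certificate credentials
# on app registrations and service principals in a Microsoft 365 tenant.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the thumbprint below is a
# PLACEHOLDER to be replaced with the value the vendor publishes.

Import-Module Microsoft.Graph.Applications

# Read-only scope; listing credentials does not require write permissions.
Connect-MgGraph -Scopes "Application.Read.All"

$suspectThumbprints = @(
    "0000000000000000000000000000000000000000"   # placeholder, not a real thumbprint
)

function ConvertTo-Thumbprint {
    # Graph stores a certificate credential's thumbprint as raw bytes in CustomKeyIdentifier.
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }
    return ([System.BitConverter]::ToString($Bytes) -replace '-', '')
}

$findings = @()

# App registrations owned by the tenant (where a customer-uploaded certificate would live).
foreach ($app in Get-MgApplication -All -Property Id,DisplayName,KeyCredentials) {
    foreach ($cred in $app.KeyCredentials) {
        $findings += [pscustomobject]@{
            Kind       = 'Application'
            Name       = $app.DisplayName
            ObjectId   = $app.Id
            Thumbprint = ConvertTo-Thumbprint $cred.CustomKeyIdentifier
            Usage      = $cred.Usage
            Expires    = $cred.EndDateTime
        }
    }
}

# Service principals (enterprise apps), where a vendor's multi-tenant app shows up.
foreach ($sp in Get-MgServicePrincipal -All -Property Id,DisplayName,KeyCredentials) {
    foreach ($cred in $sp.KeyCredentials) {
        $findings += [pscustomobject]@{
            Kind       = 'ServicePrincipal'
            Name       = $sp.DisplayName
            ObjectId   = $sp.Id
            Thumbprint = ConvertTo-Thumbprint $cred.CustomKeyIdentifier
            Usage      = $cred.Usage
            Expires    = $cred.EndDateTime
        }
    }
}

# Flag: matches the suspect list, is already expired, or (assumption) belongs to an app
# whose display name mentions Mimecast, so the operator can review it by hand.
$now = Get-Date
$flagged = $findings | Where-Object {
    ($suspectThumbprints -contains $_.Thumbprint) -or
    ($_.Expires -and $_.Expires -lt $now) -or
    ($_.Name -match 'Mimecast')
}

$flagged | Sort-Object Kind, Name | Format-Table Kind, Name, ObjectId, Thumbprint, Usage, Expires -AutoSize
```

Run this before and after re-establishing the connection: the first pass records which object carried the old certificate, the second confirms only the new certificate remains. Nothing here removes a credential; deletion is done deliberately through the Microsoft 365 admin interface as Mimecast instructs.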
“The security of our customers is always our top priority,” Mimecast said in a statement issued Tuesday morning. “We have engaged a third-party forensics expert to assist in our investigation, and we will work closely with Microsoft and law enforcement as appropriate.”
From the type of certificate likely compromised to the impact of this hack on Mimecast’s email security rivals to whether the attack is tied to the massive SolarWinds breach, here are five of the most important things to know about the Mimecast hack.
5. Microsoft Will Block Compromised Certificate Monday
Approximately 10 percent of Mimecast’s customers use the compromised connection to Microsoft 365 Exchange Web Services, according to the company. Of those that do, Mimecast said current indications are that a low-single-digit number of Mimecast customers’ Microsoft 365 tenants were actually targeted.
Mimecast said it has already contacted the customers with targeted Microsoft 365 tenants to remediate the issue. The company was recently informed of the compromise by Microsoft, according to Mimecast.
Microsoft 365 customers not using Mimecast are unaffected by the compromise, according to a Microsoft spokesperson. At Mimecast’s request, Microsoft said it’s blocking the compromised Mimecast certificate on Monday, Jan. 18. Microsoft declined to answer questions from CRN about why the Redmond, Wash.-based software giant isn’t blocking the compromised certificate immediately.
4. Mimecast Rivals Area 1, Vade Secure Not Compromised
CRN reached out to eight other email security vendors in the wake of the Mimecast’s disclosure Tuesday morning to ask if they were dealing with similar compromises.
None of Area 1 Security’s certificates have been compromised recently, according to Oren Falkowitz, the Redwood City, Calif.-based company’s co-founder, chairman of the board and former CEO. Vade Secure has similarly not been compromised, according to Adrien Gendre, the Hem, France-based company’s chief product and services officer. Agari has also not seen any signs of compromise, according to a spokesperson for the Foster City, Calif.-based company.
Proofpoint and Zix did not immediately respond to inquiries from CRN on whether or not they were compromised like Mimecast, while Barracuda, FireEye and Valimail declined to comment on the matter.
3. Mimecast Likely Hit By Hackers Who Attacked SolarWinds
Three cybersecurity investigators told Reuters Tuesday they suspected the hackers who compromised Mimecast were the same group that broke into Austin, Texas-based IT infrastructure management vendor SolarWinds as well as nearly 10 federal agencies. The investigators spoke to Reuters on the condition of anonymity to discuss details of an ongoing probe, according to the news organization.
Mimecast declined to answer CRN questions about whether the compromise was carried out by the same group that attacked SolarWinds. The U.S. Cyber Unified Coordination Group (UCG) said Jan. 5 that a Russian Advanced Persistent Threat (APT) group is likely behind the SolarWinds hack. The Washington Post previously reported that the attack was carried out by the Russian foreign intelligence service.
In addition, the FBI is investigating a mysterious postcard sent to FireEye CEO Kevin Mandia’s home days after FireEye found initial evidence of a hacking operation on federal agencies and private businesses, Reuters reported Tuesday. U.S. officials familiar with the postcard are investigating whether it was sent by people associated with a Russian intelligence service due to its timing and content, according to Reuters.
2. Compromise Probably Involved Trusted SSL Certificate
While Mimecast did not say what type of certificate was compromised in the hack, BleepingComputer said the compromise most likely involved one of the Mimecast-issued Trusted SSL certificates customers have to install on their Exchange Client Access servers to secure the connection to the Microsoft 365 servers.
The region-specific certificates for customers’ accounts must be uploaded to Microsoft 365 to create a server connection in Mimecast, according to BleepingComputer. One of these self-issued certificates was compromised or stolen, which BleepingComputer said could potentially have allowed the hackers to use it in man-in-the-middle attacks.
1. Mimecast Stock Plummets Following Hack Disclosure
Mimecast disclosed the security compromise in a four-paragraph blog post and filing with the U.S. Securities and Exchange Commission (SEC) before the market opened Tuesday. By midday, Mimecast’s stock had plummeted $5.54 per share (10.77 percent) to $45.86 per share.
That’s the lowest Mimecast’s stock has traded since Dec. 3, 2020. The stock price decline has shaved more than $350 million off the company’s valuation, which now stands at $2.93 million, according to Google Finance.