Mimecast’s certificate compromise was carried out by the same threat actor behind the SolarWinds attack and gave hackers access to customers’ on-premises and cloud services.
The Lexington, Mass.-based email security vendor said the SolarWinds hackers accessed and potentially exfiltrated encrypted customer service account credentials that established a connection from their Mimecast tenants to on-premises and cloud services. Federal officials said Jan. 5 the SolarWinds hack was carried out by a Russian Advanced Persistent Threat group for intelligence-gathering purposes.
The compromised service account credentials were created by Mimecast customers hosted in the U.S. and U.K., the company said, and gave hackers access to LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling and SMTP-authenticated delivery routes of Mimecast customers. Mimecast, however, said it’s not aware of any of the encrypted credentials being decrypted or misused.
“It is clear that this incident is part of a highly sophisticated large-scale attack and is focused on specific types of information and organizations,” Mimecast said in a statement issued Tuesday morning. “We expect that additional organizations will learn or share that they were affected by the threat actor behind the SolarWinds Orion software compromise.”
Mimecast is advising customers hosted in the U.S. and U.K. to reset their credentials as a precautionary measure. The company declined to answer questions about how many customers had their service account credentials accessed and whether the hackers took advantage of the access they had to customers’ on-premises and cloud services.
Mimecast’s stock is down 36 cents per share (0.8 percent) to US$45.72 per share in trading shortly after the market opened Tuesday. Its stock is now down more than 11 percent from US$51.40 per share at the close of market Jan. 11, the day before the company said it had been breached.
SolarWinds traded at just US$14.53 per share at the close of market Monday, down 38.3 percent from US$23.55 per share the day before the hack became public.
Mimecast said it launched an internal investigation into the hack supported by leading third-party forensics experts and is coordinating its activities with law enforcement. The company said it has taken actions to isolate and remediate the identified threat, which it believes were effective, and will continue to examine and closely monitor its environment.
“We will continue to communicate updates directly to our customers if warranted,” Mimecast said. “While we are committed to transparency and sharing insights with our customers, there may be limits to the details we can provide at this time while elements of the investigation into this threat remain ongoing.”
The company first disclosed Jan. 12 that hackers had compromised a certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365 Exchange Web Services. Mimecast at the time told customers to delete their existing connection within the Office 365 tenant and re-establish their connection using a new certificate from the company.
Mimecast said Tuesday the vast majority of its customers have taken this action, with Microsoft now disabling use of the former connection keys for all affected Mimecast customers. Microsoft told CRN Jan. 12 that it planned to block the compromised Mimecast certificate on Jan. 18 at Mimecast’s request. Approximately 10 percent of Mimecast’s customers used the connection compromised by hackers.
“Protecting our customers will always be our company’s top priority,” Mimecast said. “We have benefited from the expertise shared by others facing this threat, and we are committed to doing the same, based on our own experience, to create a more secure and resilient community.”
One network administrator who didn’t wish to be identified said the breach will most significantly impact customers who use Mimecast as a backup to Office 365 since that gives Mimecast access to everything Microsoft has. The network administrator hopes Mimecast releases more information to customers soon.
“I don’t even know what the problem is,” the network administrator said. “How do I know what to look for?”