Suspected Russian hackers, the group blamed for the SolarWinds supply chain attack, breached email security provider Mimecast, affecting a subset of its customers, the company said.
Although Mimecast did not itself attribute the breach to the state-sponsored SolarWinds hackers, three cybersecurity investigators familiar with the matter, speaking on condition of anonymity, confirmed the link to Reuters.
Additionally, the tactics, techniques, and procedures used against the email security firm were consistent with those of the SolarWinds hackers.
Mimecast said that Microsoft’s security experts notified the company that “a sophisticated threat actor” had compromised a Mimecast-issued certificate that customers use to authenticate Mimecast products to their Microsoft 365 Exchange services.
Mimecast’s products include anti-phishing email security tools capable of detecting malicious links and spoofed identities. The breach adds to the growing list of victims and the expanding set of attack vectors attributed to the advanced persistent threat group APT29.
Mimecast said 10% of its 36,000-customer base was affected by the certificate breach. However, the email security provider estimated that the suspected SolarWinds hackers targeted only a “low single-digit number” of its Microsoft 365 tenants.
The threat actors hijacked the certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to customers’ Microsoft 365 Exchange Web Services.
“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available,” the company said in a statement posted online.
Although she declined further comment, Mimecast spokeswoman Laura Barnes acknowledged the breach, adding that the email security provider was investigating the incident.
It’s unclear how the SolarWinds hackers managed to compromise Mimecast as neither Microsoft nor Mimecast provided additional details.
However, the email security company said in a statement that it engaged a third-party forensics expert, law enforcement, and Microsoft in analyzing the breach.
Terence Jackson, Chief Information Security Officer at Thycotic, says that “the certificates that were compromised were used by Mimecast email security products.”
“These products would access customers’ Microsoft 365 exchange servers in order for them to provide security services (backup, spam, and phishing protection). Since these certificates were legit, an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications.”
Weeks earlier, the SolarWinds hackers had attempted to spy on the cybersecurity company CrowdStrike through the compromised account of a Microsoft products reseller.
Microsoft had warned that the threat actors associated with the SolarWinds hacking campaign could use a compromised third-party vendor’s environment to target more customers.
Earlier, the SolarWinds hackers were found to have compromised victims’ Security Assertion Markup Language (SAML) token-signing certificate, which let them forge authentication tokens for Microsoft’s cloud platform.
The attackers also used stolen credentials to authenticate to Active Directory Domain Services, escalate privileges on the domain controller, and move laterally across the entire corporate network.
The SolarWinds hackers used similar techniques against earlier victims, including corporations and U.S. government agencies such as the FBI, the Treasury, and the departments of Homeland Security and Commerce.
Only a few customers were targeted in Mimecast’s breach, but that is consistent with how the threat actors behind the SolarWinds campaign operate: they focus on high-value targets rather than attacking indiscriminately.
Unless those victims are identified, their role in the software supply chain determined, and their environments analyzed for additional indicators of compromise, a breach of a single victim can have implications as severe as the SolarWinds hack or the FireEye breach.
Commenting on the email security provider’s breach, Saryu Nayyar, CEO of Gurucul, says:
“The attack against Mimecast and their secure connection to Microsoft’s Office 365 infrastructure appears to be the work of the same sophisticated attackers that breached SolarWinds and multiple government agencies.”
She noted that the breach served as an example of the level of skill and tenacity that state-sponsored threat actors could apply to achieve their objectives.
“Basic cybersecurity is not enough. Organizations need to employ industry best practices, and then go farther with user education, programs to review and update their security, and deploying best-in-breed security solutions, including security analytics.”
On the bright side, Nayyar notes that the advanced defenses employed against sophisticated nation-state hackers “should be more than enough to thwart the more common cybercriminal.”
Chris Hickman, the chief security officer at Keyfactor, noted a developing pattern of “leveraging cryptographic assets to gain network access and evade security controls.”
“These attacks are not about FireEye, SolarWinds, or Mimecast; the disturbing trend we are seeing is that these breaches are becoming habitual,” Hickman says. “The threat actors behind the attacks, whether they are using the SolarWinds backdoor or another, are targeting certificates and credentials.”
He says companies have tended to neglect certificate management, treating certificates as “just certificates” rather than as cryptographic assets that play a crucial role in hardening network security.
“Technology alone cannot prevent breaches like this – companies need to ensure that they have in place the right controls, policies and follow industry best practices in order to defend themselves against the evolving threat landscape,” he continues.