A threat actor has compromised a certificate securing email security connections, potentially allowing them to spy on victims.
A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services has been “compromised by a sophisticated threat actor,” the company announced.
Mimecast provides email security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast’s servers.
The certificate in question is used to verify & authenticate those connections made to Mimecast’s Sync & Recover (backups for mailbox folder structure, calendar content & contacts from Exchange On-Premises or Microsoft 365 mailboxes), Continuity Monitor (looks for disruptions in email traffic) & Internal Email Protect (IEP) (inspects internally generated emails for malicious links, attachments or for sensitive content).
A compromise means that cyber-attackers could take over the connection through which inbound & outbound mail flows, researchers observed. It would be possible to intercept that traffic, or possibly to infiltrate customers’ Microsoft 365 Exchange Web Services & steal information.
“The certificates that were compromised were used by Mimecast email security products,” Terence Jackson, CISO at Thycotic, explained. “These products would access customers’ Microsoft 365 Exchange servers in order for them to provide security services (backup, spam & phishing protection).
Since these certificates were legitimate, an adversary would have been able to connect without raising suspicions to eavesdrop & exfiltrate email communications.”
There would be extra steps necessary for the attacker to compromise sensitive information, according to Chris Clements, VP of Solutions Architecture at Cerberus Sentinel.
“They don’t appear to have identified the exact nature & use case for the certificate compromised, but two possibilities are likely,” he commented.
“First, if the stolen certificate was used for Mimecast customers to verify the validity of the servers their users connect to (user -> Mimecast), it would allow an attacker that was able to man-in-the-middle the user to server connection to easily decrypt the encrypted data stream & access potentially sensitive information.”
This would require the attackers to have compromised a device in the data path between the Mimecast customer’s users & servers; be present on the same local network to perform an ARP spoofing attack; or simply be connected to the same open Wi-Fi network.
“The other much worse possibility is that the stolen certificate was used to authenticate from Mimecast servers directly to Microsoft 365 (Mimecast -> MS365),” he said. “If this were the case & no other security controls limiting access were in place, attackers with this certificate could potentially use it to connect directly to Microsoft & access all of the customer’s data.”
Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi, observed that attackers could also possibly disable Office 365’s Mimecast protections altogether to make an email-borne attack more effective.
“This would allow access to mail hosted on Office 365, possibly disable certain services like threat protection and alerts, and possibly more,” he suggested. “This is a compromise of a machine identity: the certificate is the identity of Mimecast services authenticating to Microsoft cloud.”
Mimecast Remains Silent
A Mimecast spokesperson commented only, “Our investigation is on-going & we don’t have anything additional to share at this time. All updates from Mimecast will be delivered through our blog.”
Mimecast, in an online posting on Tuesday, said that about 10% of its customers use the affected connections. It notes on its website that it has around 36,000 customers, so 3,600 could be potentially compromised.
The company further said that out of those, “there are indications that a low single digit number of our customers’ Microsoft 365 tenants were targeted. We have already contacted these customers to remediate the issue.”
The hack was brought to Mimecast’s attention by Microsoft, which plans to disable the certificate’s use for Microsoft 365 starting on Jan. 18. In the meantime, Mimecast has issued a new certificate & is urging users to re-establish their connections with the fresh authentication.
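As an added illustration of the point made above (not Mimecast's or Microsoft's code): because the compromised certificate was genuinely issued, ordinary chain validation still accepts it, so the relying party also has to deny it by fingerprint until the reissued certificate is in use. The CA, subject names and serial numbers are constructed test data, and `accept` is a hypothetical stand-in for the tenant-side check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)
// issue mints a cert for cn signed by parent (self-signed when parent is nil); constructed test PKI only.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
	if parent == nil { // self-signed root
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// fingerprint is the SHA-256 of the DER encoding, the value a relying party pins or denies.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}
// accept is a hypothetical relying-party check: chain must verify for client auth AND fingerprint must not be denied.
func accept(c *x509.Certificate, roots *x509.CertPool, denied map[string]bool) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil && !denied[fingerprint(c)]
}
// scenario returns: old cert passes chain validation alone; old cert accepted once denied; reissued cert accepted.
func scenario() (chainOnly, oldDenied, newOK bool) {
	ca, caKey := issue("Test Issuing CA", 1, x509.KeyUsageCertSign, nil, nil)
	old, _ := issue("connector (compromised)", 2, x509.KeyUsageDigitalSignature, ca, caKey)
	nw, _ := issue("connector (reissued)", 3, x509.KeyUsageDigitalSignature, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	denied := map[string]bool{fingerprint(old): true}
	return accept(old, roots, nil), accept(old, roots, denied), accept(nw, roots, denied)
}
```

The first result is the problem the quoted experts describe: the retired certificate is still "legitimate" to a verifier that only checks the chain.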
The attack is reminiscent of the recently discovered SolarWinds hacks, because of the use of third-party software to reach targets. Indeed, researchers speaking anonymously to Reuters about the Mimecast incident said that they suspected the same advanced persistent threat responsible for the SolarWinds supply-chain attack is at work here.
Mimecast Declined to Comment
“The attack against Mimecast & their secure connection to Microsoft’s Office 365 infrastructure appears to be the work of the same sophisticated attackers that breached SolarWinds & multiple government agencies,” Saryu Nayyar, CEO at Gurucul, commented via email.
“This shows the skill & tenacity state & state-sponsored actors can bring to bear when they are pursuing their agenda.
Against this sort of opponent, civilian organisations will need to up their game if they do not want to become the next headline. Basic cyber-security is not enough.
Organisations need to employ industry best practices, & then go farther with user education, programs to review & update their security, & deploying best-in-breed security solutions…The long-term advantage is that defences designed to resist a state-level attack should be more than enough to thwart the more common cyber-criminal.”