5 things to know about the Mimecast hack

Another day, another hack

A threat actor compromised a Mimecast certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services, the email security vendor disclosed Tuesday.

Mimecast said the compromised certificate was used to authenticate its Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365.

The company has asked customers using this certificate-based connection to Microsoft 365 to immediately delete the existing connection within their Microsoft 365 tenant. Customers should then re-establish a new certificate-based connection using a new certificate that Mimecast has made available, according to Mimecast.

“The security of our customers is always our top priority,” Mimecast said in a statement issued Tuesday morning US time.

“We have engaged a third-party forensics expert to assist in our investigation, and we will work closely with Microsoft and law enforcement as appropriate.”

From the type of certificate likely compromised to the impact of this hack on Mimecast’s email security rivals to whether the attack is tied to the massive SolarWinds breach, here are five of the most important things to know about the Mimecast hack.

5. Microsoft will block compromised certificate Monday

Approximately 10 percent of Mimecast’s customers use the compromised connection to Microsoft 365 Exchange Web Services, according to the company. Of those that do, Mimecast said current indications are that a low-single-digit number of Mimecast customers’ Microsoft 365 tenants were actually targeted.

Mimecast said it has already contacted the customers with targeted Microsoft 365 tenants to remediate the issue. The company was recently informed of the compromise by Microsoft, according to Mimecast.

Microsoft 365 customers not using Mimecast are unaffected by the compromise, according to a Microsoft spokesperson. At Mimecast’s request, Microsoft said it’s blocking the compromised Mimecast certificate on Monday, Jan. 18.

Microsoft declined to answer questions from CRN US about why the software giant is not blocking the compromised certificate immediately.

4. Mimecast rivals not compromised

CRN US reached out to eight other email security vendors in the wake of the Mimecast’s disclosure Tuesday morning to ask if they were dealing with similar compromises.

None of Area 1 Security’s certificates have been compromised recently, according to Oren Falkowitz, the company’s co-founder, chairman of the board and former CEO. Vade Secure has similarly not been compromised, according to Adrien Gendre, the Hen, France-based company’s chief product and services officer. Agari has also not seen any signs of compromise, according to a spokesperson for the company.

Barracuda, Proofpoint, and Zix did not immediately respond to inquiries from CRN US on whether or not they were compromised like Mimecast, while FireEye and Valimail declined to comment on the matter.

3. Mimecast likely hit by hackers who attacked SolarWinds

Three cybersecurity investigators told Reuters Tuesday they suspected the hackers who compromised Mimecast were the same group that broke into Austin, Texas-based IT infrastructure management vendor SolarWinds as well as nearly 10 federal agencies. The investigators spoke to Reuters on the condition of anonymity to discuss details of an ongoing probe, according to the news organisation.

Mimecast declined to answer CRN US questions about whether the compromise was carried out by the same group who attacked SolarWinds.

The US Cyber Unified Coordination Group (UCG) said on 5 January that a Russian Advanced Persistent Threat (APT) group was likely behind the SolarWinds hack. The Washington Post previously reported that the attack was carried out by the Russian foreign intelligence service.

In addition the FBI is investigating a mysterious postcard sent to FireEye CEO Kevin Mandia’s home days after FireEye found initial evidence of a hacking operation on federal agencies and private businesses, Reuters reported Tuesday. US officials familiar with the postcard are investigating whether it was sent by people associated with a Russian intelligence service due its timing and content, according to Reuters.

2. Compromise probably involved trusted SSL certificate

While Mimecast did not say what type of certificate was compromised in the hack, BleepingComputer said the compromise most likely involved one of the Mimecast-issued Trusted SSL certificates customers have to install on their Exchange Client Access servers to secure the connection to the Microsoft 365 servers.

The regional certificates relative to customers‘ accounts must be uploaded to Microsoft 365 to create a server connection in Mimecast, according to BleepingComputer. One of these self-issued certificates was compromised or stolen, which BleepingComputer said potentially could have allowed the hackers to use it in man-in-the-middle attacks.

1. Mimecast stock plummets following hack disclosure

Mimecast disclosed the security compromise in a four-paragraph blog post and filing with the US Securities and Exchange Commission (SEC) before the market opened Tuesday in the US. By midday, Mimecast’s stock had plummeted US$5.54 per share (10.77 percent) to US$45.86 per share.

That’s the lowest Mimecast’s stock has traded since 3 December 2020. The stock price decline has shaved more than US$350 million off the company’s valuation, which now stands at US$2.93 million, according to Google Finance.