
Mimecast certificate compromised by SolarWinds hackers

Mimecast conducted an investigation after being alerted by Microsoft that a certificate for Microsoft 365 Exchange Web Services authentication was stolen by a sophisticated actor.

Another vendor has been breached in connection with the supply chain attack on SolarWinds.

In a blog post Tuesday, email security vendor Mimecast confirmed that a Mimecast-issued digital certificate was stolen by the same nation-state threat group behind the SolarWinds hack and the subsequent attacks on various technology companies and federal government agencies. Mimecast first disclosed the certificate compromise on Jan. 12 and attributed the breach to a "sophisticated threat actor" but did not connect the incident to the recent SolarWinds attacks.

"Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor," the updated blog post said. "Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom."

According to the update, the credentials establish connections from Mimecast tenants to on-premises and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling and SMTP-authenticated delivery routes. Mimecast said it is not aware that any of the encrypted credentials have been decrypted or misused but advised U.S. and U.K. customers to take the precautionary step of resetting their credentials.

SearchSecurity contacted Mimecast with additional questions about how the incidents are related, but the company declined to provide further details.

"We are continuing to investigate and respond to the recent security incident that affected Mimecast customers hosted in the United States and United Kingdom," a Mimecast spokesperson said in an email to SearchSecurity.

Prior to Tuesday's confirmation, there was speculation that the Mimecast breach was connected to the SolarWinds attacks. Reuters first reported that the nation-state threat actors behind the SolarWinds breach were suspected of stealing the Mimecast certificate.

In addition, several victims, including the Department of Justice and more recently Malwarebytes, have confirmed the SolarWinds attackers gained access to their Microsoft 365 environments. FireEye also published research last week that revealed new tactics, techniques and procedures (TTPs) used by the SolarWinds attackers to compromise Microsoft 365 tenants, and one of the techniques involved compromised certificates.

According to Mimecast's original blog post, the stolen certificate was used to authenticate Mimecast Sync and Recover, and Continuity Monitor for Microsoft 365 Exchange Web Services.

"Approximately 10 percent of our customers use this connection," the blog post said. "As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we've made available."

SearchSecurity reached out to Microsoft last week for further details on its investigation into the Mimecast certificate.

"We can confirm that a certificate provided by Mimecast was compromised by a sophisticated actor. This certificate enables their customers to connect certain Mimecast applications to their M365 tenant. At Mimecast's request, we are blocking this certificate on Monday, January 18, 2021," a Microsoft spokesperson said in an email to SearchSecurity.

As a SolarWinds customer, Microsoft began an internal investigation searching for indicators of what it refers to as the 'Solorigate' actor. On Dec. 31, Microsoft confirmed in a blog post that threat actors infiltrated its network and viewed -- but did not alter or obtain -- the company's source code.

"Our investigation into our own environment has found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others," Microsoft said in the blog post.
