Mimecast disclosed last week that a threat actor had compromised a certificate used to authenticate several of its products to Microsoft 365 Exchange Web Services.
The London-based email security company said the certificate used to authenticate its Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365 had been compromised. Mimecast was informed of the compromise by Microsoft.
Mimecast's stock fell 2.30% this week to $44 per share, its lowest since Dec. 15, and was still declining. Mimecast declined to say whether the threat actor that injected malicious code into the SolarWinds Orion network monitoring tool was the same one that compromised its certificate.
About 10% of Mimecast's customers use the compromised connection, and of those, only "a low single digit number" were actually targeted, according to the company. Mimecast said it has already contacted the targeted tenants to fix the issue and has engaged a third-party forensics firm to help investigate the incident.
Mimecast has asked the roughly 10% of its customers who use this certificate-based connection to "immediately delete the connection within their Microsoft Office 365 tenant and make a new certificate-based connection using the new certificate" it has issued.
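The connection Mimecast describes is represented on the tenant side by an Azure AD app registration that holds the vendor's public certificate as a credential; an attacker with the matching private key can obtain tokens as that app until the credential is removed. The following PowerShell is an added example written for this article (it is not Mimecast's or Microsoft's code) that audits every app registration in a tenant for certificate credentials, flags any whose thumbprint matches the revoked certificate, and optionally removes it. It assumes the AzureAD PowerShell module and an account with application-administration rights; `$RevokedThumbprint` is a placeholder the operator fills in from the vendor's advisory, not a real value from this incident.

```powershell
# Added example (not from the article or from Mimecast): audit Azure AD app
# registrations for certificate credentials and flag/remove a revoked one.
# Assumptions: AzureAD module installed; signed-in account can manage apps.
# $RevokedThumbprint is a PLACEHOLDER, not the real Mimecast thumbprint.
param(
    [string]$RevokedThumbprint = "<OLD-CERT-THUMBPRINT>",
    [switch]$Remove
)

Import-Module AzureAD
Connect-AzureAD | Out-Null

# KeyCredentials are the certificate credentials attached to an app registration.
# For certificates uploaded through the portal, CustomKeyIdentifier holds the
# SHA-1 thumbprint as raw bytes; render it as the hex string admins recognise.
function Get-CertCredentialReport {
    $report = @()
    foreach ($app in Get-AzureADApplication -All $true) {
        foreach ($cred in $app.KeyCredentials) {
            if ($cred.Type -ne "AsymmetricX509Cert") { continue }
            $thumb = ""
            if ($cred.CustomKeyIdentifier) {
                $thumb = ($cred.CustomKeyIdentifier |
                    ForEach-Object { $_.ToString("X2") }) -join ""
            }
            $report += [pscustomobject]@{
                AppDisplayName = $app.DisplayName
                AppId          = $app.AppId
                ObjectId       = $app.ObjectId
                KeyId          = $cred.KeyId
                Thumbprint     = $thumb
                StartDate      = $cred.StartDate
                EndDate        = $cred.EndDate
                Revoked        = ($thumb -eq $RevokedThumbprint.ToUpperInvariant())
            }
        }
    }
    return $report
}

$creds = Get-CertCredentialReport
# Full inventory first: every app that can authenticate with a certificate,
# sorted by expiry, so long-lived or unknown credentials stand out.
$creds | Sort-Object EndDate |
    Format-Table AppDisplayName, Thumbprint, StartDate, EndDate, Revoked -AutoSize

$hits = $creds | Where-Object { $_.Revoked }
if (-not $hits) {
    Write-Host "No app registration carries the revoked certificate."
    return
}

foreach ($h in $hits) {
    Write-Warning "Revoked certificate still present on '$($h.AppDisplayName)' (AppId $($h.AppId))"
    if ($Remove) {
        # Removing the key credential is what actually stops token issuance for
        # the old certificate in this tenant; a new credential is added separately.
        Remove-AzureADApplicationKeyCredential -ObjectId $h.ObjectId -KeyId $h.KeyId
        Write-Host "Removed KeyId $($h.KeyId) from '$($h.AppDisplayName)'"
    }
}
```

Run it first without `-Remove` to see the inventory, then with `-Remove` once the app and key are confirmed. Deleting the credential is the tenant-side remediation; Microsoft's blocking of the certificate on its side is the backstop for tenants that have not yet acted. The Azure AD sign-in logs for the flagged app ID are the place to look for whether the certificate was used by anyone other than the vendor before removal.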
“The security of our customers is always our top priority,” Mimecast said in a statement issued Tuesday morning. “We have engaged a third-party forensics expert to assist in our investigation, and we will work closely with Microsoft and law enforcement as appropriate.”
"We can confirm that a certificate provided by Mimecast was compromised by a sophisticated actor, this certificate enables their customers to connect certain Mimecast applications to their M365 tenant. At Mimecast's request, we are blocking this certificate on Monday, January 18, 2021," a Microsoft spokesperson said in a statement reported by CRN.
According to Reuters, cybersecurity investigators believe the attack may be closely related to the recently disclosed supply chain attack on the U.S. software vendor SolarWinds, which also hit several sensitive U.S. government agencies.
The SolarWinds hack resulted in malicious software updates being rolled out to around 18,000 of the company's customers. The threat actors then delivered further payloads to a smaller set of private and government organizations that were of interest to them.
The SolarWinds hack, uncovered last month, is believed to be the work of Russian cyberspies. The U.S. government believes Russia is behind the attack, and researchers have noted overlap between the malware used and tooling attributed to Turla, a known Russian cyber-espionage group.