Email management provider Mimecast said hackers compromised a digital certificate it issued and used it to target select customers who use it to encrypt data they send and receive through the company’s cloud service.
In a message published Tuesday, the company said the certificate was being used by about 10 percent of its customer base, which the company says is about 36,100. The “advanced threat actor” then likely used the certificate to target “a low single-digit number” of customers who used the certificate to encrypt Microsoft 365 data. Mimecast said it heard of Microsoft’s compromise.
Compromising a certificate allows hackers to read and modify encrypted data as it travels across the Internet. For that to happen, a hacker must first gain the ability to monitor the connection going into and out of a target’s network. Typically, certificate compromises require access to highly fortified storage devices that store private encryption keys. That access usually requires deep-level hacking or insider access.
The Mimecast post did not describe what type of certificate was compromised, and a company spokesperson declined to elaborate. However, this post discusses how customers can use a Mimecast-provided certificate to connect their Microsoft 365 servers to the company’s service. Mimecast provides seven different certificates based on the customer’s geographic region.
Mimecast instructs customers using the compromised certificate to immediately remove their existing Microsoft 365 connection to the company and establish a new connection using a replacement certificate. The move will not affect inbound or outbound email flow or security scans, Tuesday’s message said.
The disclosure comes a month after the discovery of a major supply chain attack that infected approximately 18,000 customers of Austin, Texas-based SolarWinds with a backdoor that gave access to their networks. In some cases, including one involving the US Department of Justice, the hackers used the backdoor to take over victims’ Office 365 systems and read email they had stored. Microsoft, itself a victim of the hack, has played a key role in the investigation into the hack. The type of backdoor pushed to SolarWinds customers would also be valuable when compromising a certificate.
It’s way too early to say that the Mimecast event is related to the SolarWinds hacking campaign, but there’s no denying that some circumstances match. In addition, Reuters reported that three unnamed cybersecurity researchers said they suspect the Mimecast certificate compromise was carried out by the same hackers behind the SolarWinds campaign.