Email management provider Mimecast said that hackers compromised a digital certificate it issued, targeting selected customers who use it to encrypt data sent and received through the company's cloud-based service.
In a post published Tuesday, the company said the certificate has been used by around 10 percent of its customer base, which the company claims is around 36,100. The "advanced threat actor" then likely used the certificate to target "a low single-digit number" of customers who use the certificate to encrypt Microsoft 365 data. Mimecast said it learned of the compromise from Microsoft.
With a compromised certificate, hackers can read and modify encrypted data as it travels over the Internet. To do this, the attacker must first be in a position to monitor the connection to and from a target's network. Typically, certificate compromises require access to the highly fortified storage devices that hold private encryption keys, which usually takes deep-level hacking or inside access.
The Mimecast publication did not describe what type of certificate was compromised, and a company spokesperson declined to elaborate on it. However, this post explains how customers can use a Mimecast-provided certificate to connect their Microsoft 365 servers to the company's service. Mimecast offers seven different certificates based on the customer's geographic region.
Mimecast instructs customers using the compromised certificate to immediately delete their existing Microsoft 365 connection with the company and reestablish a new connection using a replacement certificate. The move has no effect on incoming or outgoing mail flow or security scanning.
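As an added illustration of the remediation step above (this is example code written for this page, not Mimecast's or the article's), the check below lets an administrator confirm that the certificate a connector presents is the replacement and not the withdrawn one. It compares the SHA-256 fingerprint of the certificate's DER bytes against a deny-list and an allow-list. The certificate bytes and fingerprint lists are constructed placeholders; real values would come from the vendor's advisory, which the page does not quote.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for certificate bytes. A real deployment would load the
# DER (or PEM) of the certificates named in the vendor's advisory instead.
OLD_CERT_DER = b"constructed-placeholder: withdrawn connector certificate"
NEW_CERT_DER = b"constructed-placeholder: replacement connector certificate"


def fingerprint(der: bytes) -> str:
    """Return the lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


# Deny-list / allow-list keyed by fingerprint, derived here from the placeholders above.
COMPROMISED_FINGERPRINTS = {fingerprint(OLD_CERT_DER)}
APPROVED_FINGERPRINTS = {fingerprint(NEW_CERT_DER)}


def pem_to_der(pem_text: str) -> bytes:
    """Convert a PEM certificate (as exported from a connector) to DER bytes."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def classify_certificate(der: bytes) -> str:
    """Classify a certificate as 'compromised', 'approved' or 'unknown'.

    The deny-list is checked first so a certificate that somehow appears in both
    lists is still reported as compromised.
    """
    fp = fingerprint(der)
    if fp in COMPROMISED_FINGERPRINTS:
        return "compromised"
    if fp in APPROVED_FINGERPRINTS:
        return "approved"
    return "unknown"


def fetch_peer_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a TLS connection and return the DER bytes of the certificate the
    server presents. Uses only the standard library; hostname and chain are
    validated by the default context before the certificate is returned."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit(der: bytes) -> str:
    """Human-readable audit line for a certificate, suitable for a ticket or log."""
    return f"sha256={fingerprint(der)} status={classify_certificate(der)}"


if __name__ == "__main__":
    # Offline demonstration on the constructed placeholders.
    print("old:", audit(OLD_CERT_DER))
    print("new:", audit(NEW_CERT_DER))
    # To audit a live endpoint (hostname is a placeholder, not from the page):
    # print(audit(fetch_peer_cert_der("connector.example.invalid")))
```

Running this against the placeholders reports the old certificate as compromised and the new one as approved; the same `classify_certificate` call works on bytes returned by `fetch_peer_cert_der` for a live endpoint or on DER produced by `pem_to_der` from an exported file. Anything that is neither on the deny-list nor on the allow-list is reported as unknown rather than silently accepted, which is the safer default during a rotation.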
The release comes a month after a major supply chain attack was discovered that infected around 18,000 customers of Austin, Texas-based SolarWinds with a backdoor that gave the attackers access to their networks. In some cases – including one involving the US Department of Justice – the hackers used the backdoor to take control of victims' Office 365 systems and read the emails stored there. Microsoft, itself a victim of the hack, played a key role in the investigation. The kind of backdoor that was pushed to SolarWinds customers would also be valuable to an attacker who had compromised a certificate.
It is far too early to say that the Mimecast event is linked to the SolarWinds campaign, but there is no denying that some of the circumstances overlap. In addition, Reuters reported that three unnamed cybersecurity investigators suspected that the Mimecast certificate compromise was carried out by the same hackers behind the SolarWinds campaign.