Fortalice Advisory on the Mimecast Certificate Compromise
On January 12, 2021, the email security provider Mimecast disclosed the compromise of certificates used to authenticate to Microsoft 365 Exchange Web Services. The notification provided to Mimecast by Microsoft indicated that several certificates issued by Mimecast had been compromised by a sophisticated threat actor. These certificates are used by some customers to authenticate connections from the Mimecast Sync and Recover, Continuity Monitor, and IEP products to the customers’ Microsoft 365 Exchange Web Services.
Currently, Mimecast has not disclosed the nature of the compromise or whether the malicious actors were able to use the compromised certificates. These certificates would allow an adversary to conduct a “man-in-the-middle” attack, taking control of the connection to view inbound and outbound data flows, or to gain access to Microsoft 365 Exchange Web Services from a compromised system on the customer’s network. Additionally, an attacker could compromise the Mimecast infrastructure itself to authenticate to a customer’s Microsoft 365 Exchange Web Services. In either case, data held within the customer’s Exchange Web Services could be at risk.
How to Protect Yourself Now:
Mimecast states that approximately 10 percent of customers utilize this type of connection and that its investigation has found that only a single-digit number of customers were targeted. Mimecast has asked the subset of customers that use certificates to authenticate to these services to delete their Microsoft 365 Exchange Web Services connection and establish a new connection using the new certificate that has been provided. The use of a new certificate should not impact security scanning or inbound or outbound mail flow.
What Comes Next:
Mimecast has engaged a third-party forensics firm to conduct a detailed investigation to determine the cause of the certificate compromise. In addition, Mimecast is working closely with Microsoft to address any security issues related to the Exchange Web Services. If you are concerned about the security of your own connection to Mimecast or have any questions regarding this incident, please do not hesitate to reach out to us.