Email security firm Mimecast has had its digital certificate compromised, giving threat actors access to private customer communications.
# Incident Report: Mimecast Digital Certificate Compromise
## Executive Summary
The email security firm Mimecast experienced a compromise of its digital certificate, which was used to secure connections between its products and Microsoft's cloud services (M365). This allowed threat actors to gain the capability to decrypt, read, and modify private customer communications for a subset of users. The incident was discovered after Microsoft alerted Mimecast, prompting immediate remediation steps for affected customers.
## Incident Details
- **Discovery Date:** Unknown (Incident disclosed upon notification from Microsoft)
- **Incident Date:** Occurred prior to January 13, 2021 (Date of public report)
- **Affected Organization:** Mimecast Limited
- **Sector:** Cybersecurity / Email Security Services
- **Geography:** Jersey-domiciled, UK-headquartered company (Global customer base)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown
- **Vector:** Compromise of the digital certificate and the private encryption key behind it.
- **Details:** The private encryption keys stored on Mimecast's internal servers were accessed by means that have not been disclosed, giving threat actors what they needed to decrypt traffic flowing over the certificate-protected connection to Microsoft's cloud services.
### Lateral Movement
- **Details:** Not explicitly detailed, but the compromise of the certificate itself provided standing authorization to intercept traffic protected by that certificate, suggesting a high-level compromise focused on the trust mechanism rather than network traversal.
### Data Exfiltration/Impact
- **Details:** Threat actors gained the ability to decrypt, read, and potentially modify private communications for approximately 10% of Mimecast customers who used the affected connection to Microsoft 365; a "low single-digit number" of those customers' M365 tenants were reported to have been specifically targeted.
### Detection & Response
- **How it was discovered:** Microsoft informed Mimecast of the issue.
- **Response actions taken:** Mimecast immediately contacted the affected customers to advise them to delete their current Microsoft 365 connection and reestablish it using a replacement certificate.
## Attack Methodology
- **Initial Access:** Compromise of an internal system storing the private encryption keys associated with the digital certificate used for secure connections to M365.
- **Persistence:** Not detailed, likely achieved via holding the compromised certificate/keys until detection.
- **Privilege Escalation:** Not applicable in the conventional sense; the incident represents a direct compromise of a root trust mechanism rather than escalation within a network.
- **Defense Evasion:** The use of a valid, but compromised, certificate is an advanced defense evasion technique, as traffic would appear legitimate (man-in-the-middle capability).
- **Credential Access:** Compromise of encryption keys/credentials associated with the certificate private key store.
- **Discovery:** Unknown, but the targeted nature suggests prior reconnaissance of Mimecast's infrastructure or key personnel access.
- **Lateral Movement:** Not required; the certificate compromise provided direct access to intercepted data streams.
- **Collection:** Decryption and reading of private customer communications flowing over the connection to M365.
- **Exfiltration:** Not explicitly detailed, but reading and modification of data implies potential exfiltration or alteration.
- **Impact:** Interception and compromise of confidential communication data.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Private customer communications (emails/data) protected by the compromised certificate. Impact was limited to approximately 10% of customers, with specific targeting against a "low single-digit number" of these tenants.
- **Operational:** Disruption required affected customers to immediately rework their M365 connection configuration.
- **Reputational:** Negative impact on Mimecast's reputation as an email security and trust provider.
## Indicators of Compromise
- **Network indicators (Defanged):** Specific details on attacker C2 or session activity were not published.
- **File indicators:** None published.
- **Behavioral indicators:** Use of the compromised digital certificate to intercept secure communication traffic between Mimecast and M365.
## Response Actions
- **Containment measures:** Identification of the compromised certificate and immediate communication to assist customers in revoking and replacing the connection.
- **Eradication steps:** Reissuing or updating the primary digital certificate and associated private keys.
- **Recovery actions:** Instructing affected customers to delete existing connections and establish new, secure connections using a replacement certificate.
## Lessons Learned
- The incident highlights the critical risk associated with securing **private encryption keys**; this level of access is extremely difficult to achieve, suggesting either a highly sophisticated attacker or an insider threat scenario.
- The surgical nature of the targeting suggests an advanced persistent threat (APT) potentially seeking specific organizational data, drawing parallels to the SolarWinds attack methodology.
## Recommendations
- Implement hardware security modules (HSMs) or highly segmented, zero-trust environments for the storage and management of private encryption keys used for external-facing services.
- Enhance monitoring around certificate lifecycle events and large-scale key access attempts.
- Review and reduce the scope of shared high-privilege certificates/keys to limit blast radius (Principle of Least Privilege applied to encryption infrastructure).
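The monitoring recommendation above can be made concrete. The following is an added example, not code from the report or from Mimecast: it parses constructed private-key audit log lines (timestamp, principal, action, key id, source host; all names are hypothetical) and raises alerts on key exports, on access to a key by a principal outside its allowlist, and on one principal touching many distinct keys within a short window.

```python
"""Added example (not Mimecast's code): alerting on anomalous private-key
access from constructed key-store audit log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp principal action key_id source_host
SAMPLE_LOG = """\
2021-01-10T08:00:01Z svc-m365-sync key.read m365-connector-key build-01
2021-01-10T08:00:05Z svc-m365-sync key.read m365-connector-key build-01
2021-01-10T08:01:00Z jdoe key.read m365-connector-key wks-42
2021-01-10T08:01:09Z jdoe key.read smtp-tls-key wks-42
2021-01-10T08:01:15Z jdoe key.read api-signing-key wks-42
2021-01-10T08:01:20Z jdoe key.export m365-connector-key wks-42
2021-01-10T09:30:00Z ca-bot cert.issue m365-connector-key ca-01
"""

# Hypothetical allowlist: which principals may touch a given key.
ALLOWED = {"m365-connector-key": {"svc-m365-sync", "ca-bot"}}

def parse(log):
    """Turn raw lines into (timestamp, principal, action, key_id, host) tuples."""
    events = []
    for line in log.splitlines():
        ts, principal, action, key_id, host = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, action, key_id, host))
    return events

def find_alerts(events, allowed, window=timedelta(minutes=5), max_keys=2):
    """Return a list of (principal, reason) alerts."""
    alerts, seen = [], set()
    per_principal = defaultdict(list)
    for ts, principal, action, key_id, host in events:
        if action == "key.export":  # any export is a lifecycle event worth an alert
            alerts.append((principal, f"export of {key_id} from {host}"))
        if key_id in allowed and principal not in allowed[key_id] and (principal, key_id) not in seen:
            seen.add((principal, key_id))  # one alert per principal/key pair
            alerts.append((principal, f"unexpected access to {key_id} from {host}"))
        per_principal[principal].append((ts, key_id))
    for principal, items in per_principal.items():
        items.sort()
        for i, (ts, _) in enumerate(items):  # sliding window over this principal's events
            keys = {k for t, k in items[i:] if t - ts <= window}
            if len(keys) > max_keys:
                alerts.append((principal, f"{len(keys)} distinct keys within {window}"))
                break
    return alerts

def run_sample():
    return find_alerts(parse(SAMPLE_LOG), ALLOWED)
```

In the sample, only the interactive user `jdoe` trips the detector (unexpected access, an export, and three distinct keys inside five minutes); the service account and the CA bot stay within their expected pattern.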