After the recent discovery of the devastating SolarWinds attack on the US Government, Mimecast disclosed yesterday that they too have been compromised by a sophisticated attacker. It is not known at this point whether the attack was conducted by the same suspected Russian hackers responsible for the SolarWinds incident, but it does bear some resemblance. In the wake of a year fraught with unrelenting, high-profile attacks, the news of a cybersecurity firm like Mimecast falling victim should not come as a surprise.
Why was Mimecast targeted by cybercriminals?
Sophisticated attackers choose their victims depending upon what they are looking to steal. It might be money, data, or long-term network access. Mimecast and many of its cybersecurity peers hold significant access to their own customers, which lets an attacker shortcut the painstaking process of targeting each customer separately. So in this instance Mimecast was targeted because they are a vendor with many, many customers. Vendors have long been used as an entry point by cybercriminals. For example, Target was previously hacked through an HVAC service provider who had been granted access to customer credit and debit card records. The exact goal of the hackers is still unknown, as is whether there were specific Mimecast customers the attackers were looking to access, but the impact is both sweeping and unsettling. More recently, awareness of this risk has grown and businesses have responded with improved processes and data governance practices that prevent both third parties and employees from having unrestricted access to company resources. Cybersecurity vendors like Mimecast may be an exception to that rule. Businesses often defer to their cybersecurity partners as experts in cyber defense and rely on our expertise to protect them. Security software and hardware products are often inserted directly into sensitive networks, playing a critical role in cyber defense, but in some cases they also unknowingly provide additional points of entry which bad actors can exploit to great effect.
How was a popular product like Mimecast hacked?
A Mimecast-issued secure certificate used by about 10% of their users was compromised, likely allowing hackers to abuse the secure connection and steal customer data. The impacted products were communicating directly with Microsoft 365 Exchange Web Services, providing the attackers access to Mimecast customers' corporate environments. Although there may be direct value in the messages or attachments that may have been accessed by the attackers, email typically represents the most common point of entry for cybercriminals. Information in the form of email address lists, frequent contacts, vendor names, even email signature formats and out-of-office replies can be used to further infiltrate systems through highly successful spear-phishing attacks, conversation hijacking, and the like. Customers rely on tools like Mimecast and Cloudphish to make email safer, which begins with avoiding any and all unnecessary access to customer data. Every piece of software or hardware your company uses can be breached, and should be treated as such.
A lot about the Mimecast hack is still unknown
While it is an encouraging sign that the breach seems to have been caught early, it is very likely that the pain for Mimecast and its impacted customers is only just beginning. Companies need to fill the cybersecurity gaps that products like Mimecast cannot address, as cybercriminals' techniques grow more sophisticated each day.