On January 26th, 2020, Mimecast released an updated statement about the compromise first published on January 12th 2020.
Initially believed to be a targeted attack against a few select Mimecast customers, their follow-on investigation revealed a much wider attack surface. Mimecast was also able to conclude that this attack was the same threat actor behind the Solarwinds breach, which was the cause of their infection. The attackers were able to do following:
“The threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.”
Datashield and Mimecast are not aware of any of these credentials being decrypted and/or used. However, as a precaution, we are recommending clients reset these secrets to ensure they are not misused in the future.
- AzureAD / LDAP: https://community.mimecast.com/s/article/Refreshing-Directory-Synchronization-Authentication
- POP3 Journaling: https://community.mimecast.com/s/article/Configuring-Exchange-2007-POP3-POP3S-Journaling-1511893355
- EWS: https://community.mimecast.com/s/article/Enabling-EWS-Domain-Authentication-105500096
- General Password Configurations: https://community.mimecast.com/s/article/Password-Authentication-1346579834
If you have any questions or concerns reach out to us or start a chat.