UPDATE (12/27) Mimecast has confirmed that their certificate compromise was perpetrated by the same threat actor behind the SolarWinds hack and gave hackers access to customers’ on-premises and cloud services.
According to Mimecast, "Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes."
Venafi Vice President, Security Strategy and Threat Intelligence, Kevin Bocek, warns, “The age of the cloud breach is here, and the most valuable assets in the cloud are machine identities like TLS keys and certificates. Machine identities establish are used to authenticate devices, services and software. More importantly, they control the flow of sensitive data.”
ORIGINAL POST (12/13) Mimecast, a cloud email management service, was recently the target of a supply chain attack by a “sophisticated threat actor” who compromised and apparently misused a trusted digital certificate. This attack on machine identities has left thousands of Mimecast customers vulnerable to attack, and could have serious long-term repercussions for the London-based email software company.
Understanding how and why attacks against trust such as these occur can allow you to develop your own machine identity management strategy with the latest best practices and existing threats at top of mind, ensuring your organization stays secure!
What happened and how did Mimecast handle it?
Mimecast, a cloud email management software company, recently announced that one of the certificates that was used to authenticate their Microsoft 365 Exchange Web Services was “compromised by a sophisticated threat actor”.
It’s likely that the compromised certificate in question is a Mimecast-issued trusted SSL/TLS certificate that customers install on their Exchange Client Access servers, securing the connection to Microsoft 365 servers.
In a short statement, Mimecast indicated that around 10 percent of its customers used impacted certificates. While the statement indicates that up to 3,600 of their 36,000 customers could be potentially compromised, Mimecast did specify that they expect that a “low single digit number of customers” were actually targeted.
Mimecast was made aware of this attack by Microsoft, and they do intend to disable the certificate’s use for Microsoft 365 effective January 18th, 2021. However, until the certificate can be suspended, Mimecast has issued a new, secure certificate and is urging all customers to re-establish their connections to Microsoft with the renewed authentication. To reassure customers, Mimecast did state that “taking this action does not impact inbound or outbound mail flow or associated security scanning”.
How will this attack impact Mimecast moving forward?
Due to the nature of the attack, there has been speculation that there is a connection between this incident and the SolarWinds hack from early January. The use of third-party software to compromise targets has led to the conclusion that the same “sophistication attackers” involved in the Mimecast hack were those who perpetrated the SolarWinds hack, and breached multiple government agencies.
Mimecast has not yet commented on this theory, and a spokesperson for the email company has continued to maintain that their “investigation is ongoing and we don’t have anything additional to share at this time. All updates from Mimecast will be delivered through our blog”.
The danger of a hack like this cannot be overstated. A certificate compromise for even a percentage of Mimecast’s users means it is possible for these malicious actors to eavesdrop on or even infiltrate their targets’ Microsoft 365 Exchange Web Servers, allowing them to extract confidential communications and information. Another possible angle of these hackers is to disable Microsoft’s Mimecast protections, allowing a second “email-borne” attack to cause even further damage.
This compromise of a machine identity is exactly the type of hack that Venafi machine identity management can protect users from. Learn more about how machine identity management can protect your network from attackers that would circumvent your security protocols or pivot across your network!
- Attacks Using Machine Identities are Rising Dramatically: Is Your Organization Prepared?
- Imperva: Timeline of an API Key Compromise
- The Abuse of Root Certificates, Certificate Mis-issuance and Certificate Transparency
- Why It’s Dangerous to Use Outdated TLS Security Protocols