Attackers Compromised a Digital Certificate
Email security vendor Mimecast confirmed Tuesday that the hackers responsible for the SolarWinds supply chain hack also breached the security firm’s network to compromise a digital certificate that encrypts data that moves between some of the firm’s products and Microsoft’s servers.
When London-based Mimecast first acknowledged the breach earlier this month, the company reported that fewer than 10 of its clients had been targeted by the hackers during the compromise.
The company is urging affected customers in the U.S. and U.K. to break and reestablish their connections to Microsoft products with newly issued keys, according to the update.
“Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the United States and the United Kingdom to take precautionary steps to reset their credentials,” Mimecast says.
Earlier this month, Mimecast acknowledged that it was investigating an internal breach after Microsoft notified the company of an issue with one of the firm’s digital certificates (see: Mimecast Says Hackers Compromised Digital Certificate).
Following an investigation that included law enforcement agencies and a third-party incident response firm, Mimecast now believes that the digital certificate was compromised by the hackers who targeted SolarWinds’ Orion network monitoring platform.
“Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor,” according to the company update posted Tuesday.
In December 2020, Microsoft and FireEye acknowledged that the SolarWinds hackers had compromised their internal systems as well. And last week, Malwarebytes released a statement saying that the company had been victimized (see: Malwarebytes CEO: Firm Targeted by SolarWinds Hackers).
CrowdStrike is also investigating an incident that appears to be tied to the SolarWinds breach, but it says the hack was unsuccessful.
On Monday, Forbes reported that Palo Alto Networks is also investigating whether its networks may have been targeted by the same hackers.
Mimecast says the compromised certificate encrypts data exchanged between the security firm’s Sync and Recover, Continuity Monitor and Internal Email Protect products and Microsoft 365 Exchange Web Services.
About 10% of the company’s customers – or 3,900 users – use this type of connection between Mimecast products and Microsoft services. The company believes that fewer than 10 of those customers were targeted as a result of the certificate being compromised.
The additional investigation showed that once the certificate was compromised, the hackers accessed and potentially exfiltrated “certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom,” according to the company update.
Mimecast notes that these credentials establish connections from Mimecast tenants to on-premises and cloud services, including LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling and SMTP-authenticated delivery routes.
The company says most customers affected by this compromise have taken steps to disable the certificate and create new credentials. Mimecast is also taking steps to “isolate and remediate the identified threat” as well as monitor its networks for additional security issues.
Oliver Tavakoli, the CTO at security firm Vectra AI, notes that the latest update from Mimecast shows that the SolarWinds hackers seemed to focus much of their attention on compromising encryption keys that would give them continued access to networks that they had targeted (see: Microsoft Describes How SolarWinds Hackers Avoided Detection).
“The advantage of such an approach to the attacker is that possession of such keys allows for continued access to environments even when all other access has either been voluntarily relinquished by the attacker – to erase evidence of the attack – or has been rooted out by infosec teams by reimaging systems,” Tavakoli says.
The investigation into the SolarWinds hack is ongoing, and the Biden administration has ordered a full-scale review of the intelligence around the supply chain attack (see: President Biden Orders SolarWinds Intelligence Assessment).
Attackers added a backdoor called “Sunburst” into SolarWinds’ Orion network monitoring software. Up to 18,000 customers installed and ran the Trojanized software. Attackers then used Sunburst to target some of those customers. Intelligence experts have suggested that about 300 organizations may have been hit with these more advanced hack attacks, which could have led to data exfiltration, eavesdropping – including email inbox access – and follow-on attacks against business partners.
The U.S. agencies investigating the attack believe that a Russian-linked group is likely responsible and that the hack was part of an elaborate espionage campaign. Russia has denied any involvement.
On Tuesday, President Joe Biden held his first call with Russian President Vladimir Putin and raised concerns about the SolarWinds hack, according to the official readout from the White House.
The attack, which appears to have started in March 2020, went undetected until FireEye discovered that its penetration testing tools had been stolen. Two months into the investigation, security firms and researchers have found that the hackers used a wide range of malicious tools (see: ‘Raindrop’ Is Latest Malware Tied to SolarWinds Hack).