Mimecast Certificates Compromised
In case you missed it, Mimecast, a cloud cybersecurity services provider, announced that the same threat actors responsible for the SolarWinds breach had also compromised Mimecast-issued certificates. The compromised certificates provided access to encrypted account credentials that establish a connection from Mimecast tenants to on-premises and cloud services. The breach gave the attackers access to Azure Active Directory, Microsoft Exchange Web Services, LDAP, POP3 journaling and SMTP-authenticated delivery routes of Mimecast customers.
Mimecast Breach: Immediate Actions to Take
Mimecast has advised customers using the certificate-based connection to immediately delete the existing connection within their Microsoft 365 tenant and re-establish a new certificate-based connection using a new certificate that Mimecast has made available.
Microsoft has disabled the use of the former connection keys for all affected Mimecast customers, but out of an abundance of caution it is still best to re-establish a new certificate-based connection. Based on Mimecast’s investigation, the threat actors accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States (US) and the United Kingdom (UK).
While they are not aware that any of the encrypted credentials have been decrypted or misused, they do advise customers hosted in the US or UK to reset their credentials as a precautionary measure.
Key Takeaway: The Importance of Security Certificates
It is fundamentally important to have proper protocols in place for the management of security certificates: they underpin authentication and the safe exchange of information over a secure connection.
Many industries, including healthcare and banking, have audit requirements built in to ensure certificate authenticity. Whether you are a government agency or a commercial entity, the same focus should be placed on the proactive management of these certificates.
Certificate authorities (CAs) are commonly overlooked in cybersecurity investments. Many organizations rely on default security certificates for lack of knowledge. Default certificates are shared across multiple entities and could be a target for spoofing or a 0-day exploit. Other common issues include expired certificates, wildcard certificates, and certificates tied to mismatched domains.
Now is the time to audit your current certificates to ensure they are up to date. Ask these questions internally to ensure you are taking those proactive steps.
- Do you have individuals responsible for the management of your security certificates?
- Do your cyber security policies include documentation and processes for the proper management of your security certificates?
- Are you tracking your security certificates to ensure they are renewed yearly?
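One way to turn the questions above into a repeatable check is a small inventory audit that flags the problems the post names: expired or soon-to-expire certificates, wildcard certificates, certificates whose names do not cover the host they are deployed on, vendor-default certificates, and certificates with no assigned owner. The script below is an added example, not code from Mimecast or from this post. The inventory records, hostnames and the issuer name in DEFAULT_ISSUERS are constructed sample data; the wildcard matching follows the RFC 6125 rule that a wildcard may only be the entire left-most label and matches exactly one label.

```python
"""Certificate inventory audit (added example; constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class CertRecord:
    host: str            # hostname the certificate is deployed on
    subject_cn: str      # subject common name
    sans: List[str]      # subject alternative names (DNS)
    issuer: str          # issuing CA as printed on the certificate
    not_after: datetime  # expiry, timezone-aware
    owner: str = ""      # person/team accountable for renewal; empty = unassigned


# Assumption: a placeholder list of issuers known to ship shared, factory-default
# certificates. Replace with the issuer strings seen in your own environment.
DEFAULT_ISSUERS = {"Appliance Factory Default CA"}


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' must be the whole left-most label and matches
    exactly one label, so '*.example.test' covers 'a.example.test' but not
    'example.test' or 'a.b.example.test'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covers_host(cert: CertRecord) -> bool:
    # When SANs are present they take precedence over the CN.
    names = cert.sans or [cert.subject_cn]
    return any(name_matches(n, cert.host) for n in names)


def audit(cert: CertRecord, now: datetime, warn_days: int = 30) -> List[str]:
    """Return the list of findings for one certificate (empty list = clean)."""
    findings: List[str] = []
    if cert.not_after <= now:
        findings.append("expired")
    elif cert.not_after - now <= timedelta(days=warn_days):
        findings.append(f"expires within {warn_days} days")
    if any(n.startswith("*.") for n in cert.sans + [cert.subject_cn]):
        findings.append("wildcard certificate")
    if not covers_host(cert):
        names = cert.sans or [cert.subject_cn]
        findings.append(f"name mismatch: {cert.host} not covered by {names}")
    if cert.issuer in DEFAULT_ISSUERS:
        findings.append("vendor-default (shared) certificate")
    if not cert.owner:
        findings.append("no owner assigned")
    return findings


def audit_inventory(inventory: List[CertRecord], now: datetime,
                    warn_days: int = 30) -> Dict[str, List[str]]:
    return {c.host: audit(c, now, warn_days) for c in inventory}


# Constructed sample inventory: fictitious hosts, issuers and dates.
NOW = datetime(2021, 2, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    CertRecord("mail.example.test", "mail.example.test", ["mail.example.test"],
               "Example Internal CA", NOW + timedelta(days=200), owner="pki-team"),
    CertRecord("vpn.example.test", "*.example.test", ["*.example.test"],
               "Example Internal CA", NOW + timedelta(days=10), owner="pki-team"),
    CertRecord("portal.example.test", "appliance.local", ["appliance.local"],
               "Appliance Factory Default CA", NOW - timedelta(days=5)),
    CertRecord("api.eu.example.test", "*.example.test", ["*.example.test"],
               "Example Internal CA", NOW + timedelta(days=400), owner="pki-team"),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY, NOW).items():
        print(host, "->", findings or ["ok"])
```

Feeding this the real inventory exported from your CA, load balancers and mail gateways is the practical step; the point of the example is that each of the questions above becomes a concrete, automatable finding rather than a once-a-year conversation.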
Have exploit concerns?
If you are concerned that you may have been breached or even exploited, the best course of action is to conduct a quick penetration test and vulnerability scan for peace of mind.
Please reach out to our team if you don’t know where to get started, or if you don’t have the security expertise or bandwidth in-house to dedicate to this effort. We are here to help.