SolarWinds attackers suspected in Microsoft authentication compromise

Microsoft warned that a Mimecast-issued certificate was compromised by a threat actor, likely the same one behind the SolarWinds attacks. (Microsoft)

Mimecast issued a new certificate and is urging affected customers to delete the old one after Microsoft warned of a compromise by a threat actor, likely the same one behind the SolarWinds attacks.

The certificate allows organizations to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services.

“The attack against Mimecast and their secure connection to Microsoft’s Office 365 infrastructure appears to be the work of the same sophisticated attackers that breached SolarWinds and multiple government agencies,” said Saryu Nayyar, CEO at Gurucul. This shows the skill and tenacity state and state-sponsored actors can bring to bear when they are pursuing their agenda. 

The impact, thus far, seems to be small. Noting that about 10 percent of its customers use the connection, Mimecast said “there are indications that a low single digit number of our customers’ M365 tenants were targeted” and that those companies had been alerted.

“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available,” Mimecast said in an update that noted the action will not impact either inbound or outbound mail flow or associated security scanning.

Because the compromised certificates were used by Mimecast email security products to access organizations’ Microsoft 365 Exchange servers, “an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications,” according to Terence Jackson, chief information security officer at Thycotic.

For companies that follow a recently issued National Security Agency advisory that recommends using TLS 1.2 with perfect forward secrecy cipher suites or TLS 1.3, “the issue of a compromised key becomes moot,” said Vishal Jain, chief technology officer at Valtix.

“We recommend taking out the misconfiguration possibility by only supporting PFS suites. You can also add the good practice of having one, CRLs and/or two, OCSP in place,” Jain said. “Both are a bit expensive for handshakes, but can help in revoking compromised certs where the key exchange for a new session was not PFS protected.”
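The PFS-only recommendation can be checked mechanically. The following Python example is added here for illustration and is not from the article, Mimecast or Valtix; the two cipher strings and the function names are assumptions. It builds a TLS 1.2+ server context and lists any enabled suite whose key exchange is not ephemeral.

```python
import ssl

# Assumption: OpenSSL cipher-string syntax; ECDHE with AEAD only, no static RSA.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"
# Constructed legacy policy for comparison: its first suite uses static RSA key exchange.
LEGACY_CIPHERS = "AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"


def make_context(cipher_string):
    """Server-side context limited to TLS 1.2+ with the given TLS 1.2 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # TLS 1.3 suites are not affected by this call
    return ctx


def non_pfs_ciphers(ctx):
    """Names of enabled suites whose key exchange is not ephemeral (EC)DHE."""
    flagged = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 full handshakes always use ephemeral (EC)DHE
        if not suite["name"].startswith(("ECDHE-", "DHE-")):
            flagged.append(suite["name"])
    return flagged


if __name__ == "__main__":
    for label, policy in (("legacy", LEGACY_CIPHERS), ("pfs-only", PFS_CIPHERS)):
        ctx = make_context(policy)
        print(label, "non-PFS suites:", non_pfs_ciphers(ctx) or "none")
```

A non-empty result means a session could still be negotiated with a key exchange that depends on the long-term private key, which is the case where revocation through CRLs or OCSP matters most.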

Nayyar warned companies against discounting the damage that such a persistent and wily opponent can do. “Civilian organizations will need to up their game if they don’t want to become the next headline.”

The post SolarWinds attackers suspected in Microsoft authentication compromise appeared first on SC Media.
