UPDATED 21:32 EST / JANUARY 12 2021

SECURITY

Hackers compromise Mimecast certificate used to connect to Microsoft 365

A security certificate issued by Mimecast Services Ltd., used to authenticate some of the company’s products to Microsoft Corp.’s Microsoft 365 Exchange Web Services, has been compromised.

The certificate, issued to some Mimecast customers to authenticate the Mimecast Sync and Recover, Continuity Monitor and IEP products, was targeted by a “sophisticated threat actor,” the company said in a blog post today. Approximately 10% of Mimecast’s customers use the certificate, and only a low single-digit number of customer Microsoft 365 tenants were targeted. Mimecast learned of the compromise from Microsoft.

Compromise of the certificate would allow an attacker to take over the authenticated connection, giving them the ability to read and modify the data it protects, in this case inbound and outbound email. That access could also potentially be used to reach a customer’s Microsoft 365 Exchange Web Services and steal further information.

Mimecast is advising affected customers to immediately delete the existing connection with their Microsoft 365 tenant and re-establish a new certificate-based connection using a newly issued certificate that has been made available. “Taking this action does not impact inbound or outbound mail flow or associated security scanning,” Mimecast noted.

The company also said that it has engaged a third-party forensics expert to assist in its investigation and will work closely with Microsoft and law enforcement as appropriate.

“Once an organization has been breached, all of the organization’s digital certificates (ones the organization owns and has private keys for) should be destroyed and recreated as it is nearly impossible to know with certainty that the attacker has not stolen the private keys,” Oliver Tavakoli, chief technology officer at threat detection and response firm Vectra AI Inc., told SiliconANGLE. “If the attacker compromises a server, steals the private key for a certificate and then restores the server to its original state, the server will appear to have escaped the breach, but the attacker can now use the private key to perform any actions that the certificate entitles.”

Tavakoli added that the incident underlines the importance of protecting private keys, since in many cases they should be regarded in the same manner as privileged accounts. “Secure storage using an HSM, or other secure enclaves together with an audit log of usage, is an absolute necessity,” he said.
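The remediation Mimecast describes (retire the old connector certificate, establish a new one) and Tavakoli’s two points (rotate every certificate whose key may have been copied; keep an audit log of certificate use) can be turned into a concrete post-incident check. The script below is an added example written for this article, not code from Mimecast, Microsoft or Vectra AI: it takes a certificate inventory and a usage log, flags certificates that predate a suspected compromise window so they can be reissued, and flags usage events that a usage log makes visible, such as a retired certificate still authenticating, a certificate presented from an unexpected network, or a thumbprint nobody issued. The inventory rows, thumbprints, dates, IP ranges and log format are all constructed for the example.

```python
"""Post-compromise certificate audit (added example; all data constructed).

Two checks a defender wants after a suspected private-key theft:
  1. which certificates must be destroyed and reissued, and
  2. whether the usage log shows a certificate being used in a way the
     legitimate integration never would.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class CertRecord:
    thumbprint: str          # placeholder identifier, not a real fingerprint
    subject: str
    issued: datetime         # certificate notBefore
    key_in_hsm: bool         # private key non-exportable (HSM / secure enclave)
    allowed_sources: list    # CIDR blocks expected to present this certificate


# Constructed inventory: every certificate the organisation holds a key for.
INVENTORY = [
    CertRecord("THUMB-OLD-001", "CN=m365-connector-old",
               datetime(2020, 6, 1, tzinfo=timezone.utc), False, ["203.0.113.0/24"]),
    CertRecord("THUMB-NEW-002", "CN=m365-connector-new",
               datetime(2021, 1, 12, tzinfo=timezone.utc), True, ["203.0.113.0/24"]),
]

# Earliest moment the attacker could have had access (constructed assumption).
COMPROMISE_WINDOW_START = datetime(2020, 12, 1, tzinfo=timezone.utc)

# When each retired certificate was replaced; any later use is a finding.
RETIRED = {"THUMB-OLD-001": datetime(2021, 1, 12, tzinfo=timezone.utc)}

# Constructed usage log: "<ISO-8601 UTC> <thumbprint> <client ip> <outcome>"
USAGE_LOG = """\
2021-01-10T08:00:00Z THUMB-OLD-001 203.0.113.10 auth_ok
2021-01-11T02:13:00Z THUMB-OLD-001 198.51.100.7 auth_ok
2021-01-13T09:00:00Z THUMB-NEW-002 203.0.113.10 auth_ok
2021-01-14T11:30:00Z THUMB-OLD-001 203.0.113.10 auth_ok
2021-01-14T11:31:00Z THUMB-UNKNOWN 203.0.113.10 auth_ok
"""


def certs_requiring_rotation(inventory, window_start):
    """Return (thumbprint, priority) for every certificate whose key existed
    before the compromise window. A key that lived on disk may have been
    copied even if the host was later restored, so it is the higher priority;
    an HSM-held key cannot be exported but could still have been *used*
    while the attacker had access, so it is rotated too."""
    out = []
    for c in inventory:
        if c.issued < window_start:
            out.append((c.thumbprint, "key-on-host" if not c.key_in_hsm else "hsm-key"))
    return out


def parse_log(text):
    """Parse the constructed log format into (timestamp, thumbprint, ip, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, thumb, ip, outcome = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, thumb, ipaddress.ip_address(ip), outcome))
    return events


def anomalous_usage(events, inventory, retired_after):
    """Flag successful authentications that the legitimate integration would
    not produce: unknown thumbprint, unexpected source network, or a
    certificate used after it was retired."""
    by_thumb = {c.thumbprint: c for c in inventory}
    findings = []
    for when, thumb, ip, outcome in events:
        if outcome != "auth_ok":
            continue
        rec = by_thumb.get(thumb)
        if rec is None:
            findings.append((when, thumb, "unknown certificate presented"))
            continue
        if not any(ip in ipaddress.ip_network(n) for n in rec.allowed_sources):
            findings.append((when, thumb, f"use from unexpected source {ip}"))
        if thumb in retired_after and when >= retired_after[thumb]:
            findings.append((when, thumb, "use after retirement"))
    return findings


if __name__ == "__main__":
    for thumb, prio in certs_requiring_rotation(INVENTORY, COMPROMISE_WINDOW_START):
        print(f"ROTATE {thumb} ({prio})")
    for when, thumb, why in anomalous_usage(parse_log(USAGE_LOG), INVENTORY, RETIRED):
        print(f"FINDING {when.isoformat()} {thumb}: {why}")
```

The second check only works because a usage log exists at all, which is the practical reason behind the "audit log of usage" advice: without per-use records, a stolen key that authenticates from an attacker-controlled network after the legitimate certificate has been replaced is indistinguishable from normal traffic.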

Although those behind the hack have not been named, Saryu Nayyar, chief executive officer of unified security and risk analytics company Gurucul Solutions Pvt Ltd. A.G., believes that the attack appears to be the work of the same sophisticated attackers that breached SolarWinds and multiple government agencies.

“This shows the skill and tenacity state and state-sponsored actors can bring to bear when they are pursuing their agenda,” Nayyar noted. “Against this sort of opponent, civilian organizations will need to up their game if they don’t want to become the next headline.”

Image: Mimecast
