Mimecast reported yesterday (January 12, 2021) that attackers had compromised a certificate used to authenticate some Mimecast services to Microsoft 365 Exchange. They haven’t released many details, but it seems that the private key used to authenticate Mimecast products to Microsoft 365 was breached. Mimecast’s email security products scan emails in order to protect against spam, phishing, malware and ransomware. When using Microsoft 365 Exchange, their online email service currently in use by over a million companies worldwide, it is necessary to give Mimecast access to the organization’s emails in order to carry out the scanning.
That access is protected via a certificate (private key), and if that is stolen, then it means that an attacker can get the same access. That is a very dangerous situation. (I want to stress that given how little information Mimecast has provided, it’s hard to say exactly what access is provided by that certificate, so it’s hard to determine how severe the breach actually is. Nevertheless, it is clear from the response that it is very serious.)
This is reminiscent of the recent SolarWinds Orion incident in that it is a supply chain attack. The attacker’s target was not Mimecast, but rather Mimecast’s customers. The stolen certificate can be used to break into numerous targets, and so this attack can be very effective.
Supply chain attacks are not new. In 2011, attackers broke into RSA and stole a database of secret keys used in their SecurID one-time password authenticators. This enabled attackers to impersonate any one-time password device and so bypass the strong authentication methods used by RSA customers. Initially, RSA played down the attack and its consequences. However, a few months later, they confirmed that the stolen secrets were used by attackers to break into Lockheed Martin. It is widely believed that the attackers got their hands on significant parts of the plans of the F-35 fighter plane.
Back in 2011, such breaches appeared to be few and far between. However, as with general cybersecurity threats, they are growing in frequency and in severity.
These threats cause a serious dilemma for organizations. It is not possible to build all your own software or to verify that software that you buy has no security holes, nor is it possible to prevent any vendor that you work with from being breached. However, it is extremely ironic to be attacked via the supplier of your security software. Many organizations report that their biggest security concerns come from the vendors and companies that they work with and that are connected to their networks. This is not surprising – it is something that almost feels out of the organization’s control, and the organization’s ability to influence it is small.
Having said the above, as with everything in cybersecurity, although it is beyond our ability to completely prevent attacks, information is our friend and there is a lot that we can do. This starts with validating that the organizations that we work with not only take security seriously but also understand that, like anything else, you have to innovate and stay ahead of threats by understanding the landscape and solutions. This is certainly true of RSA and Mimecast, but there were a lot of indications that SolarWinds did not take security seriously and that is very unfortunate to say the least. Verifying this means going far beyond the checklist approach to security, as well as being willing to work with a vendor whose UI may not be as nice or whose price is higher, but who takes security seriously.
As a community, when this becomes the standard practice, then vendors will have no choice, and this will improve security for everyone. Unfortunately, I have seen multiple cases of very successful young SaaS companies with extremely poor security posture. My only interpretation of this is that their customers just don’t care (or know) enough to ask or are not willing to pay the price (if there is one) of going with someone else who has better security.
In addition to the above, it is important to analyze how external organizations connect to our infrastructure and to demand transparency as to exactly what they do. Recall that if they are breached, then an attacker can do whatever they can do. As a result, understanding these interconnections is crucial to an organization’s threat modeling. It also enables an organization to limit access to the bare minimum in order to minimize the effect of a breach if one happens.
Finally, I would be remiss to ignore the specific source of this attack on Mimecast, as well as in the cases of RSA and SolarWinds (at least in part). In all of these cases, as with many others, private cryptographic keys were stolen and this enabled the attackers to bypass the important security mechanisms they supported. Cryptography without strong key protection becomes weak, and so this (sometimes annoying and painful) issue must be given significant attention.
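An added example (not from the original post) of turning the last two points into a check: given a constructed inventory of vendor integrations and the credentials and permissions they hold in your tenant, it flags privileges beyond the stated need, over-long or expired certificate lifetimes, and private keys not held in hardware, and maps each permission to the vendors whose key compromise would expose it. The inventory field names, the vendor entries and the policy thresholds are assumptions; only the scope names follow the Microsoft Graph application-permission style.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory of third-party integrations holding credentials into our
# tenant. The field names are hypothetical (not a Graph or Mimecast schema);
# scope names follow the Microsoft Graph application-permission style.
INTEGRATIONS = [
    {"vendor": "mail-security-scanner", "credential": "certificate",
     "key_storage": "vendor-software-keystore",
     "not_before": "2020-01-01T00:00:00Z", "not_after": "2023-01-01T00:00:00Z",
     "scopes": ["Mail.ReadWrite", "Directory.Read.All"], "needs": ["Mail.Read"]},
    {"vendor": "hr-sync", "credential": "certificate", "key_storage": "hsm",
     "not_before": "2020-12-01T00:00:00Z", "not_after": "2021-06-01T00:00:00Z",
     "scopes": ["User.Read.All"], "needs": ["User.Read.All"]},
]
MAX_LIFETIME = timedelta(days=398)  # assumed policy: ~13 months, as for public TLS certs

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assess(item, now):
    """Return (severity, finding) pairs for one vendor integration."""
    findings = []
    extra = sorted(set(item["scopes"]) - set(item["needs"]))
    if extra:  # least privilege: a stolen key should only unlock what the vendor needs
        findings.append(("high", f"over-privileged: {extra} not needed for stated function"))
    nb, na = parse_ts(item["not_before"]), parse_ts(item["not_after"])
    if na - nb > MAX_LIFETIME:  # long-lived credentials widen the window after a theft
        findings.append(("medium", f"credential lifetime {(na - nb).days} days exceeds policy"))
    if na < now:
        findings.append(("high", "expired credential still registered; remove it"))
    elif na - now < timedelta(days=30):
        findings.append(("low", "credential expires within 30 days; plan rotation"))
    if item["credential"] == "certificate" and item["key_storage"] != "hsm":
        findings.append(("high", "private key not hardware-protected; a copy grants the same access"))
    return findings

def blast_radius(integrations):
    """Map each granted scope to the vendors holding it: what a leaked vendor key exposes."""
    out = {}
    for item in integrations:
        for scope in item["scopes"]:
            out.setdefault(scope, []).append(item["vendor"])
    return out

def run_report(integrations, now_iso):
    """Assess every integration as of now_iso; returns {vendor: findings}."""
    now = parse_ts(now_iso)
    return {item["vendor"]: assess(item, now) for item in integrations}
```

Running `run_report(INTEGRATIONS, "2021-01-13T00:00:00Z")` flags the mail scanner three times (excess scopes, a three-year certificate, a software-held key) and passes the HSM-backed, tightly scoped HR sync.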