SMTP Multipass

In July 2020 7 Elements discovered a vulnerability in Rackspace that exposed all its global hosted email customers to the potential malicious use of their email domain by unauthorised actors. Malicious actors had the ability to leverage multiple accounts and pass security checks designed to detect spoofed emails. This was utilised in the wild to conduct targeted phishing attacks.

7 Elements has called this the “SMTP Multipass” attack.

The vulnerability was the result of how the SMTP servers for Rackspace (emailsrvr.com) authorised users. When this vulnerability is placed within the context of Rackspace’s guidance on customers specifically authorising these SMTP servers to send email on their behalf via DNS entries (denoting the use of SPF records), it can be used to form a viable attack vector.

This allows an attacker, authenticated under one customer account, to send emails as another customer. Those emails would be received by the recipient, pass email security checks and be identified as coming from a legitimate sender. Given this, malicious actors could use this to masquerade as a chosen target domain, potentially causing reputational damage.

The vulnerability was discovered by the 7 Elements team through our incident response service back in July 2020. 7 Elements engaged with Rackspace, through our responsible disclosure process, at the start of August 2020.

The Incident

Whilst supporting a client’s internal investigation into a targeted email compromise incident, our team and the client’s technical team worked together to assess inbound emails. This collaborative approach identified that the malicious actor(s) involved with the business email attack were sending emails using Rackspace customer domains. However, it was noted that when doing so the actor(s) authenticated with a user account under a different domain, successfully spoofing Rackspace hosted email customers and passing SPF controls.

By using this approach, the malicious actor was able to bypass the client’s email filters and was free to choose from a large pool of suitable domains that make use of Rackspace’s hosted email offering.

This prompted further investigation by the 7 Elements team, which ultimately identified that any customer of the hosted email service was vulnerable to this issue. This was especially the case if their SPF records were set to pass emails from emailsrvr.com (as recommended by Rackspace). Based upon conversations with Rackspace, our understanding is that all customers of the hosted email service were vulnerable. Clients included US federal agencies, UK local government, military, politicians, financial organisations and high-profile individuals.

Force Multiplier

In this instance, two individual issues combine to have a greater impact. The first is the vulnerability within the Rackspace hosted email service that allows an authenticated user of the platform to send emails as any domain (including those that also use the service). The second is in how DNS entries configured by legitimate customers of Rackspace specifically authorised the affected Rackspace SMTP servers (emailsrvr.com) for the purpose of sending emails on behalf of that domain. So, any email coming from that IP on behalf of that domain is de facto authorised. The following image shows such an email:

Screenshot showing a POC email sent as another domain

In the Wild

As stated earlier, we are already aware of this vulnerability being utilised in the wild. With our internal POC scripts, it was a trivial exercise to identify vulnerable domains and then, using a single account, authenticate to the SMTP server and send emails from those other domains. From an investigation point of view, as the email will appear to be legitimate (passing SPF security checks), the email headers would need to be interrogated for the specific traits outlined below:

Date: Thu, 24 Sep 2020 14:02:18 +0000
To: 7 Elements <contact-us@7elements.co.uk>
From: Finance <finance@**redacted**.com>
Reply-To: Finance <finance@**redacted**.com>
Subject: SMTP Multipass

X-Mailer: PHPMailer 6.1.7 (https://github.com/PHPMailer/PHPMailer)
Received-SPF: Pass (protection.outlook.com: domain of **redacted**.com designates
146.20.161.126 as permitted sender) receiver=protection.outlook.com;
client-ip=146.20.161.126; helo=smtp126.iad3b.emailsrvr.com;
X-Auth-ID: john@7ei.cc
Authentication-Results: spf=pass (sender IP is 146.20.161.126)
smtp.mailfrom=**redacted**.com; 7elements.co.uk; dkim=none (message not signed)
header.d=none;7elements.co.uk; dmarc=pass action=none
header.from=**redacted**.com;compauth=pass reason=100
Received: from smtp126.iad3b.emailsrvr.com (146.20.161.126) by
HE1EUR02FT008.mail.protection.outlook.com (10.152.10.77) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.3412.21 via Frontend Transport; Thu, 24 Sep 2020 14:02:20 +0000

Example email header with highlighted fields of interest.

Please note, the sample headers above are from one of our test emails against a live domain (hence the redacted content). The key header fields of interest are highlighted to show the email ‘from’ and ‘to’ as well as the various checks being passed.

Specifically, to identify this exploit we are looking for an X-Auth-ID value that does not match the ‘From’ address (usually at the domain level). In addition, the sending server “emailsrvr.com” indicates Rackspace as the sender. The malicious actors we have found to be using this in the real world also made use of PHPMailer to send the email, although this would not be required to exploit the vulnerability.

For our test, we used a trial account (7ei.cc) within Rackspace to send an email as another domain that had the relevant SPF records. A malicious actor could have done the same or, as with the real-life cases we have investigated, used compromised accounts.
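The header checks described above, written out as an added example that is not part of the original post or of 7 Elements’ POC scripts: a small standard-library Python script that parses a raw message, compares the domain of X-Auth-ID with the domain of From, and records whether the message was relayed through emailsrvr.com, whether SPF passed and whether the X-Mailer is PHPMailer. The sample messages are constructed from the redacted header block above, with victim-domain.example standing in for the redacted customer domain; the second sample is a constructed legitimate message from the same customer, to show that the check only fires on the mismatch.

```python
"""Flag inbound mail that shows the 'SMTP Multipass' header traits.

Added example (not 7 Elements' code). Standard library only; run
analyse(open("message.eml").read()) on a saved message.
"""
import email
from email.utils import parseaddr

# Constructed sample modelled on the redacted header block in the post.
# 'victim-domain.example' stands in for the redacted customer domain.
SUSPICIOUS_SAMPLE = """\
Date: Thu, 24 Sep 2020 14:02:18 +0000
To: 7 Elements <contact-us@7elements.co.uk>
From: Finance <finance@victim-domain.example>
Reply-To: Finance <finance@victim-domain.example>
Subject: SMTP Multipass
X-Mailer: PHPMailer 6.1.7 (https://github.com/PHPMailer/PHPMailer)
Received-SPF: Pass (protection.outlook.com: domain of victim-domain.example designates
 146.20.161.126 as permitted sender) receiver=protection.outlook.com;
 client-ip=146.20.161.126; helo=smtp126.iad3b.emailsrvr.com;
X-Auth-ID: john@7ei.cc
Authentication-Results: spf=pass (sender IP is 146.20.161.126)
 smtp.mailfrom=victim-domain.example; dmarc=pass action=none
 header.from=victim-domain.example
Received: from smtp126.iad3b.emailsrvr.com (146.20.161.126) by
 HE1EUR02FT008.mail.protection.outlook.com (10.152.10.77) with Microsoft SMTP
 Server; Thu, 24 Sep 2020 14:02:20 +0000

(body)
"""

# Constructed legitimate message: the customer's own user sending through
# the same Rackspace relay, so X-Auth-ID and From share a domain.
LEGITIMATE_SAMPLE = """\
From: Finance <finance@victim-domain.example>
To: 7 Elements <contact-us@7elements.co.uk>
Subject: Invoice
X-Auth-ID: finance@victim-domain.example
Received-SPF: Pass (receiver=mx.7elements.example; client-ip=146.20.161.126)
Received: from smtp126.iad3b.emailsrvr.com (146.20.161.126) by mx.7elements.example

(body)
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, bare = parseaddr(header_value or "")
    return bare.rpartition("@")[2].lower()


def analyse(raw_message: str) -> dict:
    """Return the extracted fields, the list of findings and a verdict."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    auth_id = msg.get("X-Auth-ID", "")
    auth_domain = domain_of(auth_id)
    # Received headers are read most-recent-first; any hop via emailsrvr.com
    # marks the message as relayed by Rackspace hosted email.
    via_rackspace = any("emailsrvr.com" in hop.lower()
                        for hop in msg.get_all("Received", []))
    spf_pass = msg.get("Received-SPF", "").strip().lower().startswith("pass")
    phpmailer = "phpmailer" in msg.get("X-Mailer", "").lower()

    findings = []
    if auth_id and auth_domain != from_domain:
        findings.append(f"X-Auth-ID domain '{auth_domain}' differs from "
                        f"From domain '{from_domain}'")
    if via_rackspace:
        findings.append("relayed via emailsrvr.com (Rackspace hosted email)")
    if spf_pass:
        findings.append("SPF passed: the mismatch is not caught by SPF alone")
    if phpmailer:
        findings.append("X-Mailer is PHPMailer (seen in real cases, not required)")

    # The post's core trait: an authenticated identity from a different
    # domain, relayed by the shared Rackspace servers.
    suspicious = bool(auth_id) and auth_domain != from_domain and via_rackspace
    return {
        "from_domain": from_domain,
        "auth_domain": auth_domain,
        "via_rackspace": via_rackspace,
        "spf_pass": spf_pass,
        "findings": findings,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE),
                          ("legitimate", LEGITIMATE_SAMPLE)):
        result = analyse(sample)
        print(f"{label}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The verdict deliberately depends on both the X-Auth-ID mismatch and the emailsrvr.com hop, since a sub-domain or alias set up by the same customer could legitimately produce a mismatch on other infrastructure. Where a mail gateway exposes headers to rules, the same two conditions can be expressed as a transport rule rather than a script.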

Summary

The main impact of this vulnerability is that a malicious actor is able to send emails as any domain using the Rackspace hosted email solution, and we have already seen it in use by malicious actors with a focus on business email compromise attacks.

By sending email as another domain, the malicious actor can leverage the trust of that brand to coerce clicking on a link for a phishing style attack, or potentially use the domain to send content that could result in reputational damage or even financial fraud through malicious invoicing-based attacks.

Disclosure Timeline

  • 20th July 2020 – Client receives phishing email using this technique to achieve business email compromise (with intent to conduct financial fraud).
  • ~30th July 2020 – 7 Elements provides assistance to the client’s internal team, collaboratively identifies this technique and is able to reproduce it.
  • 7th August 2020 – After finishing up our incident response effort we confirmed with the client that they would like us to report the issue to Rackspace. This contact is made to security@rackspace.com.
  • 7th August 2020 to 25th August 2020 – Communication with Rackspace around verifying the issue, the timeline for fixing the issue and ethical considerations of disclosure. Rackspace confirms that internally they are already aware of the exposure. Agreement to follow the standard 90-day responsible disclosure window after a commitment by Rackspace to work toward fixing the issue.
  • 15th September 2020 – Rackspace provide 7 Elements with an update to advise that another party has also discovered the exploit and notified them.
  • 3rd November 2020 – Rackspace provide 7 Elements with an update to advise that customer-specific communications went out on the 29th October to advise of the issue, with a fix planned to start on the 5th November 2020.
  • 5th November 2020 – Agreed disclosure date.

Image credit: Waverley Jane Media

7 Elements are now a CREST accredited company

7 Elements achieves CREST (The Council for Registered Ethical Security Testers) company accreditation in recognition of our professional penetration testing services.

CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST provides internationally recognised accreditations for organisations and professional level certifications for individuals.

Company accreditation builds upon our long-term commitment to professional certifications for our testing team, many of whom hold either CREST Registered Tester (CRT) or CREST Certified Tester (CCT) status.

More information on our penetration testing services can be found here.

Zooming in on security

The business landscape has undergone a sudden, drastic shift to remote access, in order to cope with the current social isolation requirements. Commensurately, the usage of video conferencing applications has skyrocketed. Perhaps the video conference tool that has most benefited from this change in business model is Zoom. The company has seen a huge boost in popularity, with reports of up to a 535% increase in traffic[1].

Wide adoption can help reduce the burden of continued operations challenges faced by a company, and a simple, reliable and flexible platform is an IT team’s dream. In spite of this, a number of security concerns persist within the Zoom platform, which should be taken into account when looking to implement it within an organisation’s operations.

Challenges in vulnerability remediations

The core security concerns raised around the Zoom platform to date relate to the ability to perform video-chat hijacking, insufficient end-to-end encryption, and a number of recently discovered vulnerabilities within the client installed on a user’s device. One issue previously identified within the software related to privilege escalation on Mac OS X devices, which may be leveraged to achieve malicious code execution or, in the case of a malicious actor, be used as an entry point into an organisation’s wider infrastructure. Another concern related to sensitive information disclosure that may allow an attacker to manipulate a user into inadvertently leaking their user credentials[2].

Ever Evolving Threats

While these issues had been previously identified and were obviously a concern for people using the platform, the significant increase in user base has led to security researchers and malicious actors seeking to identify attack vectors within the software to target users. This resulted in three zero-day vulnerabilities in the software being identified and publicised during the first 3 days of April 2020. The first two vulnerabilities[3] may allow an attacker to inject malicious code within a Zoom installer to achieve privilege escalation. This may be used in tandem with other attack vectors, such as a phishing attack, to target individuals or organisations.

Another vulnerability identified may allow a malicious actor to perform a malicious code injection attack that would give the attacker equivalent access rights to that of the Zoom application, meaning they would be able to intercept and spy on users via the microphone and web cam used as part of the chat.

The final issue, which was raised publicly on April 3rd 2020[4], related to the use of inadequate data encryption, which appeared to be an in-house implementation. It is highly recommended to avoid ‘rolling your own’ cryptography implementation and to use established and comprehensively reviewed methods that are widely available. The encryption implementation Zoom use was determined to contain flaws which in some instances may allow encrypted data that has been intercepted to be decrypted.

Slow start, but a rapid response

While Zoom have acknowledged the presence of these issues and have announced publicly that they are in the process of resolving them, concerns persist about the nature of their ongoing security activities and processes. Security researchers have previously been critical of the response times between disclosure of bugs and remediation by the company. On March 30th 2020, New York’s Attorney General, Letitia James, contacted the company requesting an outline of the security measures that Zoom are undertaking to resolve these issues, as well as to safeguard the platform, particularly due to the swell in its user base[5]. Zoom published an open letter on their public blog detailing the steps they have taken already, as well as steps they will be taking over the next 90 days to improve the security posture of the platform as a whole[6].

The steps highlighted include a freeze on new features to allocate developers to resolving open security issues and platform hardening. They intend to engage with third parties such as security architects and penetration testing firms to perform audits and security assessments on the platform, to enhance their existing bug bounty platform, and to employ methods of transparency with users to allow them to understand what is done with their data and whom it may be shared with. They have also released security fixes for Mac OS X and Microsoft Windows clients to remediate a number of the vulnerabilities publicised.

In reality, while the flaws raised publicly so far are concerning, they should be considered in context. Many of them require at least a low privileged user account on local devices, which may significantly reduce the likelihood of a successful device compromise, unless another attack is successful to gain that initial access. In the matter of the encryption implementation, the significant resources required for a successful attack to be performed make it a fairly low risk attack vector, and the majority of users would be unlikely to be legitimate targets.

Conclusion

As with any adoption of new conferencing technology during this period of change, organisations should ask themselves if they are comfortable with what is being discussed over the conferencing platform and what adverse impact could intentional or unintentional disclosure of that content cause the business.

Further consideration should be given to any risks that the installation of software could bring to the integrity of end point devices. While Zoom are now clearly in the headlights and will undoubtedly take additional steps to assure organisations that they can deliver, the increased attention is likely to result in further security concerns being identified.

Matthew Linney (Senior Consultant)

References:

[1] https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing

[2] https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/

[3] https://objective-see.com/blog/blog_0x56.html

[4] https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

[5] https://www.digitaltrends.com/news/new-york-attorney-general-is-latest-to-question-zooms-privacy/

[6] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

Scottish Business Hub

The team here at 7 Elements are proud to be a supporter of the Scottish Business Hub.

The hub, created by ScotlandIS with support across industry, offers as many of Scotland’s digital technologies resources as possible to businesses either free of charge or at discounted rates. It provides Scottish businesses with essential digital tools to support rapid transformation at this challenging time.

As part of this we will provide free cyber incident triage calls for all SMEs within the Scottish business economy during #COVID-19. This could range from advice and guidance on how to deal with a ransomware attack or business email compromise, through to a hacked web site or computer virus.

Further information on our approach to cyber incidents can be found here: https://www.7elements.co.uk/services/incident-response/

If you have an ongoing cyber incident call our triage team on 0131 235 2901

Keeping the Show on the Road

With the onset of the current COVID-19 pandemic causing huge operational shifts for organisations, their IT operations will have to adapt in kind. Not only will organisations need to maintain their current legacy operations, they may need to leverage new tools to enable remote working. As a result, tools such as VPNs to access internal resources, or new cloud environments, may be deployed to allow operations to continue. Malicious actors, such as those focused on ransomware or business email compromise, may take any opportunity presented to them to cause negative impact. Given this, it is paramount that organisations take the time to ensure that they continue to maintain good cyber security hygiene while managing the wider risks posed to both employees and the wider business by COVID-19.
The following guidance looks at a number of core cyber security controls that should be maintained to help organisations weather the current storm.

Vulnerability Management

The first of these priorities should be to ensure that organisations continue to download and install software security updates upon release. A comprehensive patching policy, covering operating systems and third-party software, must be a cornerstone of an organisation’s security policy. Ensuring that potentially exploitable vulnerabilities within software are minimised and resolved as soon as possible can significantly reduce one of the primary attack vectors malicious actors will seek to target.
On some occasions, security patches may introduce bugs into the operation of that software. As a result, it is recommended that where the business has capacity, it should install these patches in a test environment to verify the stability of the software once the patches are installed, before issuing to the wider estate.

Data Backup

Another priority should be ensuring that all sensitive and important business data is adequately backed up. A robust backup mechanism, that stores current data for the short term in one location before appending it to a longer-term, more comprehensive backup solution, would ensure that multiple disaster recovery scenarios are prepared for, especially in terms of dealing with ransomware attacks.
In the event of sudden data loss, the short term backups can be rolled out, reducing the need for operational downtime. Equally, in the event of a breach, the data can be rolled back from the longer term solution to a time before the breach occurred, removing the potential for loss of data integrity and providing a measure of non-repudiation.
Consideration should be given to ensuring that any new technology deployed (such as cloud based solutions) to enable the organisation to deal with changes to working patterns is included within its backup requirements. A key question to ask would be “Have any changes we have implemented altered where our sensitive data is held?”

Changes to the network perimeter

Due to the current government advisory of social isolation, the number of remote workers within organisations has skyrocketed. This places higher burdens on the existing remote access solutions such as VPNs to access internal resources, or forces organisations to deploy new solutions to allow access remotely. This can pose a number of risks, such as exposing services to the internet that may not have been appropriately configured. Another issue may relate to the use of outdated software if this solution has been in place for some time. Any new or existing software should be deployed to adhere to recommended good practices, such as those provided by the National Cyber Security Centre (NCSC) as part of their End User Device Security guide. https://www.ncsc.gov.uk/collection/end-user-device-security?curPage=/collection/end-user-device-security/eud-overview/vpns

Robust Password Policy

Another significant security control that must remain a focus is a robust password policy, with multi-factor authentication enforced where possible, especially where new services are being stood up in short timescales. Modern password cracking ‘rigs’ designed to brute-force password hashes, cloud computing resources that can be scaled up as needed to target user accounts in a number of ways, and generic password guessing/brute-forcing attacks are all common attack vectors. Enforce a strong password requirement, such as those laid out by NCSC (https://www.ncsc.gov.uk/collection/passwords/updating-your-approach) or the National Institute of Standards and Technology (NIST).
An example of NCSC’s current advice on user password creation is to allow users to use three random words as a password. That should be easy for a user to remember but difficult for an attacker to guess, while typically being of a sufficient length to make password cracking very difficult.

Enable MFA Everywhere

Multi-Factor Authentication (MFA) can further reduce the likelihood of a successful account compromise. Other solutions may be to use enterprise Single Sign-On (SSO) solutions that are designed to reduce the number of passwords a user must remember, while allowing for access to multiple applications and services. This can allow for a stronger password to be set without the confusion of multiple passwords to manage.

Phishing Awareness

With the increase in remote working comes a decrease in the ability of the workforce to communicate face to face. As a result, the number of emails received is likely to increase. While email security is a fairly broad topic, with a number of security controls that can be implemented, it is often the human factor that leads to issues. Phishing attacks have become more and more sophisticated, with methods to evade technical controls constantly being discovered. As a result, training plans that aid all users with the identification of potentially malicious emails, as well as the process to report them, are often a crucial piece of the puzzle. This training will need to be ongoing to ensure that emerging threats and trends are taught to staff.

Conclusion

While organisational IT operations are forced to change and evolve due to the current challenges faced by society, the core security practices we have laid out should not be neglected or ignored. They are as crucial to an organisation’s ongoing security now as they were a year ago. Many organisations will already have these practices implemented, while a number will still need to adopt them. Whether just rolled out, or implemented and in use for several years, auditing and security testing is vital to verifying that the controls implemented do as intended and to identifying any gaps in the controls.

David Stubley (CEO) and Matt Linney (Senior Security Consultant), 7 Elements

7 Elements expands with new office

2020 is already proving to be a good year for the team, as 7 Elements continues to grow with the addition of a new office in Leicester.

The technical team based out of the new office will be led by Senior Security Consultant, John Moss, who said, “We have a great technical team working from our new office, a number of which are graduates of the cyber security course here at DMU and I am really excited to continue to build local relationships.”

The team has already hit the ground running, with recent engagements ranging from penetration testing of a business with over 15,000 clients and 30 million users, to providing incident response capability as part of a multi-million pound cyber breach.

“As we enter our 10th year, the company continues to grow in strength, with the addition of our managed vulnerability service Clarus – https://clarussecurity.io and now a permanent team in Leicester to manage the increased demand in England for our security testing and incident response services.” says CEO David Stubley.

BEC Attacks via LinkedIn Email

A new business email compromise (BEC) based campaign using compromised LinkedIn profiles to deliver content was identified by the team at 7 Elements today (7th November 2019).

The campaign uses LinkedIn email to deliver a message enticing the user to follow a link, which would result in the user being prompted for credentials. The phishing kit is complex in nature, supporting multiple email providers such as Office 365, Gmail and Hotmail. Analysis of the kit also showed inbuilt defensive capabilities designed to disrupt investigation by security vendors.

The following video demonstrates how an end user could be enticed to provide their email credentials via this campaign:

The campaign started at 07:03hrs on the 7th November 2019 and was still active at the point of publishing this advisory at 21:45hrs (14hrs later). In this period there had been over 1,900 visits to the phishing site, with 670 (35%) of those from the UK.

More detailed analysis of the phishing kit will follow in a later post.

CyberIsle2019

October the 23rd saw the inaugural Isle of Man Government Cyber Security Conference – ‘CyberIsle 2019’, where our CEO David Stubley was invited to speak on the subject of Business Email Compromise (BEC).

The talk covered the motivations for malicious actors looking to conduct such attacks, the anatomy of a successful attack and then three case studies based upon real life incidents that the team here at 7 Elements have managed for our clients.

The talk finished with mitigation advice that can be deployed by any organisation to reduce the risk of a successful compromise. The following document provides an overview of BEC and the core content from the presentation:

Anatomy of a BEC Attack – Release

The talk also looked at how malicious actors can gain credentials via attacks against externally facing infrastructure, such as Virtual Private Network (VPN) devices. More information on this can be found here: http://www.7elements.co.uk/resources/research/exploit-script-cve-2018-13379/

If you would like to discuss how to gain assurance over cloud based email solutions such as Office 365 then please get in touch with the team.

Exploit Script for CVE-2018-13379

While conducting further analysis of the path traversal vulnerability within the FortiOS SSL VPN web portal, the team at 7 Elements created a script to enumerate vulnerable hosts and extract sensitive information such as user names and passwords.

The following video shows the tool in action with the ability to scan multiple hosts (the script used for the purpose of the video masks sensitive information):

Using the script it was possible to enumerate ~200k hosts globally, identifying around 20,000 vulnerable hosts and extracting over 60,000 credentials (further blog post to follow).

Both the NSA and NCSC have recently posted advisories alerting on the use of this vulnerability by Nation State Advanced Persistent Threat (APT) actors to gain access to enterprise environments.

Over three weeks prior to the advisories, the team here at 7 Elements identified that what was then being reported as a medium risk issue was in fact a critical impact issue. More on that can be found here.

Today we have released a version of the script that is limited to a single IP/host to enable testing against devices owned by the individual running the script. The tool can be downloaded here.

CYBERISLE 2019

CYBERISLE 2019 is the Isle of Man government’s flagship cyber security event.

Hosted by the Office of Cyber Security & Information Assurance (OCSIA), CYBERISLE 2019 features world-class speakers, solutions and opportunities for interaction between the public and private sectors. The event is free to attend and will be at the Royal Hall, Villa Marina, Douglas, Isle of Man on the 23rd October 2019.

As part of the event, our CEO, Dave Stubley will deliver a talk on Protecting the Enterprise: Business Email Compromise.

Talk Introduction:

What does a successful compromise of an organisation’s email system look like, and what can we do to protect ourselves?

A recent study by the U.S. Treasury Department revealed that business email compromise scams were costing U.S. companies more than $300 million a month, and the FBI warned that the total financial loss globally due to BEC attacks is at least $12.5 billion. Closer to home: UK’s National Cyber Security Centre (NCSC) reported that BEC attacks cost UK businesses £32 million (in 2017/18).

This talk will use real-life case studies from recent incidents to dissect the anatomy of a modern Business Email Compromise (BEC) attack, from current attack trends to mailbox manipulation and exfiltration of sensitive data through to onward compromise of new mailboxes. Building on this knowledge we will then explore easy to implement mitigation strategies.

For more information about CYBERISLE 2019 and to register, please visit the events page here.