
Rackspace security vulnerability leaves customers open to cyberattack: SMTP Multipass

Edinburgh-based (UK) cyber security specialist 7 Elements has discovered a security vulnerability at the global cloud computing provider Rackspace. As part of incident response activities carried out on behalf of a client, 7 Elements is aware of this vulnerability being utilised in the wild to conduct business email compromise attacks with a view to obtaining funds.  

It is understood that, until recently, all Rackspace hosted email customers worldwide were vulnerable to the malicious use of their email domain by unauthorised actors. These customers include US federal agencies, UK local government, the military, politicians, financial organisations and other high-profile individuals.  

The vulnerability was discovered in July 2020 and resulted in the team at 7 Elements engaging in a responsible disclosure process with Rackspace at the start of August 2020.  

John Moss, Senior Security Consultant at 7 Elements, said:

“Our investigation showed that this vulnerability was being actively exploited by at least one malicious actor to spoof emails. There are obviously some serious questions to be answered by Rackspace if it was aware of this vulnerability and its exploitation resulted in reputational or financial loss for a business.”  

The vulnerability was the result of how the SMTP servers for Rackspace (emailsrvr.com) authorised users. When this vulnerability is placed within the context of Rackspace’s guidance that customers specifically authorise these SMTP servers to send email on their behalf via DNS entries (that is, SPF[1] records), it can be used to form a viable attack vector. Recipients would receive these emails, which pass email security checks and are identified as coming from a legitimate sender. Malicious actors could utilise this functionality to conduct targeted phishing attacks or to masquerade as the chosen target domain, causing reputational damage. 

Given the ability to leverage multiple accounts and pass security checks designed to reject spoofed emails, 7 Elements has named this the “SMTP Multipass” attack. 

David Stubley, CEO of 7 Elements, added:

“Cloud hosted email offers a cost-effective and flexible approach to managing your corporate email requirements. However, the cloud is no different to the wider challenges of managing an organisation’s data securely. With these unique opportunities come unique risks. In this case it would appear that Rackspace had decided to make a risk decision on behalf of its customers, rather than informing them of the issue so that the organisation could make an educated decision on how the vulnerability sat within the overall organisational risk appetite.”  

Background  

Whilst supporting a client’s internal investigation into a targeted email compromise incident, 7 Elements worked with the client’s technical team to assess inbound emails. This collaborative approach identified that the malicious actor(s) involved in the business email attack were sending emails using Rackspace domains. They authenticated with a user account under a different domain, successfully spoofing Rackspace-hosted email customers and bypassing SPF controls.  

By using this approach, the malicious actor was able to bypass the client’s email filters and was free to choose from a large pool of suitable domains that make use of Rackspace’s private email offering. This prompted 7 Elements to investigate further, which ultimately identified that any customer of the hosted email service was vulnerable to this issue, especially if their SPF record was set to pass emails from emailsrvr.com (as recommended by Rackspace).  

A full technical explanation can be found at the following link (which will be live as of 09:00 on 5th November 2020): http://www.7elements.co.uk/resources/blog/smtp-multipass/  

Disclosure timeline  

  • 20th July 2020 – client receives phishing email using this technique to achieve business email compromise (with intent to conduct financial fraud)  
  • ~30th July 2020 – 7 Elements provides assistance to the client’s internal team; together they identify this technique and are able to reproduce it.  
  • 7th August 2020 – following completion of the incident response work, 7 Elements confirmed with the client that the issue was to be reported to Rackspace. The contact used was security@rackspace.com.  
  • 7th August 2020 to 25th August 2020 – protracted communication with Rackspace around verifying the issue, the timeline for fixing the issue and ethical considerations of disclosure. Rackspace confirms that internally it is already aware of the exposure. Agreement to follow the standard 90-day responsible disclosure window after a commitment by Rackspace to work toward fixing the issue.  
  • 15th September 2020 – Rackspace provides 7 Elements with an update advising that another party has also discovered the exploit.  
  • 5th November 2020 – agreed disclosure date.  

*[1] Sender Policy Framework (SPF) is a method used to verify that an email is coming from the genuine sender. This is done by publishing, in DNS records for the domain, the IP addresses of the email servers authorised to send mail on behalf of that domain.  
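To illustrate why a shared-provider `include:` makes every customer domain pass SPF for mail relayed through that provider, here is an added example (not code from 7 Elements or Rackspace) with a minimal SPF evaluator over constructed DNS data; the IP ranges, `victim.example` and `strict.example` are placeholders, and the emailsrvr.com record shown is invented for the demonstration, not Rackspace's real one.

```python
import ipaddress

# Constructed TXT records for illustration only. The emailsrvr.com entry is a
# placeholder standing in for a shared provider's SPF record, not the real one.
DNS_TXT = {
    "emailsrvr.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "victim.example": "v=spf1 include:emailsrvr.com -all",  # provider-style guidance
    "strict.example": "v=spf1 ip4:198.51.100.10 -all",      # only its own server
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mail_from_domain, sender_ip, depth=0):
    """Minimal SPF evaluation of the MAIL FROM domain for a connecting IP.
    Supports ip4, include and all; other mechanisms are ignored for brevity."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms; treat deep chains as error
        return "permerror"
    record = DNS_TXT.get(mail_from_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # An include passes if the referenced domain's record passes.
            matched = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def shared_includes(domain, shared_providers):
    """Audit helper: list shared-provider includes a domain's SPF record
    authorises, i.e. servers where any of the provider's customers can
    authenticate and send with this domain in MAIL FROM."""
    record = DNS_TXT.get(domain, "")
    return [t[8:] for t in record.split()
            if t.startswith("include:") and t[8:] in shared_providers]
```

Because SPF is evaluated against the MAIL FROM domain and the connecting IP only, a message from the shared server with `victim.example` in MAIL FROM passes regardless of which provider account sent it; `shared_includes` flags the records that carry this exposure.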
