The UK-based (Edinburgh) cyber security specialist, 7 Elements, has discovered a security vulnerability at the global cloud computing provider Rackspace. As part of incident response activities carried out on behalf of a client, 7 Elements is aware of this vulnerability being utilised in the wild to conduct business email compromise attacks with a view to obtain funds.
It is understood that until recently, all global Rackspace hosted email customers were vulnerable to the malicious use of their email domain by unauthorised actors. These clients included US federal agencies, UK local government, military, politicians, financial organisations and other high-profile individuals.
The vulnerability was discovered in July 2020, and the team at 7 Elements entered a responsible disclosure process with Rackspace at the start of August 2020.
John Moss, Senior Security Consultant at 7 Elements, said:
“Our investigation showed that this vulnerability was being actively exploited by at least one malicious actor to spoof emails; there are obviously some serious questions to be answered by Rackspace if it was aware of this vulnerability and its exploitation resulted in reputational or financial loss for a business.”
The vulnerability was the result of how the SMTP servers for Rackspace (emailsrvr.com) authorised users. When this vulnerability is placed within the context of Rackspace’s guidance that customers specifically authorise these SMTP servers to send email on their behalf via DNS entries (SPF records), it forms a viable attack vector. Such emails would be received by the recipient, pass email security checks and be identified as coming from a legitimate sender. Malicious actors could use this to conduct targeted phishing attacks or to masquerade as the chosen target domain, causing reputational damage.
Given the ability to leverage multiple accounts and pass security checks designed to reject spoofed emails, 7 Elements has called this the “SMTP Multipass” attack.
David Stubley, CEO at 7 Elements, added:
“Cloud hosted email offers a cost effective and flexible approach to manage your corporate email requirements. However, the cloud is no different to the wider challenges of managing an organisation’s data securely. With these unique opportunities, unique risks will arise. In this case it would appear that Rackspace had decided to make a risk decision on behalf of its customers, rather than informing them of the issue so that the organisation could make an educated decision on how the vulnerability sat within the overall organisational risk appetite.”
Whilst supporting a client’s internal investigation into a targeted email compromise incident, 7 Elements worked with the client’s technical team to assess inbound emails. This collaborative approach identified that the malicious actor(s) involved with the business email attack was sending emails using Rackspace domains. They authenticated with a user account under a different domain, successfully spoofing Rackspace hosted email customers, bypassing SPF controls.
By using this approach, the malicious actor was able to bypass the client’s email filters and was free to choose from a large pool of suitable domains that make use of Rackspace’s private email offering. This prompted further investigation by 7 Elements, which ultimately identified that any customer of the hosted email service was vulnerable to this issue, especially if their SPF record was set to pass emails from emailsrvr.com (as recommended by Rackspace).
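To make the SPF side of this concrete, the following is an added example (not code from 7 Elements or Rackspace): a minimal SPF evaluator over a constructed DNS table. It shows why a record that includes a shared provider passes for mail from any of that provider's outbound servers, whichever tenant authenticated, so a defender should read such a pass as "left the provider", not "sent by this domain's owner". The domain names other than emailsrvr.com and the IP ranges are constructed assumptions.

```python
import ipaddress

# Constructed DNS TXT records for the example. The ranges are RFC 5737
# documentation addresses, not Rackspace's real ranges; only the provider
# name emailsrvr.com comes from the advisory.
DNS_TXT = {
    "emailsrvr.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    "victim.example": "v=spf1 include:emailsrvr.com -all",    # follows provider guidance
    "attacker.example": "v=spf1 include:emailsrvr.com -all",  # another tenant, same include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, depth=0):
    """Evaluate a simplified SPF record (ip4, include, all only).
    Returns (result, matched_via): matched_via is the domain whose own
    mechanism matched, so a caller can tell a pass via a third-party
    include apart from a pass via the sender's own mechanisms."""
    record = DNS_TXT.get(domain)
    if record is None or depth > 10:          # missing record or include loop guard
        return "none", None
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier], domain
        elif term.startswith("include:"):
            # include matches only when the referenced record yields "pass"
            sub_result, via = spf_check(term[8:], client_ip, depth + 1)
            if sub_result == "pass":
                return "pass", via
        elif term == "all":
            return QUALIFIERS[qualifier], domain
    return "neutral", None

def shared_include_pass(mail_from_domain, client_ip):
    """True when SPF passed only through a third-party include. Such a pass
    proves the message came from the shared provider's servers, not that
    mail_from_domain's own tenant sent it, and deserves extra scrutiny."""
    result, via = spf_check(mail_from_domain, client_ip)
    return result == "pass" and via != mail_from_domain
```

Both tenant domains return "pass" for the same provider IP, which is exactly the property the advisory describes; flagging passes attributed to a shared include lets a mail filter weight them less than passes from a domain's own mechanisms.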
A full technical explanation can be found at the following link (which will be live as of 09:00 on the 5th November 2020): https://www.7elements.co.uk/resources/blog/smtp-multipass/
- 20th July 2020 – client receives a phishing email using this technique to achieve business email compromise (with intent to conduct financial fraud).
- ~30th July 2020 – 7 Elements provides assistance to the client’s internal team; together they identify this technique and are able to reproduce it.
- 7th August 2020 – after completing an incident response effort, 7 Elements confirms with the client that the issue is to be reported to Rackspace. This contact is made to email@example.com.
- 7th August 2020 to 25th August 2020 – protracted communication with Rackspace around verifying the issue, the timeline for fixing it and the ethical considerations of disclosure. Rackspace confirms that internally it is already aware of the exposure. Agreement to follow a standard 90-day responsible disclosure window after a commitment by Rackspace to work toward fixing the issue.
- 15th September 2020 – Rackspace provides 7 Elements with an update advising that another party has also discovered the exploit.
- 5th November 2020 – agreed disclosure date.
*Sender Policy Framework (SPF) is a method used to verify that an email is coming from the genuine sender. A domain publishes, in its DNS records, the IP addresses of the mail servers authorised to send mail on its behalf; receiving servers check the sending server’s address against that list.