The UK-based (Edinburgh) cyber security specialist, 7 Elements, has discovered a security vulnerability at the global cloud computing provider Rackspace. As part of incident response activities carried out on behalf of a client, 7 Elements is aware of this vulnerability being used in the wild to conduct business email compromise attacks with a view to obtaining funds.
It is understood that until recently, all global Rackspace hosted email customers were vulnerable to the malicious use of their email domain by unauthorised actors. These clients included US federal agencies, UK local government, military, politicians, financial organisations and other high-profile individuals.
The vulnerability was discovered in July 2020, and the team at 7 Elements entered into a responsible disclosure process with Rackspace at the start of August 2020.
John Moss, Senior Security Consultant at 7 Elements, said: “Our investigation showed that this vulnerability was being actively exploited by at least one malicious actor to spoof emails. There are obviously some serious questions to be answered by Rackspace if it was aware of this vulnerability and its exploitation resulted in reputational or financial loss for a business.”
The vulnerability was the result of how the Rackspace SMTP servers (emailsrvr.com) authorised users: an account authenticated under one hosted domain could send email with a sender address belonging to a different hosted domain. Placed in the context of Rackspace’s guidance that customers authorise these SMTP servers to send email on their behalf via DNS entries (their SPF records), this forms a viable attack vector. Such emails would be received by the recipient, pass email security checks (SPF in particular) and be identified as coming from a legitimate sender. Malicious actors could use this to conduct targeted phishing attacks or to masquerade as the chosen target domain, causing reputational damage.
Given the ability to leverage multiple accounts and pass security checks designed to reject spoofed emails, 7 Elements has called this the “SMTP Multipass” attack.
David Stubley, CEO at 7 Elements, added: “Cloud hosted email offers a cost-effective and flexible approach to manage your corporate email requirements. However, the cloud is no different to the wider challenges of managing an organisation’s data securely. With these unique opportunities, unique risks will arise. In this case it would appear that Rackspace had decided to make a risk decision on behalf of its customers, rather than informing them of the issue so that the organisation could make an educated decision on how the vulnerability sat within the overall organisational risk appetite.”
Whilst supporting a client’s internal investigation into a targeted email compromise incident, 7 Elements worked with the client’s technical team to assess inbound emails. This collaborative approach identified that the malicious actor(s) behind the business email compromise attack were sending emails through Rackspace’s mail servers while spoofing Rackspace hosted domains: they authenticated with a user account under a different Rackspace hosted domain and used it to send as other Rackspace hosted email customers, bypassing SPF controls.
By using this approach, the malicious actor was able to bypass the client’s email filters and was free to choose from the large pool of domains that use Rackspace’s private email offering. This prompted further investigation by 7 Elements, which ultimately identified that any customer of the hosted email service was vulnerable to this issue, particularly if their SPF record was set to pass emails from emailsrvr.com (as recommended by Rackspace).
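The following is an added illustrative model of the mechanism described in the paragraphs above (the shared relay's authorisation decision and the recipient's SPF check); it is not Rackspace's or 7 Elements' code. The DNS records, IP addresses, account names and password are constructed for the example; only the `include:emailsrvr.com` target reflects the recommended SPF guidance the text refers to. The `relay_accepts_vulnerable` function models the authorisation behaviour as the text describes it, and `relay_accepts_hardened` shows the check that closes it, namely binding the envelope sender domain to the authenticated account.

```python
"""Illustrative model of the 'SMTP Multipass' weakness described above.

Added example, not Rackspace's or 7 Elements' code. DNS records, IP
addresses and accounts are constructed; only the include target
(emailsrvr.com) follows the recommended SPF guidance mentioned in the text.
"""
import ipaddress

# Constructed SPF data. Two unrelated customers both follow the provider's
# guidance and delegate to the shared sending infrastructure via include:.
# The ip4 range is hypothetical, not the provider's real address space.
DNS_TXT = {
    "emailsrvr.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "victim.example": "v=spf1 include:emailsrvr.com ~all",
    "attacker.example": "v=spf1 include:emailsrvr.com ~all",
}

# Constructed: the shared relay's outbound address as seen by the recipient.
SHARED_OUTBOUND_IP = "203.0.113.25"

# Constructed tenant credentials on the shared relay (username -> password).
ACCOUNTS = {"mallory@attacker.example": "hunter2"}


def spf_check(domain, client_ip, depth=0):
    """Minimal SPF evaluation supporting ip4, include, -all and ~all.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. The include
    mechanism matches when the included domain evaluates to 'pass' for the
    same client IP, which is exactly what lets one shared relay pass SPF
    for every domain that includes it.
    """
    record = DNS_TXT.get(domain)
    if record is None or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            if spf_check(term[len("include:"):], client_ip, depth + 1) == "pass":
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "neutral"


def domain_of(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def relay_accepts_vulnerable(username, password, mail_from):
    """Authorisation as the text describes the flaw: valid credentials are
    enough, and the envelope sender is never tied to the authenticated
    account, so any tenant may send as any other tenant's domain."""
    return ACCOUNTS.get(username) == password


def relay_accepts_hardened(username, password, mail_from):
    """Hardened form: credentials must be valid AND the sender domain must
    belong to the authenticated account. A real relay would consult a
    per-account list of permitted sender domains (and apply the same check
    to the header From) rather than this simple equality."""
    if ACCOUNTS.get(username) != password:
        return False
    return domain_of(mail_from) == domain_of(username)


def submit_and_verify(relay, username, password, mail_from):
    """Model one message: the relay decides whether to send it, then the
    recipient evaluates SPF for the sender domain against the relay's IP.
    Returns (accepted_by_relay, spf_result_at_recipient_or_None)."""
    if not relay(username, password, mail_from):
        return (False, None)
    return (True, spf_check(domain_of(mail_from), SHARED_OUTBOUND_IP))


if __name__ == "__main__":
    # A tenant of attacker.example submits mail as the CEO of an unrelated tenant.
    args = ("mallory@attacker.example", "hunter2", "ceo@victim.example")
    print("vulnerable relay:", submit_and_verify(relay_accepts_vulnerable, *args))
    print("hardened relay:  ", submit_and_verify(relay_accepts_hardened, *args))
```

The recipient's SPF check sees only the relay's IP and the spoofed domain's record, and because every customer's record delegates to the same include, it cannot tell one tenant from another; the message from the vulnerable relay evaluates to `pass` for victim.example. A DMARC policy satisfied by SPF alignment would pass as well in this model, since the envelope and header From domains agree. The only place the mismatch between the authenticated account and the sender domain is visible is the relay, which is why the control has to live there.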
A full technical explanation can be found at the following link (live as of 09:00 on 5 November 2020): https://www.7elements.co.uk/resources/blog/smtp-multipass/