Rackspace Hosted Email Flaw Actively Exploited by Attackers
Fraudsters Have Been Using SMTP Multipass Flaw for Business Email Compromise Schemes
Attackers have been actively exploiting a flaw in Rackspace's hosted email service to send phishing emails, bearing legitimate and validated domain names, as part of business email compromise scams.
So warns 7 Elements, an IT security testing consultancy based in Edinburgh, Scotland, which says that attackers have been using what it has dubbed an "SMTP Multipass" attack - SMTP refers to Simple Mail Transfer Protocol - since it's designed to subvert multiple accounts and bypass DNS-based defenses against spoofed emails. All organizations that use Rackspace's hosted email services appear to have been vulnerable to having their email domains misused in this manner.
7 Elements says one of its clients was targeted using the attack, as part of a BEC scheme - aka CEO fraud effort - in July, after which it reported the problem directly to Rackspace.
Texas-based Rackspace is the world's largest managed cloud provider, and provides access to such cloud offerings as Amazon Web Services, Microsoft Azure and OpenStack.
The company has told at least some customers, including Information Security Media Group - a customer of Rackspace's hosted email service - that it aims to have a fix in place by the end of November.
But Rackspace did not immediately respond to multiple, additional questions concerning the flaw, including recommended mitigation steps pending a full fix, and for what length of time the flaw may have been getting exploited, or to what extent.
Required: Authenticated Access to Any Rackspace Account
Exploiting the flaw requires an attacker to have authenticated access to a Rackspace customer's instance, 7 Elements says in a blog post. With such access, an attacker can exploit the flaw to send emails as another Rackspace customer. Such emails "would be received by the recipient, pass email security checks and be identified as a legitimate sender," the firm says. "Malicious actors could utilize this functionality to conduct targeted phishing attacks or to masquerade as the chosen target domain, potentially causing reputational damage."
Organizations vulnerable to having their email domains get misused in this manner include not just ISMG, but also numerous other Rackspace customers, including multiple U.S. federal agencies, U.K. local government entities, military services and politicians, as well as high-profile individuals.
A sample of vulnerable email domains shared by 7 Elements includes:
With ISMG's permission, 7 Elements was able to use the flaw to send an email to ISMG that spoofed a Rackspace customer domain, passed all security checks, and which appeared to be genuine.
Using technical details shared confidentially by 7 Elements, ISMG CTO Dan Grosu was able to confirm the findings, creating an independent proof of concept that leveraged multiple domains hosted by Rackspace for ISMG.
Rackspace has told ISMG, which raised the issue - as a customer - that its fix, hopefully arriving by the end of November, will update email hosting logic to restrict an authenticated user to only being allowed to send email from a domain tied to their Rackspace domain.
Separately, Rackspace has told 7 Elements that it began alerting customers about the flaw on Oct. 29, that it expects to begin rolling out fixes on Thursday, and conclude by the end of November.
As noted, 7 Elements says one of its clients received a phishing email - tied to a BEC scheme - on July 20. After investigating, the firm said it was able to identify and reproduce the SMTP Multipass flaw about 10 days later.
"Our investigation showed that this vulnerability was being actively exploited by at least one malicious actor to spoof emails," says John Moss, a senior security consultant at 7 Elements. "There are obviously some serious questions to be answered by Rackspace, if it was aware of this vulnerability, and its exploitation resulted in reputational or financial loss for a business."
In early August, after concluding the incident response engagement, 7 Elements said it began what turned out to be "productive communication with Rackspace around verifying the issue, the timeline for fixing the issue and ethical considerations of disclosure."
Both organizations agreed a coordinated vulnerability disclosure date of Nov. 5, or more than 90 days after the flaw was reported. In mid-September, meanwhile, 7 Elements says Rackspace informed it that someone else had subsequently discovered and reported the flaw to it.
Specifically, the flaw subverts Sender Policy Framework, or SPF, which verifies that an email originated from a genuine sender by using a domain's DNS records to check that the IP address that sent the email is authorized to send on behalf of that domain, according to a full technical teardown of the flaw released by 7 Elements on Thursday.
"The flaw was the result of how the SMTP servers for Rackspace - emailsrvr.com - authorized users, combined with customers specifically authorizing these SMTP servers to send email on their behalf via DNS entries," as denoted by SPF records, "especially if their SPF record was set to pass emails from emailsrvr.com - as recommended by Rackspace," 7 Elements says.
One way to identify emails that have been sent using the flaw is to interrogate header information, the security firm says, "looking for an X-Auth-ID value that does not match the 'from' address," as well as "emailsrvr.com" being the sending email server. "The malicious actors we have found to be using this in the real world also made use of PHPmailer to send the email, although this would not be required to exploit the vulnerability," it adds.
PHPmailer is a code library designed to send emails from a web server. From an attacker's perspective, they could run the code on any server, including one to which they had gained illicit access.
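The header check 7 Elements describes can be scripted for mail triage. The following is an added example, not code from 7 Elements or Rackspace: it assumes X-Auth-ID carries the authenticated mailbox address, and every hostname and address in the sample messages is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

RELAY = "emailsrvr.com"  # sending server domain named by 7 Elements

def via_relay(msg):
    """True if any Received header names a host at or under RELAY."""
    for hop in msg.get_all("Received", []):
        for host in re.findall(r"[a-z0-9.-]+", hop.lower()):
            host = host.strip(".")
            # Match on a label boundary, so emailsrvr.com.mailer.example fails.
            if host == RELAY or host.endswith("." + RELAY):
                return True
    return False

def classify(raw):
    """Return 'n/a', 'match', 'same-domain-mismatch' or 'cross-domain-mismatch'."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Assumption: X-Auth-ID carries the authenticated mailbox address.
    auth_id = parseaddr(msg.get("X-Auth-ID", ""))[1].lower()
    if not (via_relay(msg) and auth_id and sender):
        return "n/a"  # not sent via the relay, or a needed header is missing
    if auth_id == sender:
        return "match"
    if auth_id.rpartition("@")[2] == sender.rpartition("@")[2]:
        return "same-domain-mismatch"  # same customer domain; triage separately
    return "cross-domain-mismatch"     # the pattern described in the article

def make(received_host, auth_id, sender):
    """Build a constructed sample message (all values are made up)."""
    return (
        f"Received: from {received_host} ({received_host} [192.0.2.10]) "
        "by mx.recipient.example\n"
        f"X-Auth-ID: {auth_id}\n"
        f'From: "Chief Executive" <{sender}>\n'
        "To: finance@recipient.example\n"
        "Subject: Invoice\n\nbody\n"
    )

SAMPLES = {
    "spoofed": make("smtp1.relay.emailsrvr.com", "trial@attacker.example", "ceo@victim.example"),
    "legit": make("smtp1.relay.emailsrvr.com", "ceo@victim.example", "ceo@victim.example"),
    "lookalike": make("emailsrvr.com.mailer.example", "a@attacker.example", "ceo@victim.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

Received lines added below the recipient's own mail server are supplied by the sending side and can be forged, so the relay check is most reliable when applied to the hop recorded by the receiving server.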
"For our test, we used a trial account within Rackspace and set our domain to 7ei.cc," 7 Elements says. "A malicious actor could have done the same or as with the real-life cases we have investigated use compromised accounts."
How Long Has Flaw Existed?
With attackers actively exploiting the flaw, it's unclear how long Rackspace has known about the problem. "Cloud-hosted email offers a cost-effective and flexible approach to manage your corporate email requirements. However, the cloud is no different to the wider challenges of managing an organization's data securely," says 7 Elements CEO David Stubley.
"In this case it would appear that Rackspace had decided to make a risk decision on behalf of its customers, rather than informing them of the issue so that organizations could make an educated decision" about what degree of risk they might be willing to accept from their email hosting provider, he says.