3rd Party Risk Management , Account Takeover Fraud , Business Email Compromise (BEC)

Rackspace Hosted Email Flaw Actively Exploited by Attackers

Fraudsters Have Been Using SMTP Multipass Flaw for Business Email Compromise Schemes
Rackspace Hosted Email Flaw Actively Exploited by Attackers
Inside Rackspace's cybersecurity operations center (Photo: Rackspace)

Attackers have been actively exploiting a flaw in Rackspace's hosted email service to send phishing emails, bearing legitimate and validated domain names, as part of business email compromise scams.

See Also: How to Empower IT with Immutable Data Vaults

So warns 7 Elements, an IT security testing consultancy based in Edinburgh, Scotland, which says that attackers have been using what it's dubbed as an “SMTP Multipass" attack - SMTP refers to simple mail transfer protocol - since it's designed to subvert multiple accounts and bypass DNS-based defenses against spoofed emails. All organizations that use Rackspace's hosted email services appear to have been vulnerable to having their email domains get misused in this manner.

7 Elements says one of its clients was targeted using the attack, as part of a BEC scheme - aka CEO fraud effort - in July, after which it reported the problem directly to Rackspace.

Texas-based Rackspace is the world's largest managed cloud provider, and provides access to such cloud offerings as Amazon Web Services, Microsoft Azure and OpenStack.

The company has told at least some customers, including Information Security Media Group - a customer of Rackspace's hosted email service - that it aims to have a fix in place by the end of November.

But Rackspace did not immediately respond to multiple, additional questions concerning the flaw, including recommended mitigation steps pending a full fix, and for what length of time the flaw may have been getting exploited, or to what extent.

Required: Authenticated Access to Any Rackspace Account

Exploiting the flaw requires an attacker to have authenticated access to a Rackspace customer's instance, 7 Elements says in a blog post. With such access, an attacker can exploit the flaw to send emails as another Rackspace customer. Such emails "would be received by the recipient, pass email security checks and be identified as a legitimate sender," the firm says. "Malicious actors could utilize this functionality to conduct targeted phishing attacks or to masquerade as the chosen target domain, potentially causing reputational damage."

Organizations vulnerable to having their email domains get misused in this manner include not just ISMG, but also numerous other Rackspace customers, including multiple U.S. federal agencies, U.K. local government entities, military services and politicians, as well as high-profile individuals.

A sample of vulnerable email domains shared by 7 Elements include:

  • breitbart.com
  • cadbury.co.uk
  • gitlab.org
  • hackerwarehouse.com
  • honda.mx
  • nationalguard.com
  • marines.com
  • richmondindiana.gov
  • schneier.com
  • schwarzenegger.com
  • scorpioncomputerservices.com
  • 666casino.com

With ISMG's permission, 7 Elements was able to use the flaw to send an email to ISMG that spoofed a Rackspace customer domain, passed all security checks, and which appeared to be genuine.

Screenshot of a proof-of-concept email sent by 7 Elements from a test domain to a live domain (Source: 7 Elements)

Using technical details shared confidentially by 7 Elements, ISMG CTO Dan Grosu was able to confirm the findings, creating an independent proof of concept that leveraged multiple domains hosted by Rackspace for ISMG.

Rackspace has told ISMG, which raised the issue - as a customer - that its fix, hopefully arriving by the end of November, will update email hosting logic to restrict an authenticated user to only being allowed to send email from a domain tied to their Rackspace domain.

Separately, Rackspace has told 7 Elements that it began alerting customers about the flaw on Oct. 29, that it expects to begin rolling out fixes on Thursday, and conclude by the end of November.

Coordinated Disclosure

As noted, 7 Elements says one of its clients received a phishing email - tied to a BEC scheme - on July 20. After investigating, the firm said it was able to identify and reproduce the SMTP Multipass flaw about 10 days later.

“Our investigation showed that this vulnerability was being actively exploited by at least one malicious actor to spoof emails," says John Moss, a senior security consultant at 7 Elements. "There are obviously some serious questions to be answered by Rackspace, if it was aware of this vulnerability, and its exploitation resulted in reputational or financial loss for a business."

In early August, after concluding the incident response engagement, 7 Elements said it began what turned out to be "productive communication with Rackspace around verifying the issue, the timeline for fixing the issue and ethical considerations of disclosure."

"Our investigation showed that this vulnerability was being actively exploited by at least one malicious actor to spoof emails"
— John Moss, 7 Elements

Both organizations agreed a coordinated vulnerability disclosure date of Nov. 5, or more than 90 days after the flaw was reported. In mid-September, meanwhile, 7 Elements says Rackspace informed it that someone else had subsequently discovered and reported the flaw to it.

Technical Details

Specifically, the flaw subverts sender policy framework, or SPF, which is used to verify that an email has originated from a genuine sender, using a domain's DNS records to ensure that the IP address from which the email has been sent is doing so on behalf of the genuine domain, according to a full technical teardown of the flaw released by 7 Elements on Thursday.

"The flaw was the result of how the SMTP servers for Rackspace - emailsrvr.com - authorized users, combined with customers specifically authorizing these SMTP servers to send email on their behalf via DNS entries," as denoted by SPF records, "especially if their SPF record was set to pass emails from emailsrvr.com - as recommended by Rackspace," 7 Elements says.

Sample headers from a proof-of-concept email sent by 7 Elements to a live domain, which has been redacted.

One way to identify emails that have been sent using the flaw is to interrogate header information, the security firm says, "looking for an X-Auth-ID value that does not match the ‘from’ address," as well as “emailsrvr.com” being the sending email server. "The malicious actors we have found to be using this in the real world also made use of PHPmailer to send the email, although this would not be required to exploit the vulnerability," it adds.

PHPmailer is a code library designed to send emails from a web server. From an attacker's perspective, they could run the code on any server, including one to which they had gained illicit access.

"For our test, we used a trial account within Rackspace and set our domain to 7ei.cc," 7 Elements says. "A malicious actor could have done the same or as with the real-life cases we have investigated use compromised accounts."

How Long Has Flaw Existed?

With attackers actively exploiting the flaw, it's unclear how long Rackspace has known about the problem. "Cloud-hosted email offers a cost-effective and flexible approach to manage your corporate email requirements. However, the cloud is no different to the wider challenges of managing an organization's data securely," says 7 Elements CEO David Stubley.

"In this case it would appear that Rackspace had decided to make a risk decision on behalf of its customers, rather than informing them of the issue so that organizations could make an educated decision" about what degree of risk they might be willing to accept from their email hosting provider, he says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.