budgetuf.blogg.se

Dmarc xml file viewer










Mail servers readily hijacked due to MSP oversight

Email authentication checks could be hoodwinked by phishing emails impersonating nearly 200 Australian organizations due to a vulnerability discovered more than two years after its conception.

Now fixed, the problem was traced to a managed service provider (MSP) that designed the organizations’ websites and managed their Domain Name System (DNS) and email infrastructure.

The MSP in question, the Precedence Group, had “unfortunately added an extremely over-permissive SPF DNS record to each of the domains”, Sebastian Salla, CEO of CanIPhish and cloud security architect at Palo Alto Networks, told The Daily Swig.

According to a blog post published by Salla today (December 1), attackers merely had to acquire any of the many SPF-compliant IP addresses that were not under the control of the target organization in order to pass SPF and DMARC authentication checks.

“Because the MSP added every single AWS /16 address block in Australia to the SPF record of each organization, any Amazon Web Services (AWS) user could spin up a virtual machine and send authenticated emails as though they come from these organizations,” Salla told The Daily Swig.

“You can cross-reference these address blocks against AWS’ public IP ranges file to see the issue,” added Salla.

The Sender Policy Framework (SPF) is an email authentication mechanism designed to detect fraudulent emails that are ostensibly sent on behalf of legitimate entities.

Organizations stipulate a list of IP addresses that are authorized to send emails on their behalf within their SPF record, which is published on their DNS.

Emails purporting to come from the organization that originate from an IP address not listed in its SPF record will therefore be flagged as suspicious.

Salla sent himself an email purporting to be from a city council that passed email authentication checks.

‘Extreme risk’

Salla found that 190 organizations were impacted by the MSP’s SPF oversight, including city councils, financial services firms, freight service companies, legal firms, and construction companies.

“Given the position many of these organizations are in (i.e. in and around property/financial services), there was an extreme risk to Australian individuals in the form of business email compromise attacks,” said Salla.
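The cross-reference Salla describes, checking an SPF record's address blocks against AWS' public IP ranges file, can be scripted as a defensive audit. This is an added example, not code from the article or from Salla's blog post: it assumes the `prefixes` / `ip_prefix` / `region` layout of AWS's ip-ranges.json, and the SPF record, address ranges and function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json
# (top-level "prefixes" list with "ip_prefix", "region", "service").
# Addresses are private-range placeholders, not real AWS allocations.
SAMPLE_AWS_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "10.20.0.0/15", "region": "ap-southeast-2", "service": "EC2"},
  {"ip_prefix": "10.44.8.0/21", "region": "ap-southeast-2", "service": "EC2"},
  {"ip_prefix": "10.99.0.0/16", "region": "us-east-1",      "service": "EC2"}
]}
""")

# Constructed SPF record for a hypothetical domain.
SAMPLE_SPF = ("v=spf1 ip4:10.20.0.0/16 ip4:10.44.0.0/16 ip4:192.0.2.25 "
              "include:_spf.example.net -all")


def spf_ip4_networks(record):
    """Return the ip4: mechanisms of an SPF record as network objects."""
    nets = []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")           # drop the qualifier, if any
        if term.lower().startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets


def audit_spf(record, cloud_ranges, max_hosts=256):
    """Flag ip4 mechanisms that overlap shared cloud space or are very broad."""
    cloud = [(ipaddress.ip_network(p["ip_prefix"]), p["region"])
             for p in cloud_ranges["prefixes"]]
    findings = []
    for net in spf_ip4_networks(record):
        regions = sorted({region for c, region in cloud if net.overlaps(c)})
        if regions:
            findings.append((str(net), "overlaps cloud range", regions))
        elif net.num_addresses > max_hosts:
            findings.append((str(net), "broad range", []))
    return findings


if __name__ == "__main__":
    for net, reason, regions in audit_spf(SAMPLE_SPF, SAMPLE_AWS_RANGES):
        print(f"{net}: {reason} {', '.join(regions)}")
```

A single address inside cloud space can be a legitimately held static IP, so each finding is a prompt for review; whole provider blocks authorized in SPF are the pattern the article describes.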










