Hackers Use Respected Cloud Hosting Provider Rackspace Email Flaw to Spam Victims
Table of Contents
- By Dawna M. Roberts
- Published: Nov 06, 2020
- Last Updated: Mar 18, 2022
DataBreachToday reported this morning that Texas-based Rackspace, a large, respected cloud hosting provider, had been the victim of hacker exploits for an unknown period of time. Cybercriminals have been exploiting an SMTP Multipass Flaw in their hosted email service to send out phishing emails using legitimate domains belonging to Rackspace customers.
The Technical Details
According to 7 Elements, an Edinburgh, Scotland, IT security company hackers have been using an “SMTP Multipass” cyber attack and all of Rackspace’s customers with hosted email are at risk of being abused. 7 Elements discovered this flaw after one of its clients was attacked. They immediately reported the (BEC scheme - CEO fraud) in July to Rackspace.
Rackspace responded by informing customers that it intends to fix the problem sometime this month. However, when questioned about the issue, Rackspace declined to comment further. Speculation is running high about how long this flaw has been in place and how much damage hackers have caused using it.
What is SMTP?
SMTP stands for simple mail transfer protocol and is one of many transfer vehicles that carries email across networked systems. SMTP is part of the TCP/IP protocol used to store and forward email using an MTA (Mail Transfer Agent). Using SMTP, your email doesn’t move in one single event; it may take a few steps to get it to its intended destination. Messages may even be broken up into data packets and then reassembled upon arriving at the other end. SMTP cannot transfer fonts, graphics, attachments, etc. but it does handle simple text. SMTP also limits the number of emails that a server can handle within one hour.
How Does the SMTP Multipass Exploit Work?
To use a Rackspace customer email account, the user must have authenticated access, meaning they have to log in to an account with the proper credentials. Once a hacker gains access, they can send emails through the customer’s account as though they were them. Because they are using the person’s actual email account, nothing would flag the suspicious phishing emails as fraudulent or spam. Unfortunately, for the customer, it could cause real damage to their reputation and endanger their vendors, customers, and clients. Rackspace is a global cloud provider, and according to DataBreachToday, its customers include “multiple U.S. federal agencies, U.K. local government entities, military services, and politicians, as well as high-profile individuals.”
A list of some of the abused domains (provided by 7 Elements) are:
- “breitbart.com
- cadbury.co.uk
- gitlab.org
- hackerwarehouse.com
- honda.mx
- nationalguard.com
- marines.com
- richmondindiana.gov
- schneier.com
- schwarzenegger.com
- scorpioncomputerservices.com
- 666casino.com”
As reported in the article, 7 Elements used the flaw to duplicate the hacker’s process and spoof emails from a legitimate account.
The exploit works by tricking SPF (sender policy framework), which verifies a genuine sender using DNS records and the IP address. Therefore, if threat actors log into someone’s account and send mail directly from there, the SPF detection will believe that is it legitimate, regardless of the content.
7 Elements explains it as, “The flaw was the result of how the SMTP servers for Rackspace - emailsrvr.com - authorized users, combined with customers specifically authorizing these SMTP servers to send email on their behalf via DNS entries,” as denoted by SPF records, “especially if their SPF record was set to pass emails from emailsrvr.com - as [recommended by Rackspace](https://docs.rackspace.com/support/how-to/dns-record-definitions#txt-record) .”
Security experts can examine an email header to see if someone used the flaw to send it.
Rackspace’s Response
Back in August, John Moss of 7 Elements contacted Rackspace to alert them of the problem. “Our investigation showed that this vulnerability was being actively exploited by at least one malicious actor to spoof emails,” he said. Moss continued with, “There are obviously some serious questions to be answered by Rackspace, if it was aware of this vulnerability, and its exploitation resulted in reputational or financial loss for a business.”
A spokesperson for Rackspace told ISMG (a Rackspace customer) that they will be rolling out the fix within the next couple of weeks and that it will “update email hosting logic to restrict an authenticated user to only being allowed to send email from a domain tied to their Rackspace domain.”
Although Rackspace agreed to a joint vulnerability disclosure to release for November 5, they also told 7 Elements that another party had also discovered the issue and reported it to them earlier.
David Stubley of 7 Elements commented that “In this case, it would appear that Rackspace had decided to make a risk decision on behalf of its customers, rather than informing them of the issue so that organizations could make an educated decision,” meaning they could choose to find other hosting.
