Security researcher Sebastian Salla from CanIPhish.com has found 264 often well-known Australian corporations who have email security vulnerabilities.
Here is his blog:
My name's Sebastian Salla and I'm a Security Researcher who specialises in Cloud and Email Security. A couple of months ago I started looking into ways an attacker could compromise the email security of Australian organisations. Fortunately, I've created various toolings over the years (all of which are accessible at https://caniphish.com) which aided in this research.
I ultimately decided to see if I could impersonate Australian organisations while passing all email authentication checks. I started off by scanning a few hundred domains, which eventually led to me scanning 1.8 Million Australian domains. The outcome of this research would be to see if I can send SPF authenticated emails from the scanned domains and ultimately report the vulnerabilities back to those organisations affected.
To perform this scan, I would look up a domain and see if any of the IP addresses listed in their SPF records overlapped with the public IP ranges offered by Amazon Web Services (AWS). I then checked to see if I could take over any unused IPs. The results of the experiment were pretty eye-opening. I compromised the email supply chain of 264 Australian organisations, some of which are the most respected institutions in Australia.
The Scanning Process
The first challenge was to figure out how to gather up-to-date listings of Australian domains. To do this I used three methods GitHub. ASX200 and Sublist3r. Using a GitHub project called 'domains' I gathered around 99% of the domains that ended up being scanned. Some ASX200 domains were missed with the Github project - some businesses use a .com top-level domain (TLD) structure instead of .com.au. Finally, I ran Sublist3r which aggregates information from various open source intelligence sources to collect information on domains. I queried information on all domains that use .com.au, .org.au, .net.au, .edu.au and .gov.au as their TLD structure… and with that, I had my list of domains.
I quickly realised that extracting each domain's full email-sender supply chain (SPF record) one by one just wouldn't be feasible. I'd be I'm querying 6 SPF records per domain. That's 10.8 Million DNS requests! That's where Lambda functions came in. Lambda is an AWS cloud compute that runs code in a highly efficient manner and is designed exactly for my use case. I now had the ability to have the same piece of code running 100s of times concurrently. Each lambda function would scan 15 domains and save the results into a DynamoDB (NoSQL) database. I then kept the Lambda functions running for 25 hours!
After 25 hours, I exported the supply chain data and filtered it down to only the IP addresses associated with AWS' EC2 IP Address Pools. This gave me the idea of where I should focus my efforts: AWS' ap-southeast-2, eu-central-1, us-east-1, us-west-1 and us-west-2 regions.
Discovering available AWS IPs
Once the scan was complete I now needed to figure out how I could discover all of the available AWS IPs. To keep the costs down, I ran 50 t3a.nano EC2 instances across 5 regions and restarted them every minute. With each restart, the EC2 instances would get a new public IP and I'd then cross-reference the IP to all the IPs found during the email supply chain extraction process.
After 20 hours of restarting EC2 instances, I had a large enough sample set to begin trawling through the results. Keep in mind, AWS reserves 56,080,253 IPs for EC2 instances. That means I've only scanned just over 0.1% of the address space (approx. 1 in 1000 IPs), so I've barely scratched the surface!
Ultimately, I found I had compromised the email sender supply chain for 264 Australian organisations and to my shock, it contained some of the most respected institutions in Australia. These were a few that really stuck out:
- qtc.com.au (Queensland Treasury Corporation)
- mirvac.com (Mirvac - ASX200 Listed Company)
- charterhall.com.au (Charter Hall - ASX200 Listed Company)
- aph.gov (Australian Parliament House)
- usyd.edu.au (University of Sydney)
- sydney.edu.au (University of Sydney)
To validate that the vulnerabilities were real I sent myself a single test email, appearing to come from Australian Parliament House (aph.gov.au). The email passed all SPF and DMARC checks and went straight into my inbox - evading any spam filtering. This is in stark contrast to an otherwise flawlessly configured SPF - DMARC record for aph.gov.au, where the ultimate downfall is the inclusion of a single over-permissive IP address block. (wasn't sure how to re-write this)
What does this mean for the Organisations?
Each of the affected 264 organisations and their recipients is significantly more susceptible to phishing attacks and business email compromise (BEC). Anyone with a credit card can sign-up for an AWS account, find a desirable IP, request AWS to remove any SMTP restrictions and start sending SPF authenticated emails, masquerading as any of these organisations.
As an example of the possible impacts and risks, a parliamentary staffer could receive an email that appears to come from a Minister, or a student could receive an email from some posing as from university admissions. The recipients in these cases have a way to determine real emails from the fake, the risks involved in both these examples don't need to be spelt out considering the position and standing of the organisations involved.
This experiment reiterates the importance of organisations managing their email supply chain to ensure your organisation and downstream customers aren't introduced to unnecessary risks relating to email threats.
This blog originally appeared here.