Attacks/Breaches

5/25/2017
08:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
0%
100%

Split Tunnel SMTP Exploit Bypasses Email Security Gateways

Attackers can inject malicious payloads directly to email server via email encryption appliances, Securolytics says.

Many organizations, especially in sectors like healthcare, use onsite or hosted encryption appliances to protect their email against compromise. That could be a problem.

Security vendor Securolytics this week claimed it has devised an exploit that allows an attacker to bypass an organization's email security gateway and directly unload malware on the email server by using the encryption device as a backdoor.

The so-called Split Tunnel SMTP Exploit works against pretty much any email encryption device—virtual, hosted or in-house—that accepts inbound SMTP and there's very little anyone can do to stop it, according to the company. Attackers can use the exploit to inject any payload that supports MIME encoding including ransomware, macro viruses and password protected ZIP files.

The exploit, says Vikas Singla, CEO of Securolytics, takes advantage of the fact that an email encryption appliance has a publicly accessible IP address and is able to receive and transfer emails. Such devices are typically deployed beyond the enterprise firewall and are often used in conjunction with an email security gateway.

Singla says that during an engagement at a healthcare customer site Securolytics discovered an attacker could completely bypass the email security gateway by connecting directly to the encryption appliance. The appliance simply decrypts and routes the emails it receives to the email server without checking it for malware.

So, an attacker who is able to discover the publicly accessible IP address of an encryption gateway can send malware-laden messages directly to the email server through the encryption gateway, without touching the security appliance at all, Singla says.

In some configurations, the email encryption appliance is deployed in front of the security gateway to decrypt encrypted mail, and to forward it to the security gateway, which then inspects the decrypted email for malware before sending it to the email server.

Even in such situations, an attacker who is able to connect directly to the encryption appliance can inject a rogue message into it. When the security gateway receives the message and inspects it for malware, it will typically do so using the encryption device's IP address and not the original sender's IP address, Singla says. This gives an opening for an attacker to get messages containing malicious payloads and links past the email security gateway.

Singla says Securolytics tested the exploit against two organizations and was able to bypass email security controls in both cases and have malicious email reach the email server. Because Securolytics used an invalid mailbox for both tests, the target server bounced back the emails.

One of the simulated attacks involved a 400-employee hospital using Microsoft Exchange, an onsite email encryption product, and an email security gateway appliance.

Securolytics researchers used an automated script to map out the target organization's email infrastructure and the delivery routes for email. It then used a brute force attack to find the encryption appliance's IP address. Once the researchers had the information they used another scanner to see if any of the uncovered mail transfer agents had Port 25 open.

The researchers first sent an email with a benign payload to an invalid address within the target's domain to figure out how the security gateway and internal mail servers handled incoming mail. They then sent a message with a malicious payload to verify the security gateway was working properly. Finally, they resent the same message with the same payload and from the same IP address, but directed it to the encryption appliance instead.

The device received the malicious email, accepted it and forwarded the mail directly to the email server which then attempted to deliver it to the invalid inbox before bouncing it back.

The same thing happened when Securolytics carried out the simulated attack against an 11,500-employee healthcare system. In this case, the organization had deployed Office 365 behind a hosted email encryption device. Even with Microsoft's Exchange Online Protection turned on the organization was unable to prevent a malicious email sent directly to the encryption appliance from reaching the mail server.

The Split Tunnel SMPT attack does not work if port 25 is closed. "The two attacks we show require port 25 to be open on the target's [Mail Transfer Appliance]," says Singla.

"Our initial thought was that organizations could close port 25," he says. "But we found the encryption server requires, by design, port 25 to be open so they can receive email from other encryption MTAs." Singla says. Securolytics is now testing to see if the attack works for configurations where the encryption appliance sits behind the security gateway.

The only way for organizations using encryption appliances to mitigate the threat is to disable transparent gateway-to-gateway encryption, according to Securolytics. Email encryption product vendors often use transparent encryption to make it easy for organizations to send and receive encrypted emails without needing to modify anything.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/30/2017 | 12:51:55 PM
Re: Pending Review
"This is akin to saying driving a car is bad because a person doesn't use the seat belts."

I agree, at the end of the day we come back to human being the weakest link.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/30/2017 | 12:49:27 PM
Re: Pending Review
"The fact that someone architects a system and does not send the email through the SEG is simply poor design"

Agreed and good points. Most SMEs would not have that one, they hardly have physical firewall I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/30/2017 | 12:47:25 PM
Re: Why you need multiple layers of security
"having multiple layers of security."

Agree. Layered security most likely detect this types of threats. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/30/2017 | 12:45:44 PM
Re: Thanks for sharing
"What a simple security hole"

Agree. As one could guess, sometimes simple things impact the environment most.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/30/2017 | 12:44:28 PM
TCP dedicated ports
Best approach to avoid TCP dedicated ports it seems to avoid this threat.
TomF593
0%
100%
TomF593,
User Rank: Apprentice
5/27/2017 | 8:18:47 AM
Re: Pending Review
I'm not sure I would classify this as an exploit in the terms you have laid out the scenario. This does show very poor email security architecture design but modern SEG (Secure Email Gateways) contains A/V and Anti-Malware engines to detect the presence of malware in email. The fact that someone architects a system and does not send the email through the SEG is simply poor design.

This is akin to saying driving a car is bad because a person doesn't use the seat belts. Yes it is dangerous, yes it is bad, however you can't blame the car saying it is unsafe. The operator is unsafe, they chose not to put on the seat belts and benefit from the protect afforded.

"In some configurations, the email encryption appliance is deployed in front of the security gateway to decrypt encrypted mail, and to forward it to the security gateway, which then inspects the decrypted email for malware before sending it to the email server.

Even in such situations, an attacker who is able to connect directly to the encryption appliance can inject a rogue message into it. When the security gateway receives the message and inspects it for malware, it will typically do so using the encryption device's IP address and not the original sender's IP address, Singla says. This gives an opening for an attacker to get messages containing malicious payloads and links past the email security gateway." 

Again poor design architecture/implementation a properly configured SEG would look back in headers and discover the true sending MTA IP address not take the encryption device as the source.

"The Split Tunnel SMPT attack does not work if port 25 is closed. "The two attacks we show require port 25 to be open on the target's [Mail Transfer Appliance]," says Singla."

If you can't reach port 25 no mail would flow. This statement is not even needed. Again like saying if I don't answer the phone you can't talk to me.
DougMorganBreakpoint
50%
50%
DougMorganBreakpoint,
User Rank: Apprentice
5/25/2017 | 3:33:22 PM
Why you need multiple layers of security
Creative attack, and a great argument for having multiple layers of security.  Clearly this can bypass email security.  Hopefully the the organization has web filtering or other policies in place to block access to command and control sites to limit the damage if a user does fall for the delivered phiishing email.
realuser
100%
0%
realuser,
User Rank: Apprentice
5/25/2017 | 3:06:16 PM
Thanks for sharing
What a simple security hole... Latest methods to deliver malware became really interesting. Nice work!
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.