Attacks/Breaches

8/22/2017 07:30 PM
ROPEMAKER Attack Turns Benign Emails Hostile Post-Delivery

The intersection of email and Web technologies has given attackers a way to mess with your email after it has been delivered to your inbox, Mimecast says.

Just because an email is secure when it arrives in your inbox doesn't mean that it cannot be maliciously modified later.

The intersection of email and Web technologies in recent years has given attackers a way to undermine the security and non-repudiation of email messages, including those that are signed using PGP or S/MIME, security vendor Mimecast warned this week.

The email security provider has discovered a new exploit that it has dubbed ROPEMAKER, which gives attackers a way to change the content of an email at will after it has been delivered, and without direct access to the user's inbox. The exploit enables attackers to swap out a benign URL in a delivered email for a malicious one, to edit text in the body of the email, and to turn entire chunks of benign text into a malicious URL.

Matthew Gardiner, cybersecurity strategist at Mimecast, says the company has deliberately decided not to label the issue as either a product vulnerability or a fundamental architectural flaw. "We think this is a topic area that needs to be further debated," he says.

There are certainly measures that email application providers can take to better protect users against the kind of threat posed by ROPEMAKER. "[But] part of the challenge with the ROPEMAKER exploit is it doesn't fall squarely into one particular organization's area of responsibility," he says.

The problem, according to Gardiner, stems from the manner in which PC-based email apps like Outlook and Apple Mail use Web technologies to make emails more visually attractive and dynamic compared to the purely text-based emails of a few years ago. Certain browser-based email clients such as Gmail, Outlook.com and icloud.com that Mimecast looked at were not susceptible to the issue.

"Fundamentally ROPEMAKER exists because Web technologies can and often do interoperate over a network, typically the Internet," Mimecast researchers said in a blog on the topic this week. "To be more precise, two resources that are housed remotely from one another, but are linked via a network can interoperate; one affecting the execution of the other."

For example, on the Web, remotely based and remotely controlled content and resources are routinely fetched or referenced without the local user having to do anything. Cascading Style Sheets (CSS), which organizations use to describe how the layout, fonts, colors, and other features of HTML content should be presented, are a good example. CSS enables the separation of content from the components that control how the content should be presented, the company noted.

When used in the context of emails, a remotely hosted CSS file can give an attacker a way to control not just the presentation style of the email but its actual content as well, Mimecast said. Just like Web pages can continuously change text content, audio, and visuals, a remotely hosted CSS can enable changes to the content in email that has already been delivered.

"ROPEMAKER works as long as the email client automatically connects to the remote CSS to retrieve the desired 'style' for the email. This is at the core of the ROPEMAKER exploit," Mimecast said.

In its advisory, the email security vendor described two ways in which an attacker could exploit the issue. One of them showed how an attacker could switch a good URL with a bad one. The other, which Mimecast has dubbed a Matrix Exploit, involved an attacker sending a matrix of ASCII text, character by character, and then using the remote CSS file to control what is displayed to the recipient.
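Both techniques depend on the same precondition the advisory names: the client fetching a stylesheet from the network at render time. A defender can therefore check for that precondition before the message is rendered. The following is an added example, not Mimecast's code or any vendor's product logic: it parses a raw message with Python's standard `email` and `html.parser` modules, reports every remote stylesheet reference in the HTML part (`<link rel="stylesheet">` with an `http`, `https` or protocol-relative URL, `@import` inside a `<style>` block, and `@import` in an inline `style` attribute), and can strip those references so the client renders the message with local styling only. The sample message and the `cdn.example.org` / `intranet.example.com` hosts are constructed for the demonstration.

```python
"""Find and neutralise remote CSS references in an HTML e-mail.

Added example (not Mimecast's or any e-mail vendor's code). It flags the
places where a mail client would pull a stylesheet from the network, which
is the precondition for ROPEMAKER-style post-delivery content changes.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message: benign body plus two remotely hosted stylesheets.
SAMPLE_EML = b"""From: sender@example.com
To: recipient@example.net
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="https://cdn.example.org/mail/style.css">
<style>@import url("https://cdn.example.org/mail/extra.css");</style>
</head><body>
<p>Please review the <a href="https://intranet.example.com/report">report</a>.</p>
</body></html>
"""

# A URL is "remote" when it is absolute http(s) or protocol-relative (//host/...).
REMOTE_URL = re.compile(r"^\s*(https?:)?//", re.IGNORECASE)
# Captures the target of an @import rule, with or without url(...) and quotes.
CSS_IMPORT = re.compile(r"@import\s+(?:url\(\s*)?['\"]?([^'\")\s;]+)", re.IGNORECASE)


class RemoteCssFinder(HTMLParser):
    """Collect (kind, url) pairs for every remote stylesheet reference seen."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            href = a.get("href") or ""
            if REMOTE_URL.match(href):
                self.findings.append(("link", href))
        if tag == "style":
            self._in_style = True
        # @import can also hide in an inline style attribute.
        for url in CSS_IMPORT.findall(a.get("style") or ""):
            if REMOTE_URL.match(url):
                self.findings.append(("inline-import", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands the body of <style> to handle_data as raw text.
        if self._in_style:
            for url in CSS_IMPORT.findall(data):
                if REMOTE_URL.match(url):
                    self.findings.append(("style-import", url))


def html_parts(raw: bytes):
    """Yield the decoded text of every text/html part in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def find_remote_css_html(html: str):
    parser = RemoteCssFinder()
    parser.feed(html)
    return parser.findings


def find_remote_css(raw: bytes):
    """Return all remote stylesheet references across the message's HTML parts."""
    findings = []
    for html in html_parts(raw):
        findings.extend(find_remote_css_html(html))
    return findings


LINK_TAG = re.compile(r"<link\b[^>]*rel=[\"']?stylesheet[\"']?[^>]*>", re.IGNORECASE)
IMPORT_RULE = re.compile(r"@import\b[^;]*;?", re.IGNORECASE)


def neutralise_remote_css(html: str) -> str:
    """Remove only those <link> tags and @import rules that point off-host."""
    def drop_link(m):
        href = re.search(r"href\s*=\s*[\"']?([^\"'\s>]+)", m.group(0), re.IGNORECASE)
        return "" if href and REMOTE_URL.match(href.group(1)) else m.group(0)

    def drop_import(m):
        url = CSS_IMPORT.search(m.group(0))
        return "" if url and REMOTE_URL.match(url.group(1)) else m.group(0)

    return IMPORT_RULE.sub(drop_import, LINK_TAG.sub(drop_link, html))


if __name__ == "__main__":
    for kind, url in find_remote_css(SAMPLE_EML):
        print(f"remote CSS via {kind}: {url}")
```

Run as a gateway or mailbox-side check, a non-empty result from `find_remote_css` is the signal that the message's rendered content is not fixed at delivery time; `neutralise_remote_css` is the corresponding mitigation when the policy is to render mail with local styling only. The detector deliberately ignores stylesheets embedded in the message or referenced by `cid:`, since those travel with the message and cannot be changed after delivery.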

"The Matrix Exploit is the delivery of all possible characters in an email," such as a, A, b, B, c, C, Gardiner says. "And then, post-delivery, making whatever message you want to appear come to life for each individual email user." This tactic makes it very difficult for an email security product to determine whether an inbound mail is good or not, because what it says is not determined until after the email has been delivered, Gardiner notes.

Apple Mail has a user setting that would allow email users to block automatic execution of a remote resource—like a remotely hosted CSS file for instance, he says. But few are likely using it.

Most email clients use local CSS for reasons of performance and network connectivity, adds Gardiner. However, remote CSS is supported with HTML and there's no reason to believe attackers wouldn't use it. "From the end users' point of view they don't have any idea where the CSS is hosted, unless they check the HTML source of the email. How many users do that?"

Mimecast has shared its research privately with all of the primary email client vendors, but so far not one of them has acknowledged ROPEMAKER as a vulnerability or exploit. Mimecast says it has not seen any evidence of ROPEMAKER-like attacks in the wild so far.



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

Andrewstrauss, User Rank: Apprentice, 8/25/2017 5:44:24 AM
Re: Frightening indeed
wxqx

LisaB845, User Rank: Apprentice, 8/24/2017 4:48:49 AM
Re: cah
Didn't even know about the ROPEMAKER Attack, thanks for the heads up.

andreiguru, User Rank: Apprentice, 8/23/2017 9:59:32 AM
Re: Frightening indeed
Nothing new here though. This attack vector has been known since email clients introduced the option to block remote content.

REISEN1955, User Rank: Ninja, 8/23/2017 8:28:52 AM
Frightening indeed
As a malware forensics engineer, my department commonly hits on old exploits - couponprinter, ask toolbar, dridex and a host of other pieces of junk. Then users open email attachments as delivered and get wrecked by this or that. Now THIS potential infection point is then horror indeed.