Is there any analysis on root causes of mail account break-ins?
Hi folks, I'm trying to understand the root causes and vulnerabilities that lead to hacked mailboxes. Currently, we can handle dynamic IP ranges pretty well, and we have an extensive list of network ranges whose owner are spammers or knowingly accept spammers as customers. So what mainly remains as spam sources are hacked servers/websites, hacked mail accounts, and freemail accounts registered with the purpose of spamming (I'm looking at you, Google). Here I want to focus on hacked mail accounts. I can think of two major root causes but I have no idea about their relative significance: * Easily guessable passwords, with two subcauses for exploits: o Brute force authentication attempts - I'm seeing them regularly, and the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at our mailserver, but some mailops are less struct about blocking such abusers. o Hashed password data exfiltration and cracking (for example using JtR) these lists - this would work better with weaker password hashing, but with weak passwords and some CPU power it is probably possible even for strong hash algorithms. * Malware on client machines where passwords are either stored in a password vault, or entered manually. My gut feeling is that some organizations are especially prone to hacked mail accounts. We're seeing lots of south american government agency users, and many accounts at educational institutions. The latter are often hosted using Microsoft O365 services, and I highly suspect that weak passwords for all the freshly created student accounts may be a major cause, although exfiltrated password data may be a possibility, too. So does anyone have pointers to studies analyzing these (and probably more) causes of exploited mail accounts? Cheers, Hans-Martin
Hans-Martin Mosner schrieb: Hi folks, I'm trying to understand the root causes and vulnerabilities that lead to hacked mailboxes. Currently, we can handle dynamic IP ranges pretty well, and we have an extensive list of network ranges whose owner are spammers or knowingly accept spammers as customers. So what mainly remains as spam sources are hacked servers/websites, hacked mail accounts, and freemail accounts registered with the purpose of spamming (I'm looking at you, Google). Here I want to focus on hacked mail accounts. I can think of two major root causes but I have no idea about their relative significance: * Easily guessable passwords, with two subcauses for exploits: * Brute force authentication attempts - I'm seeing them regularly, and the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at our mailserver, but some mailops are less struct about blocking such abusers. * Hashed password data exfiltration and cracking (for example using JtR) these lists - this would work better with weaker password hashing, but with weak passwords and some CPU power it is probably possible even for strong hash algorithms. * Malware on client machines where passwords are either stored in a password vault, or entered manually. I suspect a large amount would be caused by phishing. Users getting a malicious email (generally) leading them to a phishing page where they happily introduce their credentials. Some users fall even for "badly designed" phishing sites without any sophistication at all. If after compromise the phishing uses the newly-minted credentials to send itself to their address-book (which on corporate systems can be the whole organization), that explains how there can be such clusters. Fresh students would not know the ins and outs of their new system (they may not even know how to properly use their email account, but that's a bigger issue) thus being easy prey when receiving a "Your mailbox is getting full" email. Corporate users (Government or otherwise) don't have such excuse, though. Getting infected with malware would be less prevalent than this, one would hope. There are many more layers where it can be detected, both by the users themselves (would generally require more steps and show more warnings) and detection of the malware at the endpoint. Although users will nevertheless get themselves compromised no matter what. A fourth recent source of compromised mailboxes are compromises of unpatched Exchange servers, albeit that's recent and will eventually disappear. Best regards -- INCIBE-CERT - Spanish National CSIRT https://www.incibe-cert.es/ PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys ==================================================================== INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. ==================================================================== In compliance with the General Data Protection Regulation of the EU (Regulation EU 2016/679, of 27 April 2016) we inform you that your personal and corporate data (as well as those included in attached documents); and e-mail address, may be included in our records for the purpose derived from legal, contractual or pre-contractual obligations or in order to respond to your queries. You may exercise your rights of access, correction, cancellation, portability, limitationof processing and opposition under the terms established by current legislation and free of charge by sending an e-mail to dpd@incibe.es. The Data Controller is S.M.E. Instituto Nacional de Ciberseguridad de España, M.P., S.A. More information is available on our website: https://www.incibe.es/proteccion-datos-personales and https://www.incibe.es/registro-actividad. ====================================================================
On 17 Nov 2021, at 08:12, Hans-Martin Mosner <hmm@heeg.de> wrote:
Hi folks,
I'm trying to understand the root causes and vulnerabilities that lead to hacked mailboxes. Currently, we can handle dynamic IP ranges pretty well, and we have an extensive list of network ranges whose owner are spammers or knowingly accept spammers as customers.
So what mainly remains as spam sources are hacked servers/websites, hacked mail accounts, and freemail accounts registered with the purpose of spamming (I'm looking at you, Google).
Here I want to focus on hacked mail accounts. I can think of two major root causes but I have no idea about their relative significance:
Easily guessable passwords, with two subcauses for exploits: Brute force authentication attempts - I'm seeing them regularly, and the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at our mailserver, but some mailops are less struct about blocking such abusers. Hashed password data exfiltration and cracking (for example using JtR) these lists - this would work better with weaker password hashing, but with weak passwords and some CPU power it is probably possible even for strong hash algorithms. Malware on client machines where passwords are either stored in a password vault, or entered manually.
Reused passwords is another. A fair number of websites seem to store user accounts with email addresses and plaintext passwords. When they inevitably get compromised there are bad actors who’ll grab those dumps and try those passwords against the email accounts.
My gut feeling is that some organizations are especially prone to hacked mail accounts. We're seeing lots of south american government agency users, and many accounts at educational institutions. The latter are often hosted using Microsoft O365 services, and I highly suspect that weak passwords for all the freshly created student accounts may be a major cause, although exfiltrated password data may be a possibility, too.
So does anyone have pointers to studies analyzing these (and probably more) causes of exploited mail accounts
Cheers, Steve
Hi, On Wed 17/Nov/2021 09:12:13 +0100 Hans-Martin Mosner wrote:
Here I want to focus on hacked mail accounts. I can think of two major root causes but I have no idea about their relative significance:
I agree with Steve and Ángel that the main causes are reused passwords and phishing.
* Easily guessable passwords, with two subcauses for exploits: o Brute force authentication attempts - I'm seeing them regularly, and the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at our mailserver, but some mailops are less struct about blocking such abusers.
I used to look at what passwords they try. Those brute force attacks are so ridiculous that I agree with those who call them "clowns". About that network, I only collected 40 addresses (15.7%) of it. Here's the list: list records in IP range 5.188.206.0-5.188.206.255, min age 0 secs, max age 1637146807 secs, min prob 0=0.00%, max prob 2147483647=100.00%. IP CREATED PROB. BLOCKED PACKETS UPDATED DECAY THRESHOLD CAUGHT DESCRIPTION 5.188.206.98 Aug-2021 27.83% Oct-2021 184598 Oct-2021 2.7648e+06 7 13 SMTP auth dictionary attack 5.188.206.99 Aug-2021 42.44% Oct-2021 187446 Oct-2021 2.7648e+06 7 13 SMTP auth dictionary attack 5.188.206.100 Aug-2021 32.63% Oct-2021 191132 Oct-2021 2.7648e+06 7 14 SMTP auth dictionary attack 5.188.206.101 Aug-2021 23.06% Oct-2021 195623 Oct-2021 2.7648e+06 7 13 SMTP auth dictionary attack 5.188.206.102 Aug-2021 30.12% Oct-2021 193158 Oct-2021 2.7648e+06 7 14 SMTP auth dictionary attack 5.188.206.146 Jul-2021 0.00% Jul-2021 38385 Jul-2021 172800 3 11 SMTP auth dictionary attack 5.188.206.147 May-2021 0.00% May-2021 2690 May-2021 43200 1 6 SMTP auth dictionary attack 5.188.206.154 Aug-2021 22.50% Oct-2021 199790 Oct-2021 2.7648e+06 7 13 SMTP auth dictionary attack 5.188.206.155 Aug-2021 63.96% Oct-2021 200505 Oct-2021 5.5296e+06 8 14 SMTP auth dictionary attack 5.188.206.156 Aug-2021 44.10% Oct-2021 188176 Oct-2021 2.7648e+06 7 13 SMTP auth dictionary attack 5.188.206.157 Aug-2021 21.81% Oct-2021 201093 Oct-2021 2.7648e+06 7 12 SMTP auth dictionary attack 5.188.206.158 Aug-2021 13.69% Oct-2021 186692 Oct-2021 1.3824e+06 6 16 SMTP auth dictionary attack 5.188.206.162 Apr-2021 0.00% Apr-2021 16 May-2021 21600 0 4 Domain does not exist 5.188.206.163 Apr-2021 0.00% Apr-2021 49 May-2021 21600 0 6 SPF failure 5.188.206.164 Apr-2021 0.00% Apr-2021 8 Apr-2021 60 0 3 SPF failure 5.188.206.165 Apr-2021 0.00% Apr-2021 9 May-2021 60 0 3 SPF failure 5.188.206.166 Apr-2021 0.00% Apr-2021 12 May-2021 60 0 4 SPF failure 5.188.206.171 May-2021 0.00% 0 May-2021 60 0 1 SPF failure 5.188.206.172 May-2021 0.00% 0 May-2021 21600 0 1 Domain does not exist 5.188.206.174 May-2021 0.00% 0 May-2021 21600 0 1 Domain does not exist 5.188.206.182 May-2021 0.00% Jun-2021 321619 Jun-2021 691200 5 13 SMTP auth dictionary attack 5.188.206.194 Jul-2020 41.18% 52s ago 106607 53s ago 2.7648e+06 7 24 SMTP auth dictionary attack 5.188.206.195 Jul-2020 78.44% 570s ago 225627 569s ago 2.7648e+06 7 25 SMTP auth dictionary attack 5.188.206.196 Jul-2020 71.04% 54s ago 170925 54s ago 2.7648e+06 7 58 SMTP auth dictionary attack 5.188.206.197 Aug-2020 86.35% 51s ago 172424 57s ago 5.5296e+06 8 37 SMTP auth dictionary attack 5.188.206.198 Sep-2020 55.70% 572s ago 234734 573s ago 5.5296e+06 8 34 SMTP auth dictionary attack 5.188.206.199 Oct-2020 99.24% 571s ago 191169 572s ago 5.5296e+06 8 23 SMTP auth dictionary attack 5.188.206.200 Oct-2020 86.89% 45s ago 189656 60s ago 5.5296e+06 8 23 SMTP auth dictionary attack 5.188.206.201 Oct-2020 59.52% 686s ago 659987 687s ago 5.5296e+06 8 30 SMTP auth dictionary attack 5.188.206.202 Dec-2020 91.54% 57s ago 466233 62s ago 5.5296e+06 8 25 SMTP auth dictionary attack 5.188.206.203 Dec-2020 55.00% 42s ago 214836 50s ago 5.5296e+06 8 23 SMTP auth dictionary attack 5.188.206.204 Dec-2020 11.66% Aug-2021 374345 Aug-2021 2.7648e+06 7 25 SMTP auth dictionary attack 5.188.206.205 Jan-2021 32.61% Aug-2021 168831 Aug-2021 5.5296e+06 8 22 SMTP auth dictionary attack 5.188.206.206 Jun-2021 9.31% Aug-2021 139334 Aug-2021 2.7648e+06 7 18 SMTP auth dictionary attack 5.188.206.234 Feb-2021 7.82% Aug-2021 137165 Aug-2021 2.7648e+06 7 44 SMTP auth dictionary attack 5.188.206.235 Feb-2021 20.26% Aug-2021 341048 Aug-2021 5.5296e+06 8 22 SMTP auth dictionary attack 5.188.206.236 Apr-2021 8.97% Aug-2021 150635 Aug-2021 2.7648e+06 7 18 SMTP auth dictionary attack 5.188.206.237 Jun-2021 7.26% Aug-2021 135883 Aug-2021 2.7648e+06 7 20 SMTP auth dictionary attack 5.188.206.238 Jun-2021 12.76% Aug-2021 137208 Aug-2021 2.7648e+06 7 20 SMTP auth dictionary attack 5.188.206.246 Mar-2021 0.98% May-2021 58297 May-2021 2.7648e+06 7 13 SMTP auth dictionary attack 40 record(s) selected, 0 deleted, 0 failed deletion(s) Best Ale --
participants (4)
-
Alessandro Vesely -
Hans-Martin Mosner -
Steve Atkins -
Ángel González Berdasco