ChannelLife Australia

Hundreds of Australian corporations identified with email security vulnerabilities

By Sebastian Salla
Tue 11 Jan 2022

Security researcher Sebastian Salla from CanIPhish.com has found 264 often well-known Australian corporations who have email security vulnerabilities.

Here is his blog:

My name’s Sebastian Salla and I’m a Security Researcher who specialises in Cloud and Email Security. A couple of months ago I started looking into ways an attacker could compromise the email security of Australian organisations. Fortunately, I’ve created various toolings over the years (all of which are accessible at https://caniphish.com) which aided in this research.

I ultimately decided to see if I could impersonate Australian organisations while passing all email authentication checks. I started off by scanning a few hundred domains, which eventually led to me scanning 1.8 Million Australian domains. The outcome of this research would be to see if I can send SPF authenticated emails from the scanned domains and ultimately report the vulnerabilities back to those organisations affected.

To perform this scan, I would look up a domain and see if any of the IP addresses listed in their SPF records overlapped with the public IP ranges offered by Amazon Web Services (AWS). I then checked to see if I could take over any unused IPs. The results of the experiment were pretty eye-opening. I compromised the email supply chain of 264 Australian organisations, some of which are the most respected institutions in Australia.

The Scanning Process

The first challenge was to figure out how to gather up-to-date listings of Australian domains. To do this I used three methods: GitHub, ASX200 and Sublist3r. Using a GitHub project called 'domains' I gathered around 99% of the domains that ended up being scanned. Some ASX200 domains were missed with the GitHub project - some businesses use a .com top-level domain (TLD) structure instead of .com.au. Finally, I ran Sublist3r, which aggregates information from various open-source intelligence sources to collect information on domains. I queried information on all domains that use .com.au, .org.au, .net.au, .edu.au and .gov.au as their TLD structure… and with that, I had my list of domains.

I quickly realised that extracting each domain's full email-sender supply chain (SPF record) one by one just wouldn't be feasible. I'd be querying 6 SPF records per domain. That's 10.8 Million DNS requests! That's where Lambda functions came in. Lambda is an AWS cloud compute service that runs code in a highly efficient manner and is designed exactly for my use case. I now had the ability to have the same piece of code running 100s of times concurrently. Each Lambda function would scan 15 domains and save the results into a DynamoDB (NoSQL) database. I then kept the Lambda functions running for 25 hours!

After 25 hours, I exported the supply chain data and filtered it down to only the IP addresses associated with AWS' EC2 IP Address Pools. This gave me the idea of where I should focus my efforts: AWS' ap-southeast-2, eu-central-1, us-east-1, us-west-1 and us-west-2 regions.
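As an added example (not code from the original blog or from CanIPhish's tooling), here is the defensive side of the check described above: flatten a domain's SPF record, following include: mechanisms, and report any authorised networks that fall inside a cloud provider's EC2 address pool, so an organisation can audit its own sender supply chain. The DNS zone and the ip-ranges entries are constructed sample data; a real audit would resolve TXT records over DNS and load https://ip-ranges.amazonaws.com/ip-ranges.json.

```python
import ipaddress

# Constructed sample DNS zone: SPF TXT records keyed by domain (not real records).
SPF_ZONE = {
    "example-corp.com.au": "v=spf1 ip4:203.0.113.10 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 ip4:54.252.0.0/16 include:nested.example ~all",
    "nested.example": "v=spf1 ip6:2001:db8::/32 -all",
}

# Constructed excerpt in the shape of AWS's ip-ranges.json "prefixes" entries (values made up).
AWS_PREFIXES = [
    {"ip_prefix": "54.252.0.0/16", "region": "ap-southeast-2", "service": "EC2"},
    {"ip_prefix": "52.64.0.0/17", "region": "ap-southeast-2", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3"},
]

MAX_LOOKUPS = 10  # RFC 7208 limits DNS-querying mechanisms (include, a, mx, ...) to 10


def collect_spf_networks(domain, zone=SPF_ZONE, seen=None, lookups=None):
    """Flatten a domain's SPF record into (networks, lookup_count), following include:.

    Only ip4/ip6/include terms are handled (a, mx, redirect= are ignored here);
    include loops and the 10-lookup limit are enforced so a malformed record
    cannot recurse forever.
    """
    seen = set() if seen is None else seen
    lookups = [0] if lookups is None else lookups
    if domain in seen:
        return [], lookups[0]
    seen.add(domain)
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return [], lookups[0]
    nets = []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")  # drop the SPF qualifier, keep the mechanism
        if mech.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
        elif mech.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                break
            nets.extend(collect_spf_networks(mech[8:], zone, seen, lookups)[0])
    return nets, lookups[0]


def cloud_overlaps(domain, prefixes=AWS_PREFIXES, service="EC2"):
    """Return [(spf_network, cloud_prefix, region)] for SPF networks overlapping a cloud pool."""
    nets, _ = collect_spf_networks(domain)
    hits = []
    for p in (p for p in prefixes if p["service"] == service):
        cloud_net = ipaddress.ip_network(p["ip_prefix"])
        hits += [(str(n), p["ip_prefix"], p["region"]) for n in nets if n.overlaps(cloud_net)]
    return hits
```

Any hit is a network an SPF record authorises that the organisation does not control end to end; the remediation is to replace the block with the specific addresses the mail vendor actually sends from.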

Discovering available AWS IPs

Once the scan was complete I now needed to figure out how I could discover all of the available AWS IPs. To keep the costs down, I ran 50 t3a.nano EC2 instances across 5 regions and restarted them every minute. With each restart, the EC2 instances would get a new public IP and I'd then cross-reference the IP to all the IPs found during the email supply chain extraction process.

After 20 hours of restarting EC2 instances, I had a large enough sample set to begin trawling through the results. Keep in mind, AWS reserves 56,080,253 IPs for EC2 instances. That means I've only scanned just over 0.1% of the address space (approx. 1 in 1000 IPs), so I've barely scratched the surface!

The Results

Ultimately, I found I had compromised the email sender supply chain for 264 Australian organisations and to my shock, it contained some of the most respected institutions in Australia. These were a few that really stuck out:

  • qtc.com.au (Queensland Treasury Corporation)
  • mirvac.com (Mirvac - ASX200 Listed Company)
  • charterhall.com.au (Charter Hall - ASX200 Listed Company)
  • aph.gov (Australian Parliament House)
  • usyd.edu.au (University of Sydney)
  • sydney.edu.au (University of Sydney)

To validate that the vulnerabilities were real I sent myself a single test email, appearing to come from Australian Parliament House (aph.gov.au). The email passed all SPF and DMARC checks and went straight into my inbox - evading any spam filtering. This is in stark contrast to an otherwise flawlessly configured SPF & DMARC record for aph.gov.au, where the ultimate downfall is the inclusion of a single over-permissive IP address block.

What does this mean for the Organisations?

Each of the affected 264 organisations and their recipients is significantly more susceptible to phishing attacks and business email compromise (BEC). Anyone with a credit card can sign up for an AWS account, find a desirable IP, request AWS to remove any SMTP restrictions and start sending SPF authenticated emails, masquerading as any of these organisations.

As an example of the possible impacts and risks, a parliamentary staffer could receive an email that appears to come from a Minister, or a student could receive an email from someone posing as university admissions. The recipients in these cases have a way to determine real emails from the fake; the risks involved in both these examples don't need to be spelt out considering the position and standing of the organisations involved.

This experiment reiterates the importance of organisations managing their email supply chain to ensure their organisation and downstream customers aren't introduced to unnecessary risks relating to email threats.

This blog originally appeared here.
