Smuggling an email within an email || MongoDB investigates possible breach
CyberInsights #123 - The SMTP email attack || MongoDB Atlas cluster related metadata and customer data allegedly leaked
The as-old-as-the-internet SMTP protocol has a new attack!
It is inspired by the HTTP request smuggling attack.
It’s been a while since I went down a technical rabbit hole on CyberInsights. I leave the technicalities to the CyberInsights LongReads, which, I must admit, are not as frequent as I would like them to be.
However, this one is too interesting to ignore. At the risk of alienating readers who do not want this newsletter to be too technical, I had to write this one.
The news of how a malicious email can be smuggled into a user's inbox as part of a genuine email is here. [LINK].
For the more technically inclined, this article is not only an explanation of the vulnerability but also a refresher on how SMTP, SPF, DKIM and DMARC work, because if you do not understand how they work, you do not understand how the vulnerability works. [LINK].
The summary is reasonably succinct without compromising on the core:
“By exploiting interpretation differences of the SMTP protocol, it is possible to smuggle/send spoofed e-mails - hence SMTP smuggling - while still passing SPF alignment checks. During this research, two types of SMTP smuggling, outbound and inbound, were discovered. These allowed sending spoofed e-mails from millions of domains (e.g., admin@outlook.com) to millions of receiving SMTP servers (e.g., Amazon, PayPal, eBay). Identified vulnerabilities in Microsoft and GMX were quickly fixed, however, SEC Consult urges companies using the also affected Cisco Secure Email product to manually update their vulnerable default configuration (see Responsible Disclosure section below)!”
What it means is that the attack exploits differences in how SMTP servers recognise the end-of-data sequence that terminates a message. RFC 5321 specifies <CR><LF>.<CR><LF>, but some servers also accept variants, such as a bare line feed on one or both sides of the dot. An attacker who can send through a legitimate outbound server embeds such a variant inside the message body, followed by a second MAIL FROM, RCPT TO and DATA. The outbound server does not treat the variant as end of data and relays the whole thing as one message; the receiving server does, ends the first message there and processes the rest as a second, separate SMTP transaction with a spoofed envelope sender. Because that second message arrives over the same connection from the sender domain's genuine mail server, the SPF check on the spoofed sender passes, and since DMARC accepts either an aligned SPF or an aligned DKIM result, DMARC passes as well. The fix is on both sides: outbound servers must normalise line endings and dot-stuff the body before relaying, and inbound servers must accept only the standard sequence.
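As an added example (this is not code from the newsletter or from SEC Consult's research), here is a small Python model of the inbound variant: an outbound relay that only knows the standard end-of-data sequence, an inbound server that also accepts a bare-LF variant, the attacker's submission, and the dot-stuffing fix applied on the relay side. The particular non-standard sequence, the addresses and the domains are assumptions chosen for illustration; which sequences real products accept is documented in the linked research, not here.

```python
import re
from dataclasses import dataclass

# RFC 5321 ends the DATA phase only at <CR><LF>.<CR><LF>.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
# Hypothetical lenient receiver that also ends DATA at a bare-LF variant.
# Which non-standard sequences a real product accepts varies; this pattern is
# an illustration of the class of difference, not a fingerprint of any server.
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")

@dataclass
class Transaction:
    mail_from: str   # envelope sender: the identity SPF is evaluated against
    rcpt_to: str
    body: bytes

def _unstuff(raw: bytes) -> bytes:
    """Undo RFC 5321 dot-stuffing: a body line sent as '..' means '.'.
    Line endings are left exactly as received."""
    return re.sub(rb"(^|\n)\.\.", rb"\1.", raw)

def receive(stream: bytes, eod: re.Pattern) -> list:
    """Server side of one SMTP connection, reduced to envelope and DATA handling.
    Commands are read line by line; after DATA, everything up to the first match
    of `eod` is the message, then command parsing resumes on the same socket."""
    txns, pos, env = [], 0, {}
    while pos < len(stream):
        nl = stream.find(b"\n", pos)
        if nl == -1:
            break
        line = stream[pos:nl].rstrip(b"\r").decode("ascii", "replace")
        pos = nl + 1
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            env["mail_from"] = line[10:].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            env["rcpt_to"] = line[8:].strip().strip("<>")
        elif upper == "DATA":
            m = eod.search(stream, pos)
            if m is None:
                raise ValueError("connection ended inside DATA")
            txns.append(Transaction(env["mail_from"], env["rcpt_to"],
                                    _unstuff(stream[pos:m.start()])))
            pos, env = m.end(), {}
        elif upper == "QUIT":
            break
    return txns

def forward_naive(t: Transaction) -> bytes:
    """Outbound relay that hands the body it accepted to the next hop verbatim."""
    envelope = f"MAIL FROM:<{t.mail_from}>\r\nRCPT TO:<{t.rcpt_to}>\r\nDATA\r\n"
    return envelope.encode() + t.body + b"\r\n.\r\n"

def forward_hardened(t: Transaction) -> bytes:
    """Outbound relay that re-encodes the body: every line is terminated with
    CRLF and any line beginning with '.' is dot-stuffed, so no end-of-data
    look-alike survives inside the body whatever the receiver accepts."""
    lines = re.split(rb"\r?\n", t.body)
    stuffed = b"\r\n".join(b"." + l if l.startswith(b".") else l for l in lines)
    envelope = f"MAIL FROM:<{t.mail_from}>\r\nRCPT TO:<{t.rcpt_to}>\r\nDATA\r\n"
    return envelope.encode() + stuffed + b"\r\n.\r\n"

# Constructed attacker session submitted to example.com's outbound relay.
# The bare-LF ".\n" inside the body is the smuggled end-of-data.
CLIENT_SESSION = (
    b"MAIL FROM:<attacker@example.com>\r\n"
    b"RCPT TO:<victim@example.net>\r\n"
    b"DATA\r\n"
    b"From: attacker@example.com\r\n"
    b"Subject: legitimate-looking mail\r\n"
    b"\r\n"
    b"hello\r\n"
    b"\n.\n"                                   # not an EOD for the strict relay
    b"MAIL FROM:<admin@example.com>\r\n"       # spoofed envelope sender
    b"RCPT TO:<victim@example.net>\r\n"
    b"DATA\r\n"
    b"From: admin@example.com\r\n"
    b"Subject: spoofed\r\n"
    b"\r\n"
    b"please reset your password\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

def demo(forward) -> list:
    """Client -> outbound relay (strict) -> inbound server (lenient).
    Returns the transactions the inbound server believes it received."""
    accepted = receive(CLIENT_SESSION, STRICT_EOD)   # the relay sees one message
    assert len(accepted) == 1
    return receive(forward(accepted[0]), LENIENT_EOD)

if __name__ == "__main__":
    for t in demo(forward_naive):
        # Both arrive on one TCP connection from example.com's real relay, so an
        # SPF check on the second, spoofed MAIL FROM passes.
        print("inbound accepted MAIL FROM", t.mail_from)
    print(len(demo(forward_hardened)), "transaction(s) after dot-stuffing")
```

With the naive relay the lenient inbound server records two transactions, the second from admin@example.com; with the dot-stuffing relay, or with an inbound server that only honours the RFC sequence, the smuggled commands stay inside the body of the first message as inert text.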
Take Action:
While most affected email providers have plugged this, Cisco Secure Email users still need to make changes themselves, because the vulnerable behaviour is in a default configuration setting. If you are using Cisco Secure Email, read the new article to the end for the mitigating actions.
For the rest, the [LINK] is an excellent refresher on how SMTP works and how SPF, DKIM and DMARC build on it.
MongoDB is trying to figure out whether its Atlas service has been breached
MongoDB Atlas is a Database-as-a-Service (DaaS) offering: cloud-hosted MongoDB instances operated by MongoDB.
MongoDB, the NoSQL database of choice for many, is trying to figure out whether it has been attacked and breached. [LINK].
The latest update on MongoDB's alerts page [LINK] is not very comforting. This is what it says:
“12/18/23 - 9:00 PM EST
We continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system. Our investigation and work with the relevant authorities is ongoing. MongoDB will update this alert page with pertinent information as we further investigate the matter.”
MongoDB seems confident that the intrusion started with a phishing attack. To protect yourself, MongoDB recommends enabling MFA and linking Atlas to an identity provider (IdP) for authentication.
As a Database-as-a-Service, Atlas is an attractive target for malicious hackers: the spoils of a successful breach are very rewarding.
The attackers used Mullvad VPN while accessing MongoDB's servers. The IP addresses are listed at the link so that affected organisations can check their own logs for any possible breach.
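The check itself is a sweep of your access logs against the published addresses. Below is an added example of that sweep in Python; it is not MongoDB's code, and the indicator addresses (RFC 5737 documentation ranges) and the log lines, modelled on mongod's JSON log format, are constructed placeholders. Substitute the list from the alerts page and your own exported logs.

```python
import ipaddress
import json

# Placeholder indicator list. Replace with the addresses published on MongoDB's
# alert page; these come from the RFC 5737 documentation ranges and match no
# real host. Entries may be single addresses (/32) or whole ranges.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.77/32")]

# Constructed log lines, modelled on mongod's JSON log format; the timestamps,
# users and addresses are invented, and one line is deliberately not JSON.
SAMPLE_LOG = """
{"t":{"$date":"2023-12-14T09:12:41.002+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn812","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","principalName":"app-rw","authenticationDatabase":"admin","remote":"203.0.113.9:55012"}}
{"t":{"$date":"2023-12-14T09:13:05.418+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:43322","connectionId":813}}
{"t":{"$date":"2023-12-14T09:13:05.531+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn813","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","principalName":"app-rw","authenticationDatabase":"admin","remote":"10.0.0.5:43322"}}
{"t":{"$date":"2023-12-14T09:14:22.770+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn814","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","remote":"198.51.100.77:60210","error":"AuthenticationFailed: SCRAM authentication failed"}}
not-json garbage line of the kind a real log export may contain
"""

def remote_address(entry):
    """Return the client IP from attr.remote ("ip:port") as an ip_address, or None."""
    remote = entry.get("attr", {}).get("remote")
    if not remote:
        return None
    host = remote.rpartition(":")[0]   # rpartition keeps IPv6 addresses intact
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def find_ioc_hits(log_text, networks):
    """Return one record per log entry whose remote address falls inside any
    indicator network. Connection and authentication events are both reported,
    since a connection from a listed address matters even when auth failed."""
    hits = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue   # skip blank or non-JSON lines rather than abort the sweep
        addr = remote_address(entry)
        if addr is None or not any(addr in net for net in networks):
            continue
        hits.append({
            "time": entry["t"]["$date"],
            "ip": str(addr),
            "component": entry.get("c"),
            "event": entry.get("msg"),
            "user": entry.get("attr", {}).get("principalName"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG, IOC_NETWORKS):
        print(hit)
```

A hit on a successful authentication is the one to escalate; a hit on a failed authentication or a bare connection still tells you the listed infrastructure was probing your cluster and is worth recording in the incident timeline.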
Take Action:
If you are using MongoDB Atlas clusters, review your access logs against the published IPs as indicators of compromise. If you have not already done it 🙄, enable MFA or link Atlas to your SSO. Keep an eye on the alerts page.
For cyber insurance carriers, try to capture the accumulation of cloud service dependencies across your book. It’s difficult, but it will help you with your accumulation assessment at the end of the year.