Threat Intelligence Brief – August 2017

TECH TALK

With email phishing’s continued popularity and effectiveness, it’s important that we expand on last month’s topic with an overview of email header analysis.

Analyzing email headers can help you determine if the email is spoofed, that is, manipulated so that it appears to come from a familiar source. Spoofed emails are designed to appear legitimate, especially if the adversary has done their homework and knows who works in the organization, what their roles are, and details about current projects and issues within the organization.

Contacting the sender – preferably through means other than email – to verify its source should be your first response to a suspicious email. If they deny sending the message, follow your organization’s policy for handling phishing emails.

However, if you’re unable to verify with the sender, or prefer a more direct approach to determining the legitimacy, you can analyze the email header.

Analyzing Email Headers

By analyzing the email’s header data, you can determine where it originated and which servers handled it on the way to you.

Accessing the header data varies by email client, so we’ve provided two examples:

  • Web-based (Gmail)
  • Client-based (Outlook)

Gmail: Log into your Gmail account and open a message. On the top-right hand side of the opened message will be a drop-down arrow. Click on this arrow and select “Show Original.” This will change the format of the email to display the email header at the top.

Outlook: Open the Outlook email client, and then open the email in question. With the email open, select “View” and then “Message Options”. If your version of Outlook doesn’t have the “View” option, select “File” and then “Properties”.

NOTE: If the email is obviously a phishing email, don’t open it; follow your organization’s phishing email policy.

Example email header:

Return-path: <sender@senderdomain.tld>
Delivery-date: Wed, 13 Apr 2011 00:31:13 +0200
Received: from mailexchanger.recipientdomain.tld (ccc.ccc.ccc.ccc) by mailserver.recipientdomain.tld running ExIM with esmtp id xxxxxx-xxxxxx-xxx; Wed, 13 Apr 2011 01:39:23 +0200
Received: from mailserver.senderdomain.tld (bbb.bbb.bbb.bbb) helo=mailserver.senderdomain.tld by mailexchanger.recipientdomain.tld with esmtp id xxxxxx-xxxxxx-xx for recipient@recipientdomain.tld; Wed, 13 Apr 2011 01:39:23 +0200
Received: from senderhostname (aaa.aaa.aaa.aaa) (helo=senderhostname) by mailserver.senderdomain.tld with esmtpa (Exim x.xx) (envelope-from <sender@senderdomain.tld>) id xxxxx-xxxxxx-xxxx for recipient@recipientdomain.tld; Tue, 12 Apr 2011 20:36:08 -0100
Message-ID: <xxxxxxxx.xxxxxxxx@senderdomain.tld>
Date: Tue, 12 Apr 2011 20:36:01 -0100
X-Mailer: Mail Client
From: Sender Name <sender@senderdomain.tld>
To: Recipient Name <recipient@recipientdomain.tld>
Subject: Message Subject

It’s important to note that this is a basic email header format; most real headers are longer and include more data (authentication results, spam scores, and client-specific X- headers). The same process for accessing and reading the data applies.

Each “Received: from” entry represents a different stop on the email’s journey from the source to your inbox. Every server that handles the message adds its own “Received” line at the top, so the data is presented in reverse order with the last stop on top. Only the lines added by servers you control can be trusted; anything below the first entry written by your own mail infrastructure was supplied by the sending side and can be forged. Read from the top down and treat the IP address recorded by your own mail exchanger as the first reliable fact about where the message came from.

From the example above:

Received: from mailexchanger.recipientdomain.tld (ccc.ccc.ccc.ccc) by mailserver.recipientdomain.tld running ExIM with esmtp id xxxxxx-xxxxxx-xxx; Wed, 13 Apr 2011 01:39:23 +0200

This data shows the delivery of the message from the mail exchanger, IP address ccc.ccc.ccc.ccc, to your mail server mailserver.recipientdomain.tld (obviously this is an example and not actually your mail server).

Received: from mailserver.senderdomain.tld (bbb.bbb.bbb.bbb) helo=mailserver.senderdomain.tld by mailexchanger.recipientdomain.tld with esmtp id xxxxxx-xxxxxx-xx for recipient@recipientdomain.tld; Wed, 13 Apr 2011 01:39:23 +0200

The next entry down shows the delivery of the message from the sender’s mail server, IP address bbb.bbb.bbb.bbb, to the mail exchanger. Because your mail exchanger wrote this line, bbb.bbb.bbb.bbb is the address that actually connected to your infrastructure and is the most reliable indicator in the header.

Received: from senderhostname (aaa.aaa.aaa.aaa) (helo=senderhostname) by mailserver.senderdomain.tld with esmtpa (Exim x.xx) (envelope-from <sender@senderdomain.tld>) id xxxxx-xxxxxx-xxxx for recipient@recipientdomain.tld; Tue, 12 Apr 2011 20:36:08 -0100

Finally, the last entry shows the delivery of the message to the sender’s mail server from their host, IP address aaa.aaa.aaa.aaa. More importantly, this reveals the mailbox the message was sent from, sender@senderdomain.tld, recorded here as the envelope-from. Keep in mind that this line was written by the sender’s server, not yours, so its contents are only as trustworthy as that server. If the envelope-from or the “Return-Path” does not match the “From” address shown in your mail client, the visible sender has been spoofed.

In addition to the sender’s mail server, you should also check the “Reply-To” entry.

Applying These Learnings

The “Reply-To” header appears after the routing information above and names the address that replies are sent to; if it is absent, replies go to the “From” address. Typically, in phishing emails that spoof the sender address, the “Reply-To” address is spoofed as well. This is because, often, the adversaries aren’t interested in a response from the person being phished. Instead, they’re simply delivering a payload, which may be an attachment or an embedded script. When the “Reply-To” domain differs from the “From” domain, treat the message as suspicious.

It’s important to note that if the “Reply-To” field is set to a valid email address within your company and you reply to this email, you may have potentially helped the adversaries spread their payload.
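The following script is an added example for this brief, not code from the original page or from any tool it mentions. It walks the “Received” chain in the order the message actually travelled, marks the trust boundary where your own servers start writing header lines, and compares the “From”, “Return-Path”, envelope-from and “Reply-To” identities as described above. It goes slightly beyond the text by also checking that hop timestamps do not run backwards. The sample header is constructed from the brief’s example with RFC 5737 documentation addresses in place of the aaa/bbb/ccc placeholders, recipientdomain.tld is assumed to be your own mail domain, and the “Reply-To” has been set to a made-up attackerdomain.tld so the mismatch check has something to report.

```python
"""Walk an email's Received chain and compare sender identities (added example)."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, not a real message. Modelled on the brief's example with
# RFC 5737 documentation IPs; Reply-To deliberately points at another domain.
SAMPLE_HEADER = """\
Return-Path: <sender@senderdomain.tld>
Received: from mailexchanger.recipientdomain.tld (192.0.2.5)
\tby mailserver.recipientdomain.tld with esmtp id xxxxxx-xxxxxx-xxx;
\tWed, 13 Apr 2011 01:39:23 +0200
Received: from mailserver.senderdomain.tld (198.51.100.25) helo=mailserver.senderdomain.tld
\tby mailexchanger.recipientdomain.tld with esmtp id xxxxxx-xxxxxx-xx
\tfor recipient@recipientdomain.tld; Wed, 13 Apr 2011 01:39:23 +0200
Received: from senderhostname (203.0.113.10) (helo=senderhostname)
\tby mailserver.senderdomain.tld with esmtpa (Exim x.xx)
\t(envelope-from <sender@senderdomain.tld>) id xxxxx-xxxxxx-xxxx
\tfor recipient@recipientdomain.tld; Tue, 12 Apr 2011 20:36:08 -0100
Message-ID: <xxxxxxxx.xxxxxxxx@senderdomain.tld>
Date: Tue, 12 Apr 2011 20:36:01 -0100
From: Sender Name <sender@senderdomain.tld>
Reply-To: Sender Name <sender@attackerdomain.tld>
To: Recipient Name <recipient@recipientdomain.tld>
Subject: Message Subject

"""

# Assumption: hosts under this suffix are ours, so Received lines they wrote are trusted.
OUR_MAIL_DOMAIN = "recipientdomain.tld"

HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"          # name the connecting side presented
    r"(?:\s+\((?P<from_info>[^)]*)\))?"   # optional (IP / reverse-DNS / helo) block
    r".*?\bby\s+(?P<by_host>\S+)",        # the server that wrote this Received line
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
ENVELOPE_FROM_RE = re.compile(r"envelope-from\s+<([^>]*)>", re.IGNORECASE)


def parse_received(value):
    """Turn one Received header value into a hop dict (folding whitespace collapsed)."""
    value = re.sub(r"\s+", " ", value).strip()
    m = HOP_RE.search(value)
    hop = {
        "from_host": m.group("from_host") if m else None,
        "from_info": m.group("from_info") if m else None,
        "by_host": m.group("by_host") if m else None,
        "ip": None, "envelope_from": None, "timestamp": None,
    }
    ip = IP_RE.search(value)
    if ip:
        hop["ip"] = ip.group(0)            # first IP literal: the connecting client
    env = ENVELOPE_FROM_RE.search(value)
    if env:
        hop["envelope_from"] = env.group(1).lower()
    if ";" in value:                        # RFC 5322: date-time follows the last ';'
        try:
            hop["timestamp"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def domain_of(addr):
    """Domain part of a display-name/address header value, lower-cased."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else None


def analyze_headers(raw, our_domain=OUR_MAIL_DOMAIN):
    msg = email.message_from_string(raw)
    # Each hop prepends its Received line, so top of header = last hop.
    # Reverse so hops[0] is the origin and hops[-1] is our own mailbox server.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings = []

    # Walk back from our side: the last hop whose 'by' host is ours records the
    # IP that really connected to us; everything before it is sender-controlled.
    last_trusted_ip = None
    for hop in reversed(hops):
        by = (hop["by_host"] or "").lower()
        if by == our_domain or by.endswith("." + our_domain):
            last_trusted_ip = hop["ip"]
        else:
            break
    if last_trusted_ip is None:
        findings.append("no Received line written by our own servers")

    # Timestamps should not run backwards along the path (small skew is normal).
    stamps = [h["timestamp"] for h in hops if h["timestamp"]]
    if any(later < earlier for earlier, later in zip(stamps, stamps[1:])):
        findings.append("Received timestamps out of order")

    from_dom = domain_of(msg.get("From"))
    return_path_dom = domain_of(msg.get("Return-Path"))
    reply_to_dom = domain_of(msg.get("Reply-To"))
    origin_env = hops[0]["envelope_from"] if hops else None
    if return_path_dom and from_dom and return_path_dom != from_dom:
        findings.append(f"Return-Path domain {return_path_dom} != From domain {from_dom}")
    if origin_env and domain_of(origin_env) != from_dom:
        findings.append(f"envelope-from {origin_env} does not match From domain {from_dom}")
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append(f"Reply-To domain {reply_to_dom} != From domain {from_dom}")
    return {"hops": hops, "last_trusted_ip": last_trusted_ip, "findings": findings}


if __name__ == "__main__":
    report = analyze_headers(SAMPLE_HEADER)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: {hop['from_host']} ({hop['ip']}) -> {hop['by_host']} at {hop['timestamp']}")
    print("IP that connected to our servers:", report["last_trusted_ip"])
    print("findings:", report["findings"] or "none")
```

Paste the header copied from “Show Original” or “Properties” in place of SAMPLE_HEADER and set OUR_MAIL_DOMAIN to your own domain. The IP reported as “connected to our servers” is the one worth looking up or blocking; the hops before it are the sender’s claims, not evidence.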

This overview was intended only as an aid for identifying a spoofed email. It cannot be stressed enough that you should follow your organization’s phishing email policy. There’s other valuable information in an email header that security personnel will use for improving your defenses and reporting the phishing attempt.

Check out the links below for more information regarding email header analysis or tools that automate the process.

Malicious IPs

We’ve seen the following IPs involved in various malicious activity and have taken steps to block them from our environment. We highly recommend blocking these IPs until they can be remediated and no longer pose a threat. It’s prudent to heavily scrutinize any communications from your network to these IPs, especially C2 nodes.

IP Address         Attack Signature                Geo Location
173.208.149.170    C2 Node                         United States
198.204.225.34     Attacking Web Application       United States
173.208.129.58     SSH Brute Force                 United States
192.187.98.82      SMB Attacks                     United States
185.7.215.164      Malware Scanner                 France
195.154.211.217    Attacking Web Application       France
173.208.249.74     SIP Attacks                     United States
195.154.217.211    WordPress Brute Force           France
173.208.146.6      WordPress Brute Force           United States
173.208.238.227    Attacking Web Application       United States
94.102.51.154      Exploit Scanner                 Netherlands
142.54.166.220     SSH Brute Force                 United States
183.1.88.97        CSRF + Privilege Escalation     China
103.226.214.1      RDP Attacks                     Taiwan

Security News

ORACLE ATTEMPTS TO PLUG SOME CRITICAL HOLES IN JULY

Oracle released 300+ patches on July 18th, including one addressing CVE-2017-10244. At the time of publication, hundreds of vulnerable internet-connected Oracle E-Business Suite (EBS) systems had been discovered through initial scans. Exploitation of these vulnerable systems allows an attacker to download all documents stored in EBS, potentially exposing sensitive business data. It’s recommended that you patch immediately while taking into account install time and potential impact to your applications and data.

Read more

SECURING YOUR OWN PUBLIC CLOUD DATA IS A FULL-TIME JOB

Some high-profile customers of Amazon’s Simple Storage Service (S3) were negatively impacted in July due to poorly implemented security in their public cloud deployments. In defense of AWS S3, it’s not a managed service or a managed security platform. Rather, it’s a public cloud data repository that customers manage and secure themselves. This being the case, businesses looking to extend their enterprises into the cloud must understand the service levels of the cloud subscription as well as the sensitivity of the data they host there. The peace of mind provided by a properly secured cloud service is a long-term rather than short-term benefit, but it usually outweighs the cost.

Read more

VAULT 7

Say what you will about Wikileaks and their Vault 7 series, if you aren’t reading the documents they are releasing, you can rest assured your adversaries are. This month’s leaks describe tools and techniques that adversaries will certainly reverse engineer and eagerly leverage.

Read more