Analysis of the available data of the January attack, in which virtual threats had to really respond
In past years, centralized attacks were carried out using IP telephony, now a new round, but using email. Let us analyze the available electronic data on this attack.
Updated information on 02/01/2019.
Problem:
2017: “The anonymity of the call is ensured by the fact that an attacker, using IP telephony, can substitute any number of the caller, including the numbers of real non-involved subscribers from anywhere in the world. This IP telephony feature makes it difficult for security officials to work. The connection of the voice gateway of IP-telephony to the networks of telecom operators often occurs illegally, with the substitution of the caller’s number, IP addresses and other identifiers ”
2019: According to the press services of the administrations and from the staff of medical institutions and schools in different regions and cities, to their electronic Mail received messages with threats and the requirement to perform certain actions.
Law enforcement agencies together with the executive authorities began to act in accordance with their powers, which meant checking each message.
Institutions that were listed in the text of the letters, began to hold emergency events.
None of the facts on the received threats were confirmed, the work of the institutions was resumed in full.
Initial data:
Попробуем абстрагироваться от ситуации в целом и пройтись по пунктам из некоторых опубликованных в открытом доступе электронных писем, фото которых представлены ниже.
Данных по информации по «служебным заголовкам» в письмах нет.
Данных по информации по «служебным заголовкам» в письмах нет.
Data analysis:
All emails were sent by using the free mail service mailfence dot com, which positions itself as a “secure and confidential email service.”
At the moment, some providers in the Russian Federation have restricted access to this service.
We will try to enter this service and register. We get such a refusal:
With the use of a VPN plug-in, you can go a little further and register:
However, here we have this choice from the possible email addresses.
Thus, there is a suspicion that the email addresses that were used in the attack were created quite a long time ago on this system, when there was such an opportunity to choose another domain name earlier. This means that the attack was not spontaneous, and the addresses were created earlier by some pool.
And why do we need to create a mailbox in this service?
When registering, you must specify your working email address, which will send a link to confirm registration with the service.
Next, we check how the password reset process takes place in this service .
Enter your username and / or your e-mail address: Enter the username or e-mail
(in the test case we have mail.ru) and we get:
To reset your password, an e-mail was sent to:
sin***@***mail.ru
Thus, we can find out the first three characters of the user name and the last 5 characters of the second-level mail domain. (thanks michaelkl for the comment! )
Moreover, when requesting a password reset, you can specify a username or email.
And according to the addresses from the sent e-mails, when requesting a password reset, you can specify only e-mail.
putin.fsb2@mailfence.com
was sent to:
kul***@***too.email
just.bro@mailfence.com
To reset your password, it was not sent :
bbl***@***imail.com
A single thread leads to gmail.com:
kor.bol@mailfence.com
to reset your password, an e-mail was sent to:
vov***@***gmail.com
Here you can search for the full address, but for a long time:
This address By the way, it’s knocked out of the whole list by the fact that it has a connection with gmail.com.
Another address is in the same
place
:
kiano.lok@mailfence.com
There is a suspicion that it is a simulator, like an option, which is on the wave Newsletters also contributed, but with mercenary purposes, to commit their evil intent in place in the confusion of events (theft, deletion of data, when no one is near, etc.).
Further, if somewhere in the address numbers have, then, a little bit of changing or cleaning, we can still check these addresses:
putin.fsb@mailfence.com
the To the reset your password, an an e-mail sent to WAS:
poc *** @ *** cloud.info
putin.fsb1@mailfence.com
about your password, an e-mail was sent to:
joo***@***mail.com
putin.fsb3@mailfence.com
To reset your password, an e-mail an WAS sent to:
bud***@***email.com
putin.fsb4@mailfence.com
the to the reset your password, an an e-mail sent to WAS:
bep***@***itnow.com
Thus, you can still expect to receive letters from these email addresses.
And here, nevertheless, for the registration in the mailfence dot com, the service temp-mail dot org was used,
As a result, two different mail services were used in eight email addresses.
Addition: new letters also come from the free mail mail dot bg mail server.
jekson.lo1@mailfence.com
about your password, an e-mail was sent to:
pet***@***mail.bg
Data from Mosigra:
habr.com/ru/company/mosigra/blog/439036
laki. kak@mailfence.com
the to the reset your password, an an e-mail sent to WAS:
ale***@***mail.uk
How chosen victim for the attack, according to the mailing lists shows that the addresses were copied from websites of state institutions or " They were driven in "manually, because this data is in the public domain.
The range of simultaneous recipients in the letters (2-6-10) is small, so that the mail servers do not restrict the distribution and the letters do not fall into the "Spam" folder.
Excerpts from the service headers:
Received: from wilbur.contactoffice.com (wilbur.contactoffice.com [212.3.242.68])
(Client certificate not present)
Return-Path: putin.fsb3@mailfence.com
domain of mailfence.com designates 212.3.242.68 as permitted sender,
rule=[ip4:212.3.242.64/26]) smtp.mail=putin.fsb3@mailfence.com; dkim=pass
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailfence.com;
X-Priority: 3
Reply-To: Putin FSB <putin.fsb3@mailfence.com>
From: Putin FSB <putin.fsb3@mailfence.com>
X-Mailer: ContactOffice Mail
X-ContactOffice-Account: com:188677102
Received: from mxfront13g.mail.yandex.net ([127.0.0.1])
by mxfront13g.mail.yandex.net with LMTP id a6sJli0I
for <info@mosigra.ru>; Tue, 5 Feb 2019 11:00:14 +0300
Received: from wilbur.contactoffice.com (wilbur.contactoffice.com [212.3.242.68])
by mxfront13g.mail.yandex.net (nwsmtp/Yandex) with ESMTPS id jttuF4mQRo-0DAa1MBL;
Tue, 05 Feb 2019 11:00:13 +0300
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(Client certificate not present)
Return-Path: laki.kak@mailfence.com
X-Yandex-Front: mxfront13g.mail.yandex.net
X-Yandex-TimeMark: 1549353613
Authentication-Results: mxfront13g.mail.yandex.net; spf=pass (mxfront13g.mail.yandex.net: domain of mailfence.com designates 212.3.242.68 as permitted sender, rule=[ip4:212.3.242.64/26]) smtp.mail=laki.kak@mailfence.com; dkim=pass header.i=@mailfence.com
X-Yandex-Spam: 2
X-Yandex-Fwd: MzM4MDAwNDcyNDYzOTM2Mzg1OSwyMTg3Njc1NDQ5ODIwMzIwNzMz
Received: from ichabod.co-bxl (ichabod.co-bxl [10.2.0.36])
by wilbur.contactoffice.com (Postfix) with ESMTP id 16350329D;
Tue, 5 Feb 2019 09:00:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailfence.com;
s=20160819-nLV10XS2; t=1549353613;
bh=gADFkQslj8dDCkx+Y9OhJNmeT7fosViIkpUDPPk1UO8=;
h=Date:To:Subject:Reply-To:From:From;
b=Th6eWs74xYE35Y5pouZD/9vbA/oJZ6jyrtzWrMs3XilthYjL3DnwVm1SiysHGHr4J
6ROHYI/HMAnLOJfv+JsKC574UzsmjU1yhikwYLakMPTWKiqcR6knC4mXkfWFm/fXHU
LPod1MeMeNlD1rqEXnkr8wJk4GX/s6DzCUVxC5qzcv6ChEwa5DJOvIg0mxMxP9UfMr
LaPBQIGOiELGYfFOWi8XwGW1BDFfKXCgE0vxYYo8lqgXuXN720BHTv+CksccUdo44v
KyDZEQYqM7J3JhjL8GCiaWxfLBbEkLqYCHnRUEGyKbC2pqT23c2TaafXXW7g5raN63
WyVocjjQbTDpA==
Date: Tue, 5 Feb 2019 09:00:10 +0100 (CET)
Message-ID: <790975597.619629.1549353610731@ichabod.co-bxl>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
To: info@torrogrill.ru, kapitoly_adm@cosmik.ru, kashirskaya.enkatc@enka.com,
6112158@re-reserved.ru, info@mosigra.ru, info@toy.ru,
filion@minisolife.ru, 6412027@re-reserved.ru, info@modi.ru,
office@melonfashion.ru
Subject: =?utf-8?B?0L7RgtCy0LXRgiDQvdCwINC30LDQv9GA0L7RgQ==?=
X-Priority: 3
Reply-To: laki kak <laki.kak@mailfence.com>
From: laki kak <laki.kak@mailfence.com>
X-Mailer: ContactOffice Mail
X-ContactOffice-Account: com:190697286
X-Yandex-Forward: c4503a689c840ee5c1704413e6045827
(Client certificate not present)
Return-Path: putin.fsb3@mailfence.com
domain of mailfence.com designates 212.3.242.68 as permitted sender,
rule=[ip4:212.3.242.64/26]) smtp.mail=putin.fsb3@mailfence.com; dkim=pass
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailfence.com;
X-Priority: 3
Reply-To: Putin FSB <putin.fsb3@mailfence.com>
From: Putin FSB <putin.fsb3@mailfence.com>
X-Mailer: ContactOffice Mail
X-ContactOffice-Account: com:188677102
Received: from mxfront13g.mail.yandex.net ([127.0.0.1])
by mxfront13g.mail.yandex.net with LMTP id a6sJli0I
for <info@mosigra.ru>; Tue, 5 Feb 2019 11:00:14 +0300
Received: from wilbur.contactoffice.com (wilbur.contactoffice.com [212.3.242.68])
by mxfront13g.mail.yandex.net (nwsmtp/Yandex) with ESMTPS id jttuF4mQRo-0DAa1MBL;
Tue, 05 Feb 2019 11:00:13 +0300
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(Client certificate not present)
Return-Path: laki.kak@mailfence.com
X-Yandex-Front: mxfront13g.mail.yandex.net
X-Yandex-TimeMark: 1549353613
Authentication-Results: mxfront13g.mail.yandex.net; spf=pass (mxfront13g.mail.yandex.net: domain of mailfence.com designates 212.3.242.68 as permitted sender, rule=[ip4:212.3.242.64/26]) smtp.mail=laki.kak@mailfence.com; dkim=pass header.i=@mailfence.com
X-Yandex-Spam: 2
X-Yandex-Fwd: MzM4MDAwNDcyNDYzOTM2Mzg1OSwyMTg3Njc1NDQ5ODIwMzIwNzMz
Received: from ichabod.co-bxl (ichabod.co-bxl [10.2.0.36])
by wilbur.contactoffice.com (Postfix) with ESMTP id 16350329D;
Tue, 5 Feb 2019 09:00:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailfence.com;
s=20160819-nLV10XS2; t=1549353613;
bh=gADFkQslj8dDCkx+Y9OhJNmeT7fosViIkpUDPPk1UO8=;
h=Date:To:Subject:Reply-To:From:From;
b=Th6eWs74xYE35Y5pouZD/9vbA/oJZ6jyrtzWrMs3XilthYjL3DnwVm1SiysHGHr4J
6ROHYI/HMAnLOJfv+JsKC574UzsmjU1yhikwYLakMPTWKiqcR6knC4mXkfWFm/fXHU
LPod1MeMeNlD1rqEXnkr8wJk4GX/s6DzCUVxC5qzcv6ChEwa5DJOvIg0mxMxP9UfMr
LaPBQIGOiELGYfFOWi8XwGW1BDFfKXCgE0vxYYo8lqgXuXN720BHTv+CksccUdo44v
KyDZEQYqM7J3JhjL8GCiaWxfLBbEkLqYCHnRUEGyKbC2pqT23c2TaafXXW7g5raN63
WyVocjjQbTDpA==
Date: Tue, 5 Feb 2019 09:00:10 +0100 (CET)
Message-ID: <790975597.619629.1549353610731@ichabod.co-bxl>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
To: info@torrogrill.ru, kapitoly_adm@cosmik.ru, kashirskaya.enkatc@enka.com,
6112158@re-reserved.ru, info@mosigra.ru, info@toy.ru,
filion@minisolife.ru, 6412027@re-reserved.ru, info@modi.ru,
office@melonfashion.ru
Subject: =?utf-8?B?0L7RgtCy0LXRgiDQvdCwINC30LDQv9GA0L7RgQ==?=
X-Priority: 3
Reply-To: laki kak <laki.kak@mailfence.com>
From: laki kak <laki.kak@mailfence.com>
X-Mailer: ContactOffice Mail
X-ContactOffice-Account: com:190697286
X-Yandex-Forward: c4503a689c840ee5c1704413e6045827
Recommendations:
Whenever possible, system administrators of institutions check emails more often, create a filter for letters from “mailfence dot com” in a separate folder and immediately report them, according to their job descriptions, save service headers and all data for further analysis.
Tactic:
Just the same question - why are so many email addresses used in mailing lists?
The answer is simple - the Achilles' heel of the service used is the monetization of services and the possibility of registering through one-time mailboxes (one-time mail service).
1. So, most likely, all accounts used for mailing are now on a free plan, which includes only 500 MB emails.
If this box is “filled up” with messages with attachments and overfilled, then it will first have to be cleaned in order to make further distribution. Paid plans are already payment for services and additional opening of your bank data.
So, you can help with this by sending letters as large as possible to the addresses below.
putin.fsb@mailfence.com
putin.fsb1@mailfence.com
putin.fsb2@mailfence.com
putin.fsb3@mailfence.com
putin.fsb4@mailfence.com
just.bro@mailfence.com
kor.bol@mailfence.com
kiano .lok @ mailfence.com
jekson.lo1@mailfence.com
laki.kak@mailfence.com
2. Taking control of mailboxes by resetting the password and selectinglogin through a one-time mail service .
Theoretically, it is possible to get access to the mailboxes listed in item 1 if you can perform a large amount of actions:
- pick up the desired login and domain in the temp-mail dot org
- send a password reset command to the mailfence address dot-com
- get a reset letter password in the temp-mail org dot
- log in to the mailfence account at the com dot
Data for the selection (where * is one or more characters (1-4 Latin letters most likely) in the user name):
Difficult situation:
password reset - putin.fsb1 @ mailfence.com
one-time mail service - joo*@321-email.com
one-time mail service - joo * @ b raun4email.com
one-time mail service - joo*@utooemail.com
password reset - putin.fsb3@mailfence.com
one-time mail
service - bud*@321-email.com
one-time mail service - bud*@braun4email.com one-time mail service - bud * @ utooemail .com
There is only one domain to check:
password reset - putin.fsb2@mailfence.com
disposable mail service - kul*@utoo.email
password reset - putin.fsb4@mailfence.com
disposable mail service - bep*@4senditnow.com
reset password - just.bro@mailfence.com
disposable mail service - bbl*@heximail.com
3. As an option, by searching (pressing the "delete" button in the service) the staffed suggested logins(length 4-8 characters) find from the proposed new login something that starts with kul / bep / bbl / bud / joo .
Item 3 can be implemented using software methods.
If anyone is interested and can find access to at least one mailbox through a large brute force of data on the login in the one-time mail service and can (block) stop the mailing from it - it will be great.
We will not dwell on the linguistic and stylistic analysis of the content of the letters, although, coupled with spelling errors and some consonant syllables in the text, there is something to think about. However, it is possible that this dialectic was introduced into the text specifically for compromise.
This article is related to analytical topics, please follow the rules of the resource in the comments and not go beyond the generally accepted framework.