Cyber Security Alert: Do you use MailChannels? 2M domains open to phishing attacks.


Overview: Security researchers recently uncovered a straightforward method to spoof more than 2 million domains, raising significant concerns in the cyber security community.

Risk Factor: Critical

Date: Sept 2023


Solace Cyber security specialists can perform a detailed mail security review and assist you with your supply chain risk.

What We Know About The MailChannels Spoofing Issue

The news follows the recent DEF CON hacking conference, where Marcello Salvati, a researcher affiliated with Rapid7, gave an eye-opening talk demonstrating a method for leveraging the “biggest transactional email service” and Cloudflare to circumvent the safeguards of SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

While some of the issues shared in the talk have since been partially mitigated, particularly around Cloudflare Workers and MailChannels, a significant concern remains.

What is the ongoing risk to MailChannels Users?

The issue poses a substantial risk for MailChannels customers, as well as those whose hosting providers rely on their services. Even if your domain has SPF and DMARC measures well-configured, the possibility remains that your domain could be maliciously spoofed by other MailChannels customers.

This alarming revelation underscores the persistent challenges in ensuring the security and authenticity of email communications, compelling organisations to remain vigilant and consider additional protective measures to safeguard their digital identities.

What’s The Impact on MailChannels Services?

Including the MailChannels SPF record may expose domains and their users to impersonation. MailChannels has since introduced a lockdown record to address this, but because a large share of the 2 million affected domains has not deployed it, the door remains open to widespread misuse of the MailChannels service.

The researcher highlights the absence of sender identity verification: anyone can register on the MailChannels website for a mere $80 and use its “normal” SMTP relay to spoof the domains of other customers.

Furthermore, another finding is the service’s adoption of ARC (Authenticated Received Chain), an email authentication mechanism that can lower the spam scores assigned to relayed mail.

Solace Cyber’s threat researchers, utilising SMTP, have validated these findings as genuine threats, emphasising the importance of organisations implementing countermeasures promptly.

Solace Cyber Recommendations

Ensure that your organisation has adequate email safeguards activated, including SPF, DMARC, and DKIM protocols.

Confirm the integrity of your SPF record and check whether it includes MailChannels; if present, the entry looks like this: “include:relay.mailchannels.net”. Verify that every other entry in your SPF record is still needed, and if the MailChannels entry is unnecessary, remove it from your SPF configuration along with any other superfluous entries.

Alternatively, if you do require the MailChannels SPF record, add the recommended MailChannels lockdown TXT record. You may need to ask your web hosting provider to do this.

  1. Create a DNS TXT record named _mailchannels.yourdomain.com, replacing yourdomain.com with your domain name.
  2. In that TXT record, specify one or more MailChannels account IDs (auth) or sender IDs (senderid) that are permitted to send email for your domain, using the following syntax: v=mc1 auth=myhostingcompany senderid=mysenderid
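As an added check (example code written for this article, not from the original alert or from MailChannels), the following Python walks a domain’s SPF include chain to see whether it pulls in relay.mailchannels.net, and then looks for a _mailchannels lockdown record in the v=mc1 syntax above. The DNS answers, domain names and the hosting company name are constructed placeholders; in practice, feed it the TXT strings returned by dig.

```python
"""Assess whether a domain that relies on MailChannels has a lockdown record.

Added example, not code from the original alert. DNS answers below are
constructed samples so the script runs offline; replace lookup_txt() with a
real resolver (or paste in `dig TXT <name>` output) for live checks.
"""

MAILCHANNELS_INCLUDE = "include:relay.mailchannels.net"
SPF_LOOKUP_LIMIT = 10  # RFC 7208 caps DNS-querying mechanisms at 10

# Constructed sample DNS answers: record name -> list of TXT strings.
SAMPLE_DNS = {
    "uses-mc.example": ["v=spf1 include:relay.mailchannels.net include:_spf.other.example -all"],
    "_mailchannels.uses-mc.example": ["v=mc1 auth=myhostingcompany senderid=mysenderid"],
    "no-lockdown.example": ["v=spf1 include:relay.mailchannels.net ~all"],
    # MailChannels reached only indirectly, via the hosting provider's SPF record.
    "hosting-chain.example": ["v=spf1 include:_spf.myhostingcompany.example -all"],
    "_spf.myhostingcompany.example": ["v=spf1 include:relay.mailchannels.net -all"],
    "no-mc.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}


def lookup_txt(name, dns=SAMPLE_DNS):
    """Return the TXT strings for a name (case-insensitive, empty if absent)."""
    return dns.get(name.lower(), [])


def spf_record(domain, dns=SAMPLE_DNS):
    """Return the single v=spf1 record for a domain, or None (none or several)."""
    recs = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None  # multiple SPF records is a misconfiguration


def spf_includes_mailchannels(domain, dns=SAMPLE_DNS, depth=0, seen=None):
    """True if the domain's SPF record, or any include: it references, names MailChannels."""
    if seen is None:
        seen = set()
    domain = domain.lower()
    if depth > SPF_LOOKUP_LIMIT or domain in seen:  # bound recursion and break loops
        return False
    seen.add(domain)
    spf = spf_record(domain, dns)
    if spf is None:
        return False
    for term in spf.split()[1:]:
        term = term.lower().lstrip("+")  # '+include:' is equivalent to 'include:'
        if term == MAILCHANNELS_INCLUDE:
            return True
        if term.startswith("include:"):
            if spf_includes_mailchannels(term[len("include:"):], dns, depth + 1, seen):
                return True
    return False


def parse_lockdown(txt):
    """Parse 'v=mc1 auth=... senderid=...' into {'auth': [...], 'senderid': [...]}."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=mc1":
        return None
    out = {"auth": [], "senderid": []}
    for term in terms[1:]:
        key, sep, value = term.partition("=")
        if sep and key.lower() in out and value:
            out[key.lower()].append(value)
    return out


def lockdown_record(domain, dns=SAMPLE_DNS):
    """Return the parsed _mailchannels.<domain> lockdown record, or None."""
    for txt in lookup_txt("_mailchannels." + domain, dns):
        parsed = parse_lockdown(txt)
        if parsed is not None:
            return parsed
    return None


def assess(domain, dns=SAMPLE_DNS):
    """Return 'no-mailchannels', 'locked-down' or 'open-to-spoofing'."""
    if not spf_includes_mailchannels(domain, dns):
        return "no-mailchannels"
    lockdown = lockdown_record(domain, dns)
    # Assumption: a v=mc1 record listing neither auth nor senderid is treated as no lockdown.
    if lockdown and (lockdown["auth"] or lockdown["senderid"]):
        return "locked-down"
    return "open-to-spoofing"


if __name__ == "__main__":
    for d in ("uses-mc.example", "no-lockdown.example", "hosting-chain.example", "no-mc.example"):
        print(f"{d}: {assess(d)}")
```

Note that a domain can reach MailChannels only through its hosting provider’s include, so checking the top-level SPF string alone is not enough; the lockdown record still belongs at _mailchannels.<your domain>.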

Furthermore, it is advisable to evaluate your supply chain for potential vulnerabilities in their email configurations.


    Cyber Security Alert: Microsoft Teams leveraged to push DarkGate Malware

    Overview: Researchers have found that the DarkGate malware strain is being spread through phishing campaigns in Microsoft Teams by outside parties.

    Risk Factor: High

    Date: August 2023


    Solace Cyber security specialists can perform gap analysis of your current AV / EDR products to ensure all endpoints are protected.

    What We Know About The Microsoft Teams Phishing Campaign Pushing DarkGate Malware

    In a recent incident, security experts at Truesec observed Microsoft Teams messages originating from third-party accounts that delivered ZIP files purporting to come from the victim’s HR department.

    Initially, the attack commenced with a social engineering tactic aimed at enticing the recipient to click on the .zip file, which contained an LNK (shortcut) file masquerading as a PDF document.

    Upon execution, this file triggered a VBScript that downloaded a payload using curl.exe and ran it through AutoIT together with a compiled AutoIT script. VirusTotal identified the resulting file as DarkGate malware.

    The malware supports a range of malicious activities, including remote access tooling, cryptocurrency mining, keylogging and a built-in stealer.

    Security Awareness in Microsoft Teams

    Microsoft Teams, by default, permits external third parties to engage in communication through its platform. While many training resources focus on email as a potential threat vector, it’s crucial to educate your user base about the risks associated with external communications in Teams as well.

    It’s worth noting that even with security measures like Microsoft Safe Links and Safe Attachments in place, they may not provide complete protection against all types of threats. As seen in the incident investigated by Truesec, there can still be vulnerabilities and risks to address. Therefore, a multi-layered security approach that includes user awareness and training is essential to bolster your organization’s defence against evolving threats in platforms like Microsoft Teams.

    Emerging Phishing Threats: What’s The Impact?

    This particular phishing campaign is still in its early days.

    Given the limited range of mitigation methods currently available and the probability that users have not been adequately trained to recognise this specific threat vector, they may be more susceptible to this tactic compared to traditional email-based attacks.

    Solace Cyber Recommendations

    Educating staff about this specific threat vector is crucial. Prioritise raising awareness, similar to efforts against email phishing attacks.

    Given the restricted options for mitigation, it’s advisable to assess external messaging permissions. Administrators have the option to create an approved list of specific organisations allowed to communicate or, alternatively, block all third-party communications.

    Additionally, it’s essential to conduct a comprehensive gap analysis of your existing AV (Antivirus) and EDR (Endpoint Detection and Response) solutions to guarantee that all endpoints are equipped with functioning and current protection measures.

    Gap Analysis Support

    Solace Cyber can perform gap analysis of your current AV / EDR products to ensure all endpoints are protected.

      Navigating the Crossroads: The Impact of Cyber Security Threats on the Automotive Industry

      In an era marked by rapid technological advancements, the automotive industry is undergoing a transformative shift. With the advent of connected vehicles, autonomous driving, and integrated smart systems, vehicles have evolved from mere mechanical machines to sophisticated computers on wheels. While this evolution brings remarkable benefits, it also introduces a new frontier of challenges, primarily in the realm of cyber security. This blog explores the growing influence of cyber security threats on the automotive industry and the measures being taken to address these challenges.

      The Rise of Connected Vehicles and Vulnerabilities

      Connected vehicles have become a symbol of convenience and innovation. However, the integration of internet connectivity into cars also presents a potential gateway for cyber attackers. Hackers can exploit vulnerabilities in infotainment systems, telematics, and communication protocols to gain unauthorised access to a vehicle’s network. This access could lead to unauthorised control over critical functions, jeopardising passenger safety.

      Autonomous Vehicles and Their Security Quandaries

      The pursuit of autonomous driving has further intensified the need for robust cyber security. Autonomous vehicles rely on an array of sensors, cameras, and data-sharing mechanisms to navigate roads safely. Any compromise in the integrity of these systems could result in accidents or even intentional harm. Protecting these vehicles from hacking attempts is crucial to ensure public trust and safety in this transformative technology.

      Data Privacy and User Information

      Connected vehicles generate an immense amount of data related to driving patterns, user preferences, and geolocation. This data is not only valuable for manufacturers but also for malicious actors seeking to exploit personal information for financial gain or other nefarious purposes. Ensuring the privacy of user data has become a significant concern, necessitating stringent data protection measures.

      Supply Chain Vulnerabilities

      The automotive industry relies on a complex global supply chain, which can inadvertently introduce vulnerabilities. If even a single component or software module is compromised at any point in the supply chain, it could potentially expose the entire vehicle fleet to cyber threats. Collaborative efforts between manufacturers and suppliers are essential to establish a chain of trust and enhance cyber security resilience.

      Industry Response and Collaborative Initiatives

      Recognising the severity of cyber security threats, the automotive industry has begun taking proactive measures. Collaboration between automakers, technology companies, and cyber security experts has led to the development of best practices, guidelines, and standards specifically tailored to the industry’s unique challenges. Organisations like the Automotive Information Sharing and Analysis Center (Auto-ISAC) have been established to facilitate information sharing and coordination among industry stakeholders.

      Integration of Security by Design

      To mitigate cyber security risks, manufacturers are increasingly adopting a “security by design” approach. This strategy involves integrating cyber security measures at every stage of a vehicle’s development lifecycle. From concept and design to manufacturing and maintenance, security considerations are embedded to create a holistic and robust cyber security framework.

      The Comprehensive Solace Cyber Solution

      As the automotive industry accelerates toward a future defined by connectivity and automation, the spectre of cyber security threats looms large. The intersection of technology and transportation has brought unprecedented conveniences and efficiencies, but it has also exposed vehicles to new forms of risk.

      Organisational compute and infrastructure, such as classic on-premises server rooms, datacentres and cloud-based services, are all subject to regular attack, and the colocation of many services, often with network crossover between them, has simply increased the scope and reachability of the threat surface.

      By employing our Anticipate, Protect, and Respond strategy in the realm of cyber security, Solace Cyber has formulated a variety of service packages that can assist the industry in navigating this crossroad. These packages are built upon our core Real-time Risk Platform initially, scaling out to extend all the way up to our comprehensive safeguarding service suite of Solace Cyber Secure 360.

      By acknowledging these challenges and collectively working towards innovative solutions we can build a safer and more secure automotive landscape for everyone.

      Find out more about how Solace Cyber can support you on your cyber secure journey.

      Request a free 30-minute consultation

      If you’re concerned your business has fallen victim to a phishing or ransomware attack – get in touch with the incident response team today.

        CVE-2023-3519

        Cyber Security Alert: Citrix ADC and Gateway – Pre-Authentication RCE


        A critical pre-authentication vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) is currently being exploited by threat actors who have been able to execute code with zero credentials.

        Threat Name: CVE-2023-3519

        Risk Factor: Critical

        Date: July 2023


        Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis.

        What we know so far about the Citrix vulnerability

        A critical pre-authentication vulnerability in the NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) was discovered in the first week of July. This vulnerability is currently being exploited by threat actors and has been tracked as CVE-2023-3519, which carries a 9.8 CVSS.

        This has led Citrix to issue updates for affected products – it’s recommended that all those affected install the updates immediately.

        How the Zero Day Exploit CVE-2023-3519 works

        The vulnerability allows an attacker with zero credentials to execute code. Because the flaw is pre-authentication, MFA offers no protection in this scenario.

        The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerability:

        • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
        • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
        • NetScaler ADC 13.1-FIPS before 13.1-37.159
        • NetScaler ADC 12.1-FIPS before 12.1-55.297
        • NetScaler ADC 12.1-NDcPP before 12.1-55.297

        Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL) and remains vulnerable.

        Solace Cyber recommendations

        It is advisable to patch the system immediately and search for any web shells that may have been created, as this vulnerability has been used maliciously. The following guidance is recommended:

        Step 1) Review edited files within:

        • “/netscaler/ns_gui/”
        • “/var/vpn/”
        • “/var/netscaler/logon/”
        • “/var/python/”

        Step 2) Review HTTP error log files

        Step 3) Review shell log files

        If no evidence of exploitation is found, proceed with updating to the following versions of NetScaler ADC (Citrix ADC) and NetScaler Gateway (Citrix Gateway):

        • NetScaler ADC and NetScaler Gateway – 13.1-49.13 and later releases
        • NetScaler ADC and NetScaler Gateway – 13.0-91.13 and later
        • NetScaler ADC 13.1-FIPS – 13.1-37.159 and later
        • NetScaler ADC 12.1-FIPS – 12.1-55.297 and later
        • NetScaler ADC 12.1-NDcPP – 12.1-55.297 and later

        Solace Cyber can support your efforts in upgrading to the latest software versions. Additionally, our cyber security specialists can conduct forensic analysis to detect and determine the cause of a security incident and support recovery plans.

        Speak to a cyber security specialist

        Solace Cyber offers expert assistance with critical pre-authentication vulnerabilities

          CVE-2023-27997

          Cyber Security Alert: Fortigate Vulnerability

          Fortinet has rolled out an updated version of FortiOS/FortiProxy, to address a severe SSL-VPN component vulnerability.

          Threat Name: CVE-2023-27997

          Risk Factor: Critical

          Date: June 2023


          Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis

          What we know about the Fortigate – SSL VPN vulnerability

          The vulnerability, tracked as CVE-2023-27997, is a pre-authentication remote code execution vulnerability which, if left unpatched, could lead to critical organisational risk.

          The SSL-VPN vulnerability allows an attacker with zero credentials to execute arbitrary code at the pre-authentication stage, meaning the attacker can circumvent MFA.

          Which OS versions are affected by the vulnerability?

          • FortiOS-6K7K version 7.0.10
          • FortiOS-6K7K version 7.0.5
          • FortiOS-6K7K version 6.4.12
          • FortiOS-6K7K version 6.4.10
          • FortiOS-6K7K version 6.4.8
          • FortiOS-6K7K version 6.4.6
          • FortiOS-6K7K version 6.4.2
          • FortiOS-6K7K version 6.2.9 – 6.2.13
          • FortiOS-6K7K version 6.2.6 – 6.2.7
          • FortiOS-6K7K version 6.2.4
          • FortiOS-6K7K version 6.0.12 – 6.0.16
          • FortiOS-6K7K version 6.0.10
          • FortiProxy version 7.2.0 – 7.2.3
          • FortiProxy version 7.0.0 – 7.0.9
          • FortiProxy version 2.0.0 – 2.0.12
          • FortiProxy 1.2 all versions
          • FortiProxy 1.1 all versions
          • FortiOS version 7.2.0 – 7.2.4
          • FortiOS version 7.0.0 – 7.0.11
          • FortiOS version 6.4.0 – 6.4.12
          • FortiOS version 6.0.0 – 6.0.16

          Solace Cyber recommendations

          The public disclosure of this vulnerability will likely help adversaries leverage it, so it is highly recommended that patches are applied before further exploitation takes place.

          Above all, we strongly advise updating to the following versions:

          • FortiOS-6K7K version 7.0.12 or above
          • FortiOS-6K7K version 6.4.13 or above
          • FortiOS-6K7K version 6.2.15 or above
          • FortiOS-6K7K version 6.0.17 or above
          • FortiProxy version 7.2.4 or above
          • FortiProxy version 7.0.10 or above
          • FortiProxy version 2.0.13 or above
          • FortiOS version 7.4.0 or above
          • FortiOS version 7.2.5 or above
          • FortiOS version 7.0.12 or above
          • FortiOS version 6.4.13 or above
          • FortiOS version 6.2.14 or above
          • FortiOS version 6.0.17 or above

          Solace Cyber can support your efforts in upgrading to the latest software versions. Additionally, our cyber security specialists can conduct forensic analysis to detect and determine the cause of a security incident and support recovery plans.

          Get help with a VPN vulnerability

          Solace Cyber offers expert assistance in managing a VPN exploitation.

            Zero Day Exploit
            CVE-2023-34362

            Cyber Security Alert: MOVEit Transfer Vulnerability

            The MOVEit transfer application used to transfer files has a zero-day vulnerability in the form of an SQL injection vulnerability.

            The impact is still yet to be fully materialised.

            Threat Name: CVE-2023-34362

            Risk Factor: High

            Date: May 2023


            Solace Cyber security specialists can provide technical guidance for assessing a potential supply chain risk

            What we know about the MOVEit Transfer vulnerability

            The MOVEit Transfer application used to transfer files has a zero-day vulnerability in the form of an SQL injection vulnerability. This allows an adversary to drop a web shell on the host inside the MOVEit wwwroot directory, after which the attacker can download any file held within MOVEit and install a backdoor.

            In a known breach involving Zellis, a supplier of IT services for payroll and human resources, the company says a “small number” of organisations have been affected.

            The ransomware group “Cl0p” has posted on their ransomware site that they are exploiting the MOVEit vulnerability. Microsoft have also attributed the attack to Cl0p. The recent attacks do not show signs of encryption, although there is potential for this to occur as well as lateral spread.

            The group states on their Darknet page that they’ll post the names of the organisations compromised on June 14th 2023 if the targeted organisation hasn’t already contacted them. In the past 24 hours the BBC, Boots and British Airways have confirmed they’ve been impacted.

            The UK’s National Cyber Security Centre said it was “monitoring the situation” and urged organisations using the compromised software to carry out security updates. As of today, results from internet reconnaissance show that there are 127 instances of the MOVEit Transfer application in the UK and 1853 in the US.

            What’s the impact of the zero-day exploit?

            Due to the growing number of compromised organisations and the current supply chain spread, the impact has yet to fully materialise.

            Organisations without the vendor’s latest patch against CVE-2023-34362 should assume breach and conduct investigative and remediation efforts where the service is publicly accessible.

            Solace Cyber recommendations

            Where applicable we recommend organisations:

            1. Disconnect MOVEit Transfer servers from the internet
            2. Search for indicators of compromise
            3. Rotate credentials for Azure storage keys / Rotate any other SQL credentials
            4. Perform a forensics investigation of your affected servers
            5. Restore and rebuild from a backup of the system’s last known good state
            6. Apply the patch
            7. Continuously monitor all systems

            Solace Cyber is here to help with technical guidance to assess a potential supply chain risk or give further support to the recommendations above.

            Speak to a cyber security specialist

            Solace Cyber offers expert assistance in managing potential supply chain risks.

              Zero Day Exploit
              CVE-2023-23397

              Critical Vulnerability for Microsoft Outlook

              Microsoft Outlook has a critical vulnerability, rated 9.8 (CVSSv3), that requires zero user interaction to succeed.

              Microsoft has released a patch for Outlook.

              Threat Name: CVE-2023-23397

              Risk Factor: Critical

              Date: April 2023


              Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis

              What we know so far about Microsoft Outlook zero day exploit

              The vulnerability has been exploited by the threat group APT28, also known as Fancy Bear, Sofacy, and STRONTIUM since April 2022.

              It was initially reported to Microsoft by the Ukrainian CERT. According to Microsoft, “a Russia-based threat actor” exploited the vulnerability in targeted attacks against several European organizations in government, transportation, energy, and military sectors.

              Currently 15 organisations are believed to have been targeted or breached using CVE-2023-23397.

              Solace Cyber Head of Incident Response believes with high certainty that this particular vulnerability will be used by other threat actors – equating to a vast quantity of attacks in the coming days to weeks.

              As of 16/03/2023 proof of concept code has been developed by security researchers and it is likely to be used in subsequent attacks by other threat actors.

              How Zero Day Exploit CVE-2023-23397 works

              The attacker sends an Outlook note or task to the victim, triggering the notification sound file mechanism, which sends an NTLM negotiation request to an attacker-controlled SMB share. The threat actors accomplish this using extended MAPI properties that contain UNC paths. The vulnerability can be exploited with a simple, specially crafted email, even if the victim doesn’t open the item.

              However, it’s worth noting that this vulnerability cannot be exploited with Outlook for iOS, Mac or Android. It does affect all currently supported Windows versions of Outlook.

              Who is at risk from the Microsoft Outlook Zero Day Vulnerability

              • Organisations that have on-premises domain controllers and use Outlook.
              • Organisations that use Azure AD only and have no on-premises domain controllers are protected.

              Note: Those at a higher risk include remote workers due to home firewalls that do not block SMB traffic.

              Solace Cyber Recommendations to mitigate risk

              1. Immediately patch all Outlook clients to the latest available version (Microsoft released the required software update this Tuesday).

              This can be done by emailing all end users to advise a manual update of Microsoft Office (click-to-run) or by updating via alternative methods. If you require assistance with auto-patching, Solace Cyber can assist.

              • Launch any Office application: Microsoft Outlook, Word, Excel or PowerPoint.
              • Select File > Office Account.
              • Select Update Options > Update Now.
              • Allow the update process to complete (approximate time to complete: < 15 mins).

              2. Additionally, organisations are strongly advised to run Microsoft’s script to look for signs of compromise in users’ mailboxes.

              Preferably this is run in audit mode only so that forensic data can be reviewed. If the script produces results, it is recommended that you review the UNC paths in the Outlook items to ensure no exploitation has occurred.

              3. Ensure SMB outbound connections are blocked on your organisation’s firewall.

              Speak to a cyber security specialist

              Solace Global can conduct forensic audits and patching to secure your estate from Microsoft Outlook zero-day vulnerability

                Confirmed Zero-Day vulnerabilities in Microsoft Exchange Server

                Cyber security update: Confirmed Zero-Day vulnerabilities in Microsoft Exchange Server

                As of 4th October 2022, Microsoft have confirmed that two Zero-day vulnerabilities affect Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Microsoft have stated that Exchange Online customers do not need to take any action, however if you have a Hybrid Exchange infrastructure this advice still applies.

                Further updates and details on the potential vulnerability can be found here

                In addition to Microsoft guidance, Solace Cyber recommend that the mitigation be further tightened by altering the URL block string:

                .*autodiscover\.json.*Powershell.*

                Solace Cyber are offering an initial consultation to determine if a compromise has already occurred and can action any implementation required to secure your operations.

                This update is correct as of 12.23 GMT on 4th October 2022. The situation continues to develop rapidly, so please contact the team for an initial conversation with the latest advice.

                Determine if you have been affected by the Microsoft Exchange vulnerability

                Receive a free initial consultation to determine if a compromise has already occurred; we can then action any implementation required to secure your operations.