andrewrob

Messages: 70
Karma: 3
In the last week we have had 3 security breaches.

I have had nothing in the security logs, so whoever hacked in knew the username and password for the accounts.

They sent out 50 emails (which is the max anyone can send in an hour) all to people in that users address book. The email only contained a link to a health medicine company.

I looked up the IP addresses which were different for each user and it says it originated in the USA.

Here are the headers of the email, which give away no clues to me:

Return-Path: <ouruser<_at_>ourdomain.com>
X-Envelope-To: userinpersonsaddressbook
Received: from localhost ([98.92.151.39])
(authenticated user ouruser<_at_>ourdomain.com)
by ourserver (Kerio Connect 8.1.0)
(using TLSv1/SSLv3 with cipher AES256-SHA (256 bits))
for userinpersonsaddressbook;
Thu, 2 May 2013 01:38:38 +0100
Date: Fri, 5 Apr 2013 00:35:57 +0100
From: <ouruser<_at_>ourdomain.com>
To: <userinpersonsaddressbook>
Subject: FW:
Content-Type: text/plain;

http://www.jaok.sakura.ne.jp/92p4ad.php


Does anyone have any ideas? My initial thoughts are that the hackers have got a password from another source and then used it against our server. For example 2 of the users were dropbox users.
kadybee

Messages: 10
Karma: 0
There's been a spate of password stealing viruses/trojans doing the rounds in the past couple of months. I know they are getting the user/pass for email from computers and also try to set up keyloggers to get banking passwords etc.

The user gets infected via phishing type emails that look like legit invoices/tracking documents etc. User opens the attached exe file (thinking it's a PDF or zip).

They use the stolen mail details to send out further spam. It's very hard to pick and the first sign is usually the user complaining of their inbox filling up with bounced messages. If you see a lot of undeliverables in the mailq, stop that, figure out the user and change their password.
andrewrob

Messages: 70
Karma: 3
The weird thing is these are all Macs, which so far have been safer for these things.

That's exactly what I did, reset their passwords.

Problem is that the more this happens the more we have to keep an eye on it. If you don't pick it up quickly enough then your server gets blacklisted.
kadybee

Messages: 10
Karma: 0
As they are Macs it wouldn't be from the email sources I suggested. There are a few password stealing Mac trojans in the wild. They are generally hidden within what looks to be a legit app/program. There's plenty enough 'file sharing' and 'game hacks' etc for Macs to spread these things.

andrewrob

Messages: 70
Karma: 3
Another one just got hacked. These users are not opening any emails or clicking on anything. Could the passwords be being harvested from another online source?

Here is the latest log entry in the mail log:

[07/May/2013 09:51:18] Recv: Queue-ID: 5188c084-00005d29, Service: SMTP, From: <myuser>, To: <recipient>, Size: 471, Sender-Host: mb82336d0.tmodns.net, User: myuser, SSL: yes, Subject: FW:
[07/May/2013 09:51:19] Sent: Queue-ID: 5188c084-00005d29, Recipient: <recipient>, Result: delivered, Status: 2.0.0 , Remote-Host: 127.0.0.1
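An added detection example, not from this thread or from Kerio: it parses mail-log "Recv:" lines in the layout quoted above and flags an authenticated account that fans out small messages to many distinct recipients within a short window, which is the pattern the posters describe. The sample lines, hostnames, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches a Kerio Connect mail.log "Recv:" line in the layout quoted in the thread.
RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>\S+), Service: (?P<svc>\S+), "
    r"From: <(?P<mfrom>[^>]*)>, To: <(?P<rcpt>[^>]*)>, Size: (?P<size>\d+), "
    r"Sender-Host: (?P<host>\S+), User: (?P<user>\S+), SSL: (?P<ssl>\S+), "
    r"Subject: (?P<subject>.*)$"
)

def parse_recv(line):
    """Parse one Recv line into a dict; return None for any other log line."""
    m = RECV_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    rec["size"] = int(rec["size"])
    return rec

def find_bursts(lines, window=timedelta(minutes=10), min_rcpts=10, max_size=1000):
    """Return {user: (distinct recipients, sender hosts)} for accounts that sent
    small messages to at least min_rcpts distinct recipients inside one window."""
    by_user = defaultdict(list)
    for rec in filter(None, map(parse_recv, lines)):
        by_user[rec["user"]].append(rec)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):           # slide the window over each start
            burst = [r for r in recs[i:]
                     if r["ts"] - first["ts"] <= window and r["size"] <= max_size]
            rcpts = {r["rcpt"] for r in burst}
            if len(rcpts) >= min_rcpts:
                flagged[user] = (len(rcpts), sorted({r["host"] for r in burst}))
                break
    return flagged

# Constructed sample: 12 tiny "FW:" sends from one account in two minutes, then one normal message (hosts/addresses made up).
SAMPLE = [
    "[07/May/2013 09:%02d:%02d] Recv: Queue-ID: 5188c084-%08x, Service: SMTP, From: <myuser>, "
    "To: <contact%d@example.org>, Size: 471, Sender-Host: mb82336d0.tmodns.net, User: myuser, "
    "SSL: yes, Subject: FW:" % (51 + i // 6, (i * 10) % 60, 0x5d29 + i, i)
    for i in range(12)
] + [
    "[07/May/2013 10:15:00] Recv: Queue-ID: 5188c084-00006000, Service: SMTP, From: <alice>, "
    "To: <bob@example.org>, Size: 18230, Sender-Host: 10.0.0.5, User: alice, SSL: yes, Subject: Q2 report",
]
```

Run `find_bursts` over a real mail.log tail to get the accounts and sender hosts worth resetting and checking first; the thresholds are a starting point, not a tuned rule.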
My IT Indy

Messages: 1262
Karma: 40
This will happen if people use the same passwords for multiple services or sites.

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com
clan

Messages: 232
Karma: 21
andrewrob wrote on Tue, 07 May 2013 11:15
Another one just got hacked. These users are not opening any emails or clicking on anything. Could the passwords be being harvested from another online source?

Could this just be weak passwords? Are your users using the same passwords somewhere else? Do they access KC webmail with other clients than your Macs, maybe from home?
generic_penguin

Messages: 45
Karma: 10
I am actually getting the same problem as well, and it looks to be across multiple clients of mine, all using Kerio Mail Server. In each case I have reviewed the security.log files and can confirm that no password guessing occurred prior to the breach, thereby ruling out any "brute force, password dictionary" attacks.
In the last case of one client having 4 staff accounts breached, they were using ONLY SSL services and non-SSL services were off, which rules out "man in the middle" attacks.
In the last case of this happening the client had Sophos Antivirus running on all staff computers and no virus was picked up on these machines before or after these events. This rules out traditional "key logger" attacks on staff machines.
Passwords were a minimum of 8 characters and a combination of letters and numbers, so passwords were not weak; even if they were weak, there was no password guessing prior, so that rules that out.
In 3 of 4 breaches staff only accessed their mail from Apple computers running Apple Mail and IMAPS, and iPhones and iPads using ActiveSync. No PC was used to access emails either.
User passwords were stored using Apple's Open Directory and not local to the mail server.
In each attack the attacker only sent a small volume of SPAM emails; had the mail server been a large install with a lot of volume the attack would most likely not be spotted easily.

There looks to be a larger issue here... Kerio ?
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Kerio Connect has no access to passwords stored in Open Directory (Kerberos database). It can verify the password entered by the user but can't read it.
So I think the only way how to get user's password is to hijack the communication between the client and server (eg. if the client is using public wi-fi) or when the user is using the same email/password login for other web services.
generic_penguin

Messages: 45
Karma: 10
If you are using SSL on these services only, you can't hijack communications, correct?
The possibility does exist that all staff, independent of each other, could have been tricked into giving their password to a bogus website. But given that the people compromised in this situation were in different parts of the country, getting them all to be tricked the same way would be difficult but not impossible.

Can Kerio help here? I know that you can set up, on a per-user basis, the ability to limit services to a user, either on or off or based on IP. I note that in all these breaches they have used SMTP as the service to send out spam. Can SMTP (send email, not receive) be added to the services that can be restricted in future revisions of Kerio?

Also it would be good to have an auto-updating service, like greylisting, where IPs can be allocated to a country IP group and we could enable services per user on country location. This cannot be done at a firewall level as the SMTP service (port 25) is used for sending and receiving. The trick would be to limit only the sending of emails based on country and not the receiving, on a per-user basis.
mpermann

Messages: 96
Karma: 0
We're not using Open Directory for passwords on our setup and we've had some people that have had their accounts compromised. We don't force SSL, but that is what is bookmarked in people's browsers. Sure, it's possible people have weak passwords or are using the same password on multiple accounts. It's also possible they are using the non-secure web address. We use the web interface for accessing email. We also have people with mobile devices (iPad, iPhone, Android devices) configured to access their email accounts. Like generic_penguin, the volume of spam these compromised accounts are sending out is relatively small from what I can tell. Other times we've seen accounts hijacked it was because staff fell for phishing attempts and voluntarily gave their credentials to the spammers. These account hijackings were not preceded by any phishing attempts that we know of. We're mainly a Mac-only environment and all of our systems have Symantec Endpoint Protection installed. So trojans/viruses are the least likely cause. While our staff aren't always on our network when they use email, they are more likely than not on their home network or a school's network. While it's strange to be seeing this sort of attack, it's useful to know we're not the only ones experiencing this issue.
InterHmai

Messages: 35
Karma: 0
We had a user with their account compromised also this past weekend, in a similar fashion, spamming out about 50 emails randomly with a link to:

http://www.funtofun.co.jp/xxxxxxxxx.php

OD on OSX 10.6.8, Kerio 7.4.3 on MacOSX 10.5.8, no indication of a brute force attack. User mentioned he accessed webmail from a hotel back in Feb, and I was going to leave it at that until I saw this thread.

Can you guys who also had similar issues post your relevant server specs? Maybe it's related.


mpermann

Messages: 96
Karma: 0
Do you guys force SSL for the webmail like generic_penguin or do you allow them to access through regular http?
InterHmai

Messages: 35
Karma: 0
mpermann wrote on Tue, 07 May 2013 19:02
Do you guys force SSL for the webmail like generic_penguin or do you allow them to access through regular http?


Yeah all our connections are SSL.

Ours has the same signature as andrew's log, except ours connected from a DHCP Charter cable connection in Leeds, Alabama.


brandonh75

Messages: 48
Karma: 0
We had this happen over the weekend as well for one user. She had a weak password, so I was chalking it up to that, and it has been changed. She uses PC, Mac, and iPad outside of the office. There was no indication of password guessing, it just started. It was sent out to about a dozen addresses (both internal and external) three times over the course of a few minutes. These addresses were not in her KC account contacts list.

We have KC 7.4.2 running on Windows Server 2003 Enterprise. Non-secured connections are allowed internally, but not from outside our firewall. The IP came up as a Sprint Mobile number. We haven't used Sprint in a while.

It contained the link: http://kyokushin-aoki.sakura.ne.jp/www/xxxxxxxxx.php

One of our users (so far) clicked on the link. She said the site looked like a news site with a headline about some kind of diet. She immediately closed it. I ran a virus scan on that PC and didn't find anything.

X-Vipre-Scanned: 00D72F8C00447800D730D9
Return-Path: <sender<_at_>company.com>
X-Footer: bWFja2luLmNvbQ==
Received: from localhost ([173.132.68.95])
(authenticated user sender<_at_>company.com)
by server.company.com (Kerio Connect 7.4.2)
(using TLSv1/SSLv3 with cipher AES256-SHA (256 bits))
for recipient<_at_>company.com;
Sat, 4 May 2013 14:09:07 -0500
Date: Sun, 7 Apr 2013 19:06:49 +0100
From: <sender<_at_>company.com>
To: "Recipient" <recipient<_at_>company.com>
Subject: FW:
Content-Type: text/plain;


