A security researcher who identified holes in SCADA software used by utilities in China has issued a new warning to that country’s CERT about insecure Web infrastructure, including an e-mail server that allows any Web user to create their own Chinese government mail account.
Dillon Beresford, a security researcher at NSS Labs, notified China’s Computer Emergency Response Team (CERT) on Wednesday about a hole in the mail server for Guizhou Province that allows any user to create a new mail account and log in to the Provincial government’s mail server. The critical hole is just one example of what Beresford said is a public sector Web infrastructure that is rife with vulnerable and insecure applications, despite China’s popular reputation as an aggressor in the arena of cyber espionage and cyber warfare.
The vulnerable e-mail server doesn’t require users to authenticate to it with a user name and password and lacks proper access controls, Beresford wrote in the e-mail, which was shared with Threatpost. Threatpost verified that the script allows unauthenticated users to create e-mail accounts for the Internet domain for Guizhou Province, which is located in southwestern China, one of the country’s coal-producing regions.
“The ramifications behind the security hole are extremely serious,” he said in an e-mail addressed to China’s CERT and official email addresses for the province. “An attacker could represent themselves as an official from the Chinese Government and use the accounts to socially engineer and attack other Government workers in the People’s Republic of China,” Beresford wrote.
A moderately sophisticated user could also leverage access to the Webmail server to escalate their privileges. Beresford confirmed that the server in question was vulnerable to SQL injection attacks that could give a hacker access to other e-mail accounts, as well.
This is just the latest vulnerability Beresford has discovered in critical infrastructure in China. In January, Beresford publicized what he said were serious flaws in industrial automation software by KingView that is used widely within China.
Beresford said he discovered the hidden registration pages while doing research. “They had no proper access control.” Beresford tried to contact the individual responsible for the domain, but that e-mail bounced, prompting him to escalate the issue to China’s CERT. The danger, he said, is that casual Internet users could create email accounts purporting to be Chinese officials, then use those in spear phishing attacks against other governments or private firms.
The U.S. media has, for months, raised alarms about what are believed to be Chinese government-sponsored attacks on vulnerable government and private sector networks in the U.S. Most recently, Reuters cited documents provided to Wikileaks and confidential State Department sources in describing a far-flung cyber espionage program against U.S. targets by the PRC dubbed “Byzantine Hades.”
Despite the impression that the U.S. is a helpless victim of Chinese cyber intrusions, Beresford said that China’s computer defenses don’t seem to be any more secure – and in fact, many are trivial to exploit, by Western standards.
“It’s safe to say that these government sites aren’t using Joomla,” he said, referring to the open source content management system. “They’re using software developed in house, in China, and it’s very, very vulnerable,” he said.
That was the case with the vulnerabilities in Chinese SCADA systems. Ultimately, China’s CERT admitted that it missed a crucial e-mail from Beresford identifying that hole. The organization promised to revamp its reporting procedures so e-mails received off hours are not missed.