SecurityWeek

Cloud Security

Congress Blocks Yahoo Mail and Google Appspot

Congress is tightening security by controlling its users’ access to certain cloud services. This includes blocking Yahoo Mail and applications running on Google’s appspot.com domain.

A letter from IT staff to ‘all House staff’ dated 30 April warns of an increase in phishing attacks aimed at delivering ransomware. Obtained by Gizmodo the letter goes on to say, “The House Information Security Office is taking a number of steps to address this specific attack. As part of that effort, we will be blocking access to YahooMail on the House Network until further notice.”

The ransomware is delivered as zipped .js attachments in emails that appear to come from known senders, and primarily via Yahoo Mail.
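The delivery mechanism the letter describes (a script file wrapped in a zip archive, arriving by email) is easy to catch at the mail gateway if the check looks inside the archive rather than at the declared filename or MIME type. The following is an added example written for this page, not code from the House IT office or from SecurityWeek: it parses a message, identifies zip attachments by their magic bytes, and lists any script-type members, recursing into nested zips up to a fixed depth. The sample message, the sender addresses, the extension list and the size limits are all constructed assumptions for the demonstration.

```python
"""Flag emails carrying zipped script attachments (.js and similar).

Added example for this page; not the House network's filter or the
article's code. The sample message is constructed inline so it runs offline.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that a Windows desktop executes on double-click.
# Assumption: this list is the editor's, not one taken from the article.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1")
ZIP_MAGIC = b"PK\x03\x04"
MAX_NESTED_BYTES = 10 * 1024 * 1024  # refuse to unpack huge inner archives (zip-bomb guard)
MAX_DEPTH = 3                        # how many zip-in-zip layers to descend


def suspicious_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return member names ending in a script extension, including inside nested zips.

    Raises zipfile.BadZipFile if zip_bytes is not a valid archive.
    """
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if lower.endswith(SCRIPT_EXTENSIONS):
                hits.append(info.filename)
            elif lower.endswith(".zip") and depth < MAX_DEPTH and info.file_size <= MAX_NESTED_BYTES:
                try:
                    inner = suspicious_members(zf.read(info), depth + 1)
                except zipfile.BadZipFile:
                    continue
                hits.extend(f"{info.filename}/{m}" for m in inner)
    return hits


def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Return (attachment filename, script members) for every zipped-script attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, list[str]]] = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        # Trust the bytes, not the sender-controlled filename or Content-Type:
        # a .zip renamed to .dat still opens in Explorer.
        if not payload or not payload.startswith(ZIP_MAGIC):
            continue
        try:
            members = suspicious_members(payload)
        except zipfile.BadZipFile:
            continue
        if members:
            findings.append((part.get_filename() or "<unnamed>", members))
    return findings


def build_sample_message(with_script: bool = True) -> bytes:
    """Construct a phishing-style email (test data, not a real sample).

    with_script=True  -> invoice.zip contains a .js file and a .txt file.
    with_script=False -> invoice.zip contains only the .txt file.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_script:
            zf.writestr("invoice_0430.js", "// placeholder body, not malware\n")
        zf.writestr("readme.txt", "harmless text\n")
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"  # spoofed "known sender"; assumed address
    msg["To"] = "staffer@example.gov"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, members in scan_message(build_sample_message()):
        print(f"QUARANTINE {filename}: script files inside archive: {members}")
```

In a real gateway this check sits beside, not instead of, sender-reputation and attachment sandboxing; the point of looking at the magic bytes and the archive contents is that both the outer filename and the MIME type are chosen by the attacker.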

“The problem with many phishing attacks,” explains Spamhaus Commercial Director, Simon Forster, “is that they can be, and frequently are, initiated from a compromised email account at a big email provider. Compromised, legitimate email accounts make the phishing problem more difficult to address. Few organizations receiving email have the moxie to block all email from a large freemail provider, but,” he told SecurityWeek, “effectively that’s the final solution to mass phishing attacks from compromised accounts.”

The House letter calls on staff to “Please do your part to help us address this recent attack and protect the House Network going forward by following proper cyber practices at all times.”

Nothing in this letter suggests whether any phishing attempts were successful, nor what type of ransomware was being used. However, a separate report from Reuters yesterday adds a little detail: “Two individuals fell victim to ransomware by clicking on infected Word document email attachments, sources familiar with the hacking said. The infected files were able to be recovered without paying any ransom, the sources said.”

There is no indication on what ransomware was involved, how it was contained, nor the manner in which files were recovered. If it was constrained to the individual workstations concerned, then recovery could have been effected from back-ups. It is also possible that the IT staff were able to crack the encryption, depending on what ransomware was used – but this is less likely.

The Reuters report claims that the House is also blocking users’ access to Google’s cloud based appspot. “We began blocking appspot.com on May 3 in response to indicators that appspot.com was potentially still hosting a remote access trojan named BLT that has been there since June 2015,” one of the sources, a House staffer with direct knowledge of the situation, told Reuters.

The FBI had warned, “Trojan.BLT will test network connectivity by establishing a connection with a legitimate website. This malware is capable of bypassing dyndns categorization by using a proxy through Google AppProxy’s hosted on appspot domains.”

It would seem that there is no blanket ban on access to webmail or cloud apps on the House network. Many organizations seek to keep such traffic within a separate ‘guest’ network firewalled away from the ‘corporate’ network. “Having a guest network is a nice way to allow users to access non approved services,” Aftab Afzal, SVP at NSFOCUS IB, told SecurityWeek.

F-Secure’s Sean Sullivan believes that this is the official set-up. “Congressional staff need to go to another building and/or computer for campaign related activities,” he told SecurityWeek. “Government machines are used for government business only. I suspect access to Google and Yahoo! mail is done by staffers seeking to communicate with family members – personal business during a break.”

The risk arises, said Rich Barger, chief intelligence officer at ThreatConnect, “because lawmakers and their staff are introducing risks – such as ransomware – from their personal Google and Yahoo accounts into U.S. House of Representatives infrastructure.” Adversaries are keen on targeting the vulnerable user rather than the vulnerable asset. “Our nomadic usage of personal email services can unknowingly introduce risks into our employer’s enterprise,” he added.

“If webmail or web services were being used as business tools,” commented Afzal, “then separating them on a guest network would have been hard to manage and would have been counterproductive. It is better to enable and empower people to use latest tools by having a list of approved services / applications that is constantly reviewed and revised in line with current vulnerabilities. From the [Reuters] report this is exactly what happened and is the best approach.”

Both Yahoo and Google have said they are working with the House to resolve the issues.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
