B.C. government email servers infected by malware


      You know those emails from your bank asking you to click on a link going to a suspicious-looking domain?

      Apparently, even people who work for the B.C. government can be fooled by these kinds of things too.

      Check out the statement just issued by Bette-Jo Hughes, chief information officer at the Ministry of Technology, Innovation and Citizens' Services:

      This morning a computer virus caused by a malicious file attachment has infected the government's email servers. As soon as we became aware of the issue, we took immediate steps to mitigate the exposure to the government network and protect against the loss of information.

      Government takes this matter very seriously. As a precaution, we have temporarily disabled our email servers while we work with our vendors to resolve the issue.

      Protection of our data and networks is a top priority and we are working with our vendors to remove and secure the e-mail system as quickly as possible.

      This might not be the end of this story. Stay tuned.

Comments (9)

      How does an email infect an email SERVER?

      Dec 19, 2014 at 3:54am

      That's got me baffled - anyone care to enlighten? (I assume the answer is: "Microsoft, duh".)

      Also curious, by running:

      dig -t any gov.bc.ca | grep MX

      we can see their email server (no fall-back) is "inbound.smtp.gov.bc.ca".

      When running

      telnet inbound.smtp.gov.bc.ca 25

      I get it identifying itself as ESMTP GEMS.

      What SMTP server is that? I don't recognize it.

      @How does an email infect an email SERVER?

      Dec 19, 2014 at 9:55am

Port 25 has been blocked in gov agencies for a while now.

      And it's because of malicious software.

      Port 25 open - try it

      Dec 19, 2014 at 11:12am

      I found it was open after this story went up, as shown by the telnet command to port 25 in comment #1.

      It's handy to have it open to ... receive email.

      And there are lots of ways to protect the SMTP daemon: SELinux, grey listing, fail2ban, and of course, such as:

      mynetworks,
      smtpd_recipient_restrictions,
      ...

      They must be a Microsoft shop is my only guess.

      Anyway, port 25 is open as of right now:
      <code>
      telnet inbound.smtp.gov.bc.ca 25
      Trying 142.32.11.121...
      Connected to inbound.smtp.gov.bc.ca.
      Escape character is '^]'.
      220 birch.itsd.gov.bc.ca ESMTP GEMS Fri, 19 Dec 2014 11:11:06 -0800
      </code>
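The comment above names Postfix settings (mynetworks, smtpd_recipient_restrictions) as ways to protect an SMTP daemon. As an added illustration, not from the page or any commenter, here is a main.cf fragment showing a permissive setting next to its hardened form; the 192.0.2.0/24 range, the 192.0.2.10 relay host and the greylisting policy port are assumed values.

```ini
# Added example (hypothetical Postfix main.cf fragment), not the B.C. government's config.

# Weak: trusting the whole office range means any infected workstation
# on it can push mail through this server unchallenged.
#mynetworks = 127.0.0.0/8 192.0.2.0/24

# Hardened: only loopback and the one host that legitimately submits
# mail may relay; everything else is treated as the outside world.
mynetworks = 127.0.0.0/8 [::1]/128 192.0.2.10/32

# Evaluated at RCPT TO, top to bottom. reject_unauth_destination is what
# prevents an open relay; the policy service line is greylisting
# (postgrey's default port, assumed here).
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    check_policy_service inet:127.0.0.1:10023

# The sendmail HELP output quoted further down advertises VRFY and EXPN;
# the Postfix equivalent is to turn address probing off outright.
disable_vrfy_command = yes
smtpd_helo_required = yes
```

Check the result with `postconf -n` and by attempting to relay to a foreign domain from an outside address; a correctly restricted server answers 554 Relay access denied.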

      Port 25 is to send..

      Dec 19, 2014 at 12:52pm

      Not receive email. 110 is to receive ;)

      Port 25 is SMTP: Send and receive

      Dec 19, 2014 at 4:35pm

      Port 25 is the port on which they also *receive* their email messages from, say, Gmail.

      110 is POP3, for stand-alone email *clients* to connect to in order to receive messages.

      The gov't SMTP server on port 25 is also receiving their email from outside domains.

      Anyway, this comment seems too coincidental to be a coincidence:
      http://it.slashdot.org/comments.pl?sid=6451915&cid=48637053

      <blockquote>The organization I work for is a contractor for the government of a North American jurisdiction, and yesterday morning I started getting reports that some sort of virus-laden emails were flowing out of this government's networks.</blockquote>

      They use sendmail

      Dec 19, 2014 at 6:10pm

      <code>
      telnet inbound.smtp.gov.bc.ca 25
      Trying 142.32.11.122...
      Connected to inbound.smtp.gov.bc.ca.
      Escape character is '^]'.
      220 spruce.itsd.gov.bc.ca ESMTP GEMS Fri, 19 Dec 2014 18:07:06 -0800
      helo straight.com
      250 spruce.itsd.gov.bc.ca Hello 1.2.3.4.cable.teksavvy.com [1.2.3.4] (may be forged), pleased to meet you
      help
      214-2.0.0 This is sendmail
      214-2.0.0 Topics:
      214-2.0.0 HELO EHLO MAIL RCPT DATA
      214-2.0.0 RSET NOOP QUIT HELP VRFY
      214-2.0.0 EXPN VERB ETRN DSN AUTH
      214-2.0.0 STARTTLS
      214-2.0.0 For more info use "HELP <topic>".
      214-2.0.0 To report bugs in the implementation see
      214-2.0.0 http://www.sendmail.org/email-addresses.html
      214-2.0.0 For local information send email to Postmaster at your site.
      214 2.0.0 End of HELP info
      </code>

      I'm guessing their workstations are infected, <b>not</b> their email servers.

      Security 101

      Dec 20, 2014 at 1:02pm

Why would anyone bother targeting the BC Government email servers? That's a useless target.

      Most likely this is Malware Spam that is generally sent out and someone opened it thus infecting their workstation.

      TCO - Total Cost of Ownership

      Dec 20, 2014 at 4:33pm

      <blockquote>Most likely this is Malware Spam that is generally sent out and <b>someone opened it thus infecting their workstation</b>.</blockquote>
      Very likely.

      And our tax money is spent on this software, with upgrades every ? 1-3 years ?

      And it can get "owned" with clicking on an attachment. Sheesh, talk about "unsafe at any speed".

      BC should be like Munich and start a switch to open standards / open source software.

      Any customized 3rd party software can be built / rebuilt right here in BC. It's good for the economy.

      Plus, while it's not something the government is good at, they need to be thinking long term. i.e. if someone needs to access a document from 1997 (or 2015) in, say, 2035 - does anyone believe MS Office will support today's formats?

      They change file formats a couple times a decade just to force upgrades to keep profits up.

      Save in ODT / ODS (Open Document Text | Spreadsheet) and guarantee future compatibility!

      fnord

      Dec 20, 2014 at 5:43pm

Force a bounce and you'll see sendmail is only the MX; the backends are MS Exchange.