FBI email server hacked, distributes fake cyberattack warnings

Sicherheit (Pexels, allgemeine Nutzung)[German]It's been going around Twitter for a few hours now: the Federal Bureau of Investigation's (FBI) email servers were hacked. The attackers then sent out hundreds of thousands of urgent warnings about alleged cyberattacks to numerous recipients. Administrators struggled to deal with these emails, which carried the FBI as the sender but were easily identifiable as SPAM. Here's a brief overview.


Advertising

It's simply unbelievable what was going on in the U.S. early Saturday. Administrators were battling hundreds of mails from the Federal Bureau of Investigation (FBI) warning of a "sophisticated chain attack" by an Advanced Thread Actor. The thread actor's name was Vinny Troia, Troia is the head of security research at dark web intelligence companies NightLion and Shadowbyte – someone must have had a real sense of humor.

I had seen first reports during Saturday (here in Europe), as US security blogger Brian Krebs had received such an email, which he shows in the following tweet.

FBI email server hacked

The non-profit organization SpamHaus confirms in a tweet that the emails really come from the FBI/DHS (Federal Bureau of Investigation/ Department of Homeland Security). But the emails are all fakes. SpamHaus noted that tens of thousands of these messages were sent in two waves, but believes this is only a small part of the campaign. The following tweet assumes more than 100,000 fake emails has been send, and shows an excerpt of one such email.

Fake warning from FBI mail server


Advertising

The message text reads:

Our intelligence monitoring indicates exfiltration of several of your 
virtualized clusters in a sophisticated chain attack. We tried to
blackhole the transit nodes used by this advanced persistent threat
actor, however there is a huge chance he will modify his attack with
fastflux technologies, which he proxies trough multiple global 
accelerators. We identified the threat actor to be Vinny Troia,
whom is believed to be affiliated with the extortion gang 
TheDarkOverlord, We highly recommend you to check your systems 
and IDS monitoring. Beware this threat actor is currently working 
under inspection of the NCCIC, as we are dependent on some of his 
intelligence research we can not interfere physically within 4 hours, 
which could be enough time to cause severe damage to your infrastructure.

Stay safe,

U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group

Meanwhile, the FBI and CISA posted the following tweet with a link to a related statement on the incident. The statement reads:

FBI statement about email server hack

November 13, 2021

FBI Statement on Incident Involving Fake Emails

The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account. This is an ongoing situation, and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to ic3.gov or cisa.gov.

The colleagues from Bleeping Computer have now published this article with some details. It is suspected that they probably wanted to harm the security researcher Vinny Troia.

Alleged hacker angry about FBI coding hole

Security blogger Brian Krebs has been contacted by someone with the alias pompompurin, who claims to be the author of the hack. He told Krebs that the hack was carried out to point out a glaring vulnerability in the FBI's system.

According to Pompompurin, the Law Enforcement Enterprise Portal (LEEP) provided illegal access to the FBI's email system. The FBI describes the LEEP as a gateway that provides law enforcement, intelligence groups and criminal justice agencies access to useful resources.

Until Saturday's incident, anyone could apply for an account through the LEEP portal. When registering, the applicant must provide personal information and contact information for their organization. In doing so, the applicant receives an email confirmation from eims@ic.fbi.gov with a unique passcode . This is to be able to confirm that the applicant can receive emails under the domain in question.

According to Pompompurin, the FBI's own website shared this one-time passcode in the website's HTML code. To Krebs on Security, Pompurin stated that "they" were able to send themselves an email from eims@ic.fbi.gov by editing the request sent to their browser and changing the text in the "Subject" and "Text Content" fields of the message. Krebs quotes Pompompurin:

If you requested the confirmation code, it was generated client-side and then sent to you via a POST request. This POST request contains the parameters for the subject and content of the email.

Pompompurin developed a simple script that replaced the parameters with his own message subject and text and automated the sending of the fake message to thousands of email addresses. To this, the hacker says:

I could have used this 1000% to send even more legitimate-looking emails, trick companies into handing over data, etc. And no one responsible would have ever discovered this because of the notice the FBI posted on its website.

Meanwhile, the LEEP portal's confirm feature has been disabled. Details of the above have been documented by Brian Krebs in this article above with screenshots. The FBI has confirmed a misconfigured software allowed sending the fake emails, as you can read in a tweet from Bleeping Computer.

FBI statement


Advertising

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).