Nov 15, 2021

Thousands of Emails Sent After Hacker Leverages FBI Website Vulnerability


Over the weekend, a hacker abused an FBI-operated notification server to send more than 100,000 hoax emails from an official FBI email address: eims@ic.fbi.gov.
Oddly enough, the fake email’s subject line read “Urgent: Threat actor in systems.” 
The phony email's content, however, reads like the plot of a hacking thriller, complete with rumors that Nicolas Cage could be in the starring role.
Closer inspection of the technical details points to a vulnerability in the FBI's Law Enforcement Enterprise Portal (LEEP) that gave the hacker an opening to send the emails warning of a hoax cyberattack.
The Spamhaus Project, an international organization that tracks spam and related email threats, shared this tweet, which included an image of the phony email.
The email, which contains grammatical errors and is signed by the U.S. Department of Homeland Security's Network Analysis Group with no contact information, claims that Vinny Troia, a well-known cybersecurity evangelist and white hat hacker at Night Lion Security, is responsible for a dangerous cyberattack that threatens the recipient's networks.
These emails look like this:

Sending IP: 153.31.119.142 (https://t.co/En06mMbR88)
From: eims@ic.fbi.gov
Subject: Urgent: Threat actor in systems
Here is a transcript of the email:
“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attacks with fastflux technologies, which he proxies trough multiple global accelerators.
We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDark0verLord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe.”
The domain from which the email was sent appears to be connected to the FBI's Criminal Justice Information Services (CJIS) division.
An article by Krebs on Security explores the technical details of the incident; its sources surmise the attack was carried out to expose this glaring vulnerability in the FBI's website.
“Needless to say, this [vulnerability] is a horrible thing to be seeing on any website. I’ve seen it a few times before, but never on a government website, let alone one managed by the FBI,” Pompompurin, the alleged hacker, said.
One Twitter user mused about the possibility of this incident being one big “gotcha” moment for the FBI.
Hacking an FBI app or server and sending out prank emails as the Bureau…
Like calling prison and making reservations.
Under U.S. law, hackers convicted of committing fraud or breaking into a network without authorization can face prison time, fines, or both.
Further, the email went out in the wee hours of the morning, which could have been troubling for on-call security staff, as Kevin Beaumont, Head of Security Operations Centre for Arcadia Group, pointed out.
If anybody is wondering how companies managed to think the email was real, it went out in the early hours of the morning.

Your CISO and leadership team aren't online. Incident response kicks in, RIP those on call getting the call about FBI attack notification at 2am.
In a statement released on Sunday, the FBI said its network was not compromised:
"The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners.
While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
#FBI Statement on Incident Involving Fake Emails @CISAgov https://t.co/pkF8qtAeH1
At this time, an investigation is ongoing.
In the meantime, the FBI is encouraging organizations to report any unusual activity to www.ic3.gov or www.cisa.gov.
The SecureWorld News team will continue to provide updates as the story continues to unfold.
Register to attend one of SecureWorld’s upcoming virtual conferences to learn more about cybersecurity topics related to this story.
Vinny Troia was featured on The SecureWorld Sessions podcast, discussing his research into The Dark Overlord.