The email servers of the FBI were hacked to distribute spam email impersonating the Department of Homeland Security (DHS) warnings of fake sophisticated chain attacks from an advanced threat actor. The message tells the recipients that their network has been breached and that the threat actor has stolen their data.
“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord” reads the message.
Curiously, the fake emails claim that the attack was carried out by a threat actor known as Vinny Troia, who but Troia i is the head of security research of threat intelligence firms NightLion and Shadowbyte.
The international nonprofit organization Spamhaus Project that monitors spam campaigns warned of emails that purport to come from the FBI/DHS. The fake warnings are apparently being sent to addresses scraped from ARIN database.
The fake emails were sent from the IP address 153.31.119.142 (mx-east-ic.fbi.gov), the sender appears to be the Federal Bureau of Investigation’s Law Enforcement Enterprise Portal (LEEP) ([email protected]).
Vinny Troia blamed a threat actor known as “pompomourin,” as the author of the attack.
On November 14, the FBI published an update following the initial statement on the incident involving fake emails:
“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.” reads the statement.
The popular investigator Brian Krebs interviewed Pompompurin who explained that the hack was done to point out a glaring vulnerability in the FBI’s system.
“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” Pompompurin told Krebs. “And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”
“Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request,” Pompompurin added. “This post request includes the parameters for the email subject and body content.”
Pompompurin used a script to replace those parameters with his own message subject and body, and automated the sending of the hoax message to thousands of email addresses.
“Needless to say, this is a horrible thing to be seeing on any website,” Pompompurin added. “I’ve seen it a few times before, but never on a government website, let alone one managed by the FBI.”
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, FBI)
[adrotate banner=”5″]
[adrotate banner=”13″]