FBI email server hacked, fake cyberattack warnings sent to thousands targeting respected security expert


Powered by

Get the latest BPR news delivered free to your inbox daily. SIGN UP HERE


Hackers reportedly gained access to and used an internal FBI email server on Saturday to transmit emails to thousands of organizations warning that an otherwise well respected cybersecurity researcher was trying to commit an “attack” on their own servers.

According to The Spamhaus Project, an internationally recognized group that fights computer crime, the emails came directly from [email protected] — a legitimate FBI account that’s reportedly part of the bureau’s Law Enforcement Enterprise Portal (LEEP).

But despite an FBI email address, the hackers pretended to be affiliated with the U.S. Department of Homeland Security.

“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators,” the emails read.

We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe, U.S. Department of Homeland Security.”

A screenshot of the emails may be seen in the tweets below posted by Spamhaus:

In the tweets, Spamhaus makes it clear that the emails were “fake,” though the organization stresses that they were sent from legitimate “infrastructure that is owned by the FBI/DHS.”

It further notes that the addresses of the recipients were scraped from the American Registry for Internet Numbers database. ARIN is essentially an Internet phone book, except it uses Internet Protocol (IP) addresses instead of phone numbers.

The FBI for its part released a statement early Saturday evening acknowledging the attack but stressing that “[t]he impacted hardware was taken offline quickly upon discovery of the issue.”

The man mentioned in the emails, Vinny Troia, is in fact a well-regarded cybersecurity expert, and this isn’t his first rodeo. Hackers previously came after him last year after he published a book exposing the innerworkings of their operations.

“A hacker claims to have breached the backend servers belonging to a US cyber-security firm and stolen information from the company’s ‘data leak detection’ service. The hacker says the stolen data includes more than 8,200 databases containing the information of billions of users that leaked from other companies during past security breaches,” ZDNet reported at the time.

“The databases have been collected inside DataViper, a data leak monitoring service managed by Vinny Troia, the security researcher behind Night Lion Security, a US-based cyber-security firm.”

Spamhaus believes the latest attack may have been motivated by a desire to assassinate Troia’s character.

As to who orchestrated the attack, Troia believes it’s the mastermind behind the very same hacker group — “the extortion gang TheDarkOverlord” — that the fake emails claimed that he himself was affiliated with.

That mastermind goes by the Twitter alias Pompompurin:

“My best guess is Pompompurin and his band of minions [are behind this incident]. The last time, they hacked the National Center for Missing Children’s site blog and put up a post about me being a pedophile,” he said in a statement to Bleeping Computer.

That wasn’t very nice of them. And indeed, all the current evidence does point to Pompompurin again being the perpetrator, including this:

“‘[P]ompompurin’ contacted Troia a few hours before the spam email campaigns started to simply say ‘enjoy,’ as a warning that something involving the researcher was about to happen. Troia said that ‘pompompurin’ messages him every time they start an attack to discredit the researcher,” according to Bleeping Computer.

Engadget notes that these sorts of feuds between cybersecurity researchers and the hackers they expose is nothing new: “In March, attackers exploiting Microsoft Exchange servers tried to implicate security journalist Brian Krebs using a rogue domain.”

Regarding Troia, he’s popular enough that he’s even made appearances on Newsmax:

What is definitely “rare,” Engadget continues, is hackers using “real domains from a government agency like the FBI as part of their campaign.”

But it’s a double-edged sword, as the FBI is a federal organization that’s not known for its congenial temperament.

“While [this strategy] may be more effective than usual (the FBI was swamped with calls from anxious IT administrators), it might also prompt a particularly swift response — law enforcement won’t take kindly to being a victim,” Engadget notes.

Hopefully, Pompompurin will “enjoy” the newfound attention from America’s leading law enforcement agency …

Vivek Saxena
Latest posts by Vivek Saxena (see all)






Source link

Leave a Reply

Your email address will not be published. Required fields are marked *