FBI system hacked to send “urgent” alert email about fake cyberattacks


Federal Bureau of Investigation (FBI) email servers were hacked to send spam emails that impersonate FBI warnings, telling recipients that their network was hacked and their data stolen.

The emails pretended to warn of a “sophisticated chain attack” by a known advanced threat actor, whom they identify as Vinny Troia. Troia is the head of security research at the dark web intelligence firms NightLion and Shadowbyte.

The nonprofit Spamhaus spam-monitoring organization noted that tens of thousands of these messages were delivered in two waves early this morning, and believes this is only a small part of the campaign.

A legitimate address delivering fake content

Researchers at the Spamhaus project, an international nonprofit that tracks spam and associated cyber threats (phishing, botnets, malware), observed two waves of this campaign, one at 5am (UTC) and a second two hours later.

The messages came from a legitimate email address – [email protected] – belonging to the FBI’s Law Enforcement Enterprise Portal (LEEP), and carried the subject “Urgent: Threat actor in systems.”

All emails came from the FBI’s IP address 153.31.119.142 (mx-east-ic.fbi.gov), Spamhaus told us.

Fake cyber attack alert from legitimate FBI email address

The message warns that a threat actor has been detected in the recipient network and has stolen data from the devices.

Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.


Stay safe,

U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group

The Spamhaus Project told BleepingComputer that the fake emails have reached at least 100,000 mailboxes. That number is a very conservative estimate, however, as researchers believe “the campaign was potentially much, much bigger.”

In a tweet today, the nonprofit said the recipient addresses were scraped from the American Registry for Internet Numbers (ARIN) database.

While this sounds like a joke, there is no doubt that the emails came from the FBI’s servers: the message headers show that their origin is verified by a DomainKeys Identified Mail (DKIM) signature for the fbi.gov domain.

Received: from mx-east-ic.fbi.gov ([153.31.119.142]:33505 helo=mx-east.fbi.gov)
envelope-from 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=fbi.gov; s=cjis; t=1636779463; x=1668315463;
  h=date:from:to:message-id:subject:mime-version;
  bh=UlyBPHe3aElw3Vfnk/pqYLsBAoJGDFR1NyZFcSfpl5g=;
  b=N3YzXzJEbQCTJGh8qqjkYu/A5DTE7yoloPgO0r84N+Bm2ae6f+SxzsEq
   nbjnF2hC0WtiVIMMUVGzxWSiZjq1flEygQGI/JVjjk/tgVVPO5BcX4Os4
   vIeg2pT+r/TLTgq4XZDIfGXa0wLKRAi8+e/Qtcc0qYNuTINJDuVxkGNUD
   62DNKYw5uq/YHyxw+nl4XQwUNmQCcT5SIhebDEODaZq2oVHJeO5shrN42
   urRJ40Pt9EGcRuzNoimtUtDYfiz3Ddf6vkFF8YTBZr5pWDJ6v22oy4mNK
   F8HINSI9+7LPX/5Td1y7uErbGvgAya5MId02w9r/p3GsHJgSFalgIn+uY
   Q==;
X-IronPort-AV: E=McAfee;i="6200,9189,10166"; a="4964109"
X-IronPort-AV: E=Sophos;i="5.87,231,1631577600"; d="scan'208";a="4964109"
Received: from dap00025.str0.eims.cjis ([10.67.35.50])
  by wvadc-dmz-pmo003-fbi.enet.cjis with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Nov 2021 04:57:41 +0000
Received: from dap00040.str0.eims.cjis (dap00040.str0.eims.cjis [10.66.2.72])
  by dap00025.str0.eims.cjis (8.14.4/8.13.8) with ESMTP id 1AD4vf5M029322
  for ; Fri, 12 Nov 2021 23:57:41 -0500
Date: Fri, 12 Nov 2021 23:57:41 -0500 (EST)
From: [email protected]

The published DMARC record for the domain sets a reject policy for mail that fails authentication:

v=DMARC1; p=reject; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected]; pct=100

The headers also show the following internal FBI servers that processed the emails:

  • dap00025.str0.eims.cjis
  • wvadc-dmz-pmo003-fbi.enet.cjis
  • dap00040.str0.eims.cjis
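To make concrete what the headers above do and do not prove, here is an added example (not from the article, Spamhaus or the FBI) that unfolds the quoted headers, parses the DKIM-Signature tags and the DMARC record, and checks DKIM identifier alignment the way a DMARC evaluator would: the From domain ic.fbi.gov aligns with d=fbi.gov under the default relaxed mode, so a p=reject policy is no defence against mail that genuinely left the domain's own infrastructure. The From local part and the DMARC report address are placeholders, and the b= value is truncated.

```python
import re

# Constructed excerpt of the headers quoted above: the From local part is a placeholder
# (the page only shows the @ic.fbi.gov domain) and the b= signature value is truncated.
SAMPLE_HEADERS = """\
Received: from mx-east-ic.fbi.gov ([153.31.119.142]:33505 helo=mx-east.fbi.gov)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=fbi.gov; s=cjis; t=1636779463; x=1668315463;
  h=date:from:to:message-id:subject:mime-version;
  bh=UlyBPHe3aElw3Vfnk/pqYLsBAoJGDFR1NyZFcSfpl5g=;
  b=N3YzXzJEbQCTJGh8qqjkYu;
From: sender-placeholder@ic.fbi.gov
"""
# The page's DMARC record with its report addresses replaced by a placeholder.
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:reports@placeholder.invalid; pct=100"

def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines; return [(name, value), ...] in order."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:          # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def parse_tag_list(value):
    """Parse 'tag=value; tag=value' (the syntax shared by DKIM-Signature and DMARC)."""
    tags = {}
    for part in value.split(";"):
        tag, _, val = part.partition("=")
        if tag.strip():
            tags[tag.strip()] = re.sub(r"\s+", "", val)   # drop folding whitespace in values
    return tags

def org_domain(domain):
    """Organizational domain, approximated as the last two labels (exact for fbi.gov)."""
    return ".".join(domain.lower().split(".")[-2:])

def dkim_alignment(headers, dmarc_record):
    """Return (From domain, DKIM d= domain, aligned?, DMARC policy)."""
    hdr = {n.lower(): v for n, v in headers}
    from_domain = hdr["from"].rsplit("@", 1)[1].strip(" <>").lower()
    d = parse_tag_list(hdr["dkim-signature"])["d"].lower()
    dmarc = parse_tag_list(dmarc_record)
    strict = dmarc.get("adkim", "r") == "s"    # relaxed (org-domain) alignment is the default
    aligned = d == from_domain if strict else org_domain(d) == org_domain(from_domain)
    return from_domain, d, aligned, dmarc.get("p")
```

Verifying the b= signature itself needs the public key at cjis._domainkey.fbi.gov and is left out; the point is that a passing signature attests to the sending infrastructure, not to the truthfulness of the message body.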

The FBI confirmed that the contents of the emails are fake and that they were working to fix the problem as their helpdesk is inundated with calls from concerned administrators.

In a statement to BleepingComputer, the FBI said it could not share any further information due to the ongoing situation.

“The FBI and CISA are aware of this morning’s incident involving fake emails from an @ic.fbi.gov email account. This is an ongoing situation and we are unable to provide further information right now. We continue to encourage the public to pay attention to unknown senders and to urge them to report suspicious activity to www.ic3.gov or www.cisa.gov.” - FBI

Aimed at discrediting the security researcher

Whoever is behind this campaign was likely motivated to discredit Vinny Troia, the founder of the dark web intelligence firm Shadowbyte, who is listed in the message as the threat actor responsible for the fake supply chain attack.

Members of the RaidForums hacking community have a longstanding feud with Troia and commonly deface websites and perform small hacks that they blame on the security researcher.

Tweeting about this spam campaign, Vinny Troia pointed to someone known as “pompompurin” as the likely perpetrator of the attack. Troia states that this individual has been associated in the past with incidents aimed at damaging the researcher’s reputation.

Speaking with BleepingComputer, Troia said “my best guess is ‘pompomourin’ and his gang of minions [are behind this incident].”

“The last time, [pompompurin] hacked the National Center for Missing Children’s site blog and posted a post about me being a pedophile.” - Vinny Troia

This hypothesis is further supported by the fact that “pompompurin” contacted Troia a few hours before the spam campaign began simply to say “have fun”, as a warning that something involving the researcher was about to happen.

Troia said “pompompurin” sends him a message every time they start an attack meant to discredit the researcher.

Update 11/13/21: Added FBI statement.
