Posted on November 15, 2021 at 6:21 PM
The U.S. Federal Bureau of Investigation (FBI) confirmed that an unknown group of threat actors infiltrated one of its email servers and used it to send out fake messages warning of a sophisticated chain attack.
According to the FBI, the threat actors sent the fake warning email with the subject line, “Urgent: Threat actor in the system”.
The emails appeared to come from legitimate FBI email addresses, which could easily convince a recipient.
The hackers sent out thousands of fake messages informing recipients that they had become victims of a sophisticated attack. The Spamhaus Project, an organization that investigates email spammers, first discovered the phony email campaign.
The emails falsely claim that Vinny Troia is responsible for the cyberattack and that The Dark Overlord is linked with the hacking group. The claims are false: Troia is a well-known cybersecurity researcher who operates two dark web security firms, Shadowbyte and NightLion.
The Fake Emails Were Sent To Over 10,000 Addresses
Bleeping Computer stated that the threat actors have already sent out fake notifications to more than 10,000 addresses. The email addresses were scraped from the American Registry for Internet Numbers.
The report also reveals that the threat actors utilized the FBI’s public-facing email system.
According to security researcher Kevin Beaumont, the email from the threat actors appears to have come from the FBI’s servers, since the headers are authenticated with the FBI’s DKIM process.
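To make the DKIM point concrete for anyone triaging such mail: the following Python snippet is an added example (not code from the article or from any party named in it) that parses the Authentication-Results and From headers of a constructed sample message and reports whether the DKIM signature aligns with the sender domain. A pass shows only that the mail left infrastructure the domain owner signs for, not that its content is a genuine alert; all domains, the selector and the signature values are placeholders.

```python
import email
import re
from email import policy

# Constructed sample modelled on a DKIM-authenticated notification mail.
# All domains, the selector and the signature values are placeholders.
SAMPLE_MESSAGE = """\
From: Alerts <alerts@portal.example.gov>
To: abuse@recipient.example.net
Subject: Urgent: Threat actor in the system
Authentication-Results: mx.recipient.example.net;
  dkim=pass header.d=example.gov header.s=sel1;
  spf=pass smtp.mailfrom=portal.example.gov;
  dmarc=pass header.from=example.gov
DKIM-Signature: v=1; a=rsa-sha256; d=example.gov; s=sel1; h=from:to:subject;
  bh=PLACEHOLDER; b=PLACEHOLDER

Constructed body text.
"""

def org_domain(domain: str) -> str:
    """Crude organisational-domain reduction (last two labels); enough for this demo."""
    return ".".join(domain.lower().split(".")[-2:])

def auth_summary(raw: str) -> dict:
    """Extract dkim/spf/dmarc verdicts and check DKIM-to-From domain alignment."""
    msg = email.message_from_string(raw, policy=policy.default)
    ar = " ".join(msg.get_all("Authentication-Results", []))  # unfolded by the parser
    verdicts = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", ar))
    m = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", ar)
    dkim_domain = m.group(1).lower() if m else None
    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    aligned = dkim_domain is not None and org_domain(dkim_domain) == org_domain(from_domain)
    return {"dkim": verdicts.get("dkim"), "spf": verdicts.get("spf"),
            "dmarc": verdicts.get("dmarc"), "dkim_domain": dkim_domain,
            "from_domain": from_domain, "aligned": aligned}

def triage(raw: str) -> str:
    """Authentication answers 'which domain signed this', never 'is the content true'."""
    s = auth_summary(raw)
    if s["dkim"] == "pass" and s["aligned"]:
        # Mail genuinely left the signing domain's infrastructure: either a real alert
        # or an abused sender. Confirm the claim with the domain owner out of band.
        return "authenticated-sender: verify content out of band"
    return "unauthenticated: treat as spoofed"

if __name__ == "__main__":
    print(auth_summary(SAMPLE_MESSAGE))
    print(triage(SAMPLE_MESSAGE))
```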
The FBI Has Taken The Affected Hardware Offline
In response to the incident, the FBI stated in a press release that the matter is ongoing and that it is currently investigating the situation.
The FBI also noted that the affected hardware has been taken offline to prevent further damage. No further information was shared about the incident.
An Attempt To Defame Troia
Bleeping Computer stated that the spamming activity may have been carried out deliberately to damage Troia’s reputation. Troia stated, in a tweet, that the threat actor responsible for the defamatory action could be “Pompompurin”. The hacker has previously attempted to damage Troia’s reputation in the same way.
Cybersecurity researcher Brian Krebs also stated that the threat actors are likely responsible for the action. He stated that Pompompurin sent him an email from an FBI email address when the attack was launched.
Brian says the threat actor sent him a message that reads, “Hi it’s pompompurin. Check headers of this email it’s actually coming from the FBI server.”
The researcher added that he even spoke with pompompurin, who told him that the attack was meant to highlight the security flaws in the FBI servers.
The individual also told Brian that they exploited a security flaw in the FBI’s Law Enforcement Enterprise (LEEP) and used a one-time password to sign up for an account. Pompompurin claims that after signing in to the account, they were able to manipulate the body of the email and the sender’s address, and sent the mass spam message.
The FBI Says No Exploit Was Recorded
Although the email came from a legitimate FBI-operated server, that server was built to push notifications for LEEP and was not part of the FBI’s corporate email service, the researcher said.
However, despite the flaw, no actor was able to compromise or access any PII or data on the FBI’s network.
It’s also an indication that threat actors are always looking for flaws in servers, including those of security agencies. Last week, Joe Biden’s administration mandated that vulnerable civilian agencies patch vulnerabilities on their servers. And in May, Biden signed an executive order to improve the country’s defenses against cybersecurity threats. The executive order came after the attacks on SolarWinds and Colonial Pipeline.
The Vulnerable Servers Could Have Been Weaponized
Cybersecurity researcher Austin Berglas, formerly of the FBI’s New York Office cyber branch, also commented on the incident. He stated that this level of access could have led to a much worse attack than the false email alert.
Austin noted that a malicious hacker with such access to a dot-gov account could launch far more serious attacks. Such an account can be weaponized and used for very serious hacking activity. “The FBI probably dodged a bullet,” Austin added.
According to the Washington Post, security experts believe that since the email did not include any malicious attachment, it could mean that the threat actors accidentally stumbled upon the bugs and had no plans to exploit them.