FBI System Hijacked to Email ‘Immediate’ Alert About Fake Cyberattacks

The Federal Bureau of Investigations (FBI) email servers were hijacked to administer spam email impersonating FBI warnings that the receivers’ network was stealing and the information was stolen.

The spam-tracking nonprofit SpamHaus alerted that tens of thousands of these messages were delivered in two waves early this morning. They also believe is just a small part of the operations.

Appropriate Address Delivers Fake Content 

Security Investigators observed two waves of this operation, one at 5 AM (UTC) and a second one-two hour later. The message came from an appropriate email address [email protected] – which is in the form of FBI’s Law Enforcement Portal (LEEP), and carried the subject “Urgent: Threat actor in systems.”

All emails came from the FBI’s IP address 153.31.119.142 (mx-east-ic.fbi.gov), security researchers told us.

FBI-System-Hijacked-to-Email-‘Immediate’-Alert-About-Fake-Cyberattacks-image1

The message alerts that an attacker has been analyzed in the receiver’s network and has hijacked information from devices.

“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however, there is a huge chance he will modify his attack with fast-flux technologies, which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, who is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under the inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.

Stay safe,

U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group”

Spamhaus Project told our experts that the fraudulent emails reached at least 100,000 mailboxes. The number is a very traditional estimate, though, as the investigators believe “the operation was probably much, much larger.”

In a tweet today, the nonprofit said that the recipients were scraped from the American Registry for Internet Numbers (ARIN) database. While this looks like a prank, there is no doubt that the emails originate from the FBI’s servers as the headers of the message show that its origin is verified by the DomainKeys discovered Mail (DKIM) mechanism.

“Received: from mx-east-ic.fbi.gov ([153.31.119.142]:33505 helo=mx-east.fbi.gov)

envelope-from

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

d=fbi.gov; s=cjis; t=1636779463; x=1668315463; 

h=date:from:to:message-id:subject:mime-version; 

bh=UlyBPHe3aElw3Vfnk/pqYLsBAoJGDFR1NyZFcSfpl5g=; 

b=N3YzXzJEbQCTJGh8qqjkYu/A5DTE7yoloPgO0r84N+Bm2ae6f+SxzsEq nbjnF2hC0WtiVIMMUVGzxWSiZjq1flEygQGI/JVjjk/tgVVPO5BcX4Os4  

vIeg2pT+r/TLTgq4XZDIfGXa0wLKRAi8+e/Qtcc0qYNuTINJDuVxkGNUD  

62DNKYw5uq/YHyxw+nl4XQwUNmQCcT5SIhebDEODaZq2oVHJeO5shrN42  

urRJ40Pt9EGcRuzNoimtUtDYfiz3Ddf6vkFF8YTBZr5pWDJ6v22oy4mNK  

F8HINSI9+7LPX/5Td1y7uErbGvgAya5MId02w9r/p3GsHJgSFalgIn+uY

   Q==;

   X-IronPort-AV: E=McAfee;i=”6200,9189,10166″; a=”4964109″

   X-IronPort-AV: E=Sophos;i=”5.87,231,1631577600″;  

d=”scan’208″;a=”4964109″

Received: from dap00025.str0.eims.cjis ([10.67.35.50])

  by wvadc-dmz-pmo003-fbi.enet.cjis with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Nov 2021 04:57:41

+0000

Received: from dap00040.str0.eims.cjis (dap00040.str0.eims.cjis [10.66.2.72])

               by dap00025.str0.eims.cjis (8.14.4/8.13.8) with ESMTP id 1AD4vf5M029322

for ; Fri, 12 Nov 2021 23:57:41 -0500

Date: Fri, 12 Nov 2021 23:57:41 -0500 (EST)

From: [email protected]

v=DMARC1; p=reject; rua=mailto:[email protected], mailto:[email protected]; ruf=mailto:[email protected]; pct=100”

The headers also display the following FBI internal servers that processed the emails:

  • dap00025.str0.eims.cjis
  • wvadc-dmz-pmo003-fbi.enet.cjis
  • dap00040.str0.eims.cjis

The FBI accepted that the content of the email is fraudulent and that they were working on resolving the issue as their helpdesk is flooded with calls from bothered administrators. In a statement to our experts, the FBI said that they could not share more data due to being an ongoing situation.

“The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account. This is an ongoing situation and we are not able to provide any additional information at this time. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to www.ic3.gov or www.cisa.gov.” – FBI.

In a second statement sent to our experts, the FBI explained that the threat actor behind the spam campaign took advantage of a software configuration to send out the emails. While the messages went out from a server managed by the FBI, the machine was isolated from the agency’s corporate email and did not offer access to any data or personally identifiable information on the FBI’s network.

“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on FBI’s network. Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks” – FBI

According to the technical information seized by researcher broadcaster Brian Krebs from the individual behind the campaign, the LEEP portal allowed anyone to apply for an account. The registration process required filling in contact information.

“A critical step in that process says applicants will receive an email confirmation from [email protected] with a one-time passcode,” Krebs wrote on Saturday. This code and the applicant’s contact details leaked in the web page’s HTML code.

FBI-System-Hijacked-to-Email-‘Immediate’-Alert-About-Fake-Cyberattacks-image2

Using a script, the actor could change the parameters with an email subject and body of their choice, and automate the sending of the messages.

FBI-System-Hijacked-to-Email-‘Immediate’-Alert-About-Fake-Cyberattacks-image3

Proposed to defame Security Investigators

Whoever is behind this operation was likely prompted to undermine Vinny Troia, the author of dark web intelligence company Shadowbyte, who is named in the message as the threat actor responsible for the fake supply-chain attack.

Members of the RaidForums hacking community have a long-standing feud with Troia, and commonly deface websites and perform minor hacks where they blame it on the security researcher.

Tweeting about this spam campaign, Vinny Troia hinted at someone known as “pompomourin,” as the likely author of the attack. Troia says the individual has been associated in the past with incidents aimed at undermining the security researcher’s reputation.

Speaking to our experts, Troia said that “my best guess is ‘pompompurin’ and his bands of minions are behind this incident.” “The last time they pompompurin hacked the national center for missing children’s website blog and put up a post about me being a pedophile” – Vinny Troia

This assumption is further supported by the fact that ‘pompompurin’ contacted Troia a few hours before the spam email campaigns started to simply say “enjoy,” as a warning that something involving the researcher was about to happen. Troia said that ‘pompompurin’ messages him every time they start an attack to discredit the researcher.

Leave a Reply