
FBI Mail Server Hacked to Send Fake Cyber Attack Alerts

An attacker exploited a system misconfiguration to send legitimate-looking cybersecurity alerts to the bureau's law enforcement partners



The Federal Bureau of Investigation (FBI) has confirmed that a hacker exploited its systems to send fake emails to law enforcement partners alerting them to an alleged cyberattack.

The hacker exploited a misconfiguration in the bureau's Law Enforcement Enterprise Portal (LEEP) web application to send out legitimate-looking alerts warning partners that they had suffered a cyberattack and that a threat actor was currently inside their systems.

The emails were sent to partners from an official FBI email address on an FBI-operated domain, and the message headers also appeared legitimate on inspection, since the mail genuinely originated from FBI infrastructure.


The hacker falsely informed recipients that they had been the victim of a “sophisticated chain attack”, attributing it to Vinny Troia, a well-known security researcher and frequent subject of memes in the cybersecurity industry.

Troia denied any involvement in the attack shortly after it was discovered.

The FBI confirmed that the threat actor was unable to access or compromise sensitive data held by the bureau, and said the server used to send the fake emails was dedicated to sending LEEP notifications rather than being part of the FBI's corporate email service.

“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails,” the bureau said on Saturday. “LEEP is the FBI’s IT infrastructure used to communicate with our state and local law enforcement partners.

“While the illegitimate email came from a server operated by the FBI, this server was dedicated to sending notifications for LEEP and was not part of the FBI’s corporate email service. No actor could access or compromise data or personal information on the FBI network. Once we learned of the incident, we quickly patched the software vulnerability, warned our partners to ignore the fake emails, and confirmed the integrity of our networks.”

Spamhaus researchers drew attention to the first reports of the fake emails on Saturday, saying the recipients appeared to have been chosen at random and that the email addresses had been pulled from an ARIN database.

ARIN is a regional Internet registry responsible for the management and distribution of Internet number resources such as Internet Protocol (IP) addresses and Autonomous System Numbers (ASNs).

The researchers said they contacted the FBI at the time of the incident and that staff were “slammed” by calls from alarmed recipients trying to verify whether the emails were legitimate.

A hacker known as Pompompurin claimed responsibility for the attack in an interview with security journalist Brian Krebs, saying they wanted to draw attention to a security vulnerability in the LEEP web application.

Pompompurin said LEEP allowed anyone to apply for an account, even though the portal is intended for the FBI's law enforcement partners only. Applicants were verified via a one-time passcode emailed to them, and that same code was disclosed in the HTML of the FBI's own web page, so the check could be passed without ever reading the email.

When a user requested a confirmation code, the browser sent a POST request whose parameters included the subject and body of the confirmation email. Pompompurin replaced those parameters with their own subject and body and scripted the request to send thousands of emails from the FBI's server.
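The two flaws just described, a confirmation-code endpoint that takes the email subject and body from the client and a one-time code echoed into the page HTML, are modelled below in Python, first as written and then hardened. This is an added illustration, not LEEP's code, and none of the parameter names, the sender address or the rate-limit policy are known from the page; they are assumptions chosen to show the pattern.

```python
"""Constructed example: a self-service confirmation-code endpoint with the
flaws attributed to LEEP above, beside a hardened version. All names,
parameters and policies here are assumptions for illustration only."""
import hashlib
import hmac
import re
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Mail:
    to: str
    subject: str
    body: str


class Outbox:
    """Stand-in for the notification mail server; records what would be sent."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append(Mail(to, subject, body))


def new_code():
    return f"{secrets.randbelow(10**6):06d}"


def extract_code(text):
    """Pull a six-digit code out of an email body or HTML page (None if absent)."""
    m = re.search(r"\b\d{6}\b", text)
    return m.group() if m else None


def vulnerable_request_code(form, outbox):
    """Flawed handler (hypothetical form field names): the subject and body come
    straight from the POST, so the endpoint is an open relay for attacker-chosen
    mail from the official sender, and the code is written into the returned
    HTML so a client-side script can compare it."""
    code = new_code()
    outbox.send(form["email"], form["subject"], form["body"])
    return f'<input type="hidden" name="expected_code" value="{code}">'


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SUBJECT = "Your portal confirmation code"  # fixed server-side, never from the client
TEMPLATE = "Your confirmation code is {code}. It expires in 10 minutes."
CODE_TTL = 600   # seconds a code stays valid (assumed policy)
RATE_LIMIT = 3   # code requests per recipient per hour (assumed policy)


class HardenedPortal:
    """Server-side template, server-side verification, per-recipient rate limit."""

    def __init__(self, outbox, secret=None, clock=time.time):
        self.outbox = outbox
        self.secret = secret or secrets.token_bytes(32)
        self.clock = clock
        self.issued = {}                  # email -> (hmac of code, expiry)
        self.history = defaultdict(list)  # email -> request timestamps

    def _digest(self, email, code):
        return hmac.new(self.secret, f"{email}:{code}".encode(), hashlib.sha256).hexdigest()

    def request_code(self, form):
        """Returns (http_status, html). Any client-supplied subject/body is ignored."""
        email = form.get("email", "")
        if not EMAIL_RE.match(email):
            return 400, "<p>Invalid address.</p>"
        now = self.clock()
        recent = [t for t in self.history[email] if now - t < 3600]
        if len(recent) >= RATE_LIMIT:
            return 429, "<p>Too many requests; try again later.</p>"
        self.history[email] = recent + [now]
        code = new_code()
        self.issued[email] = (self._digest(email, code), now + CODE_TTL)
        self.outbox.send(email, SUBJECT, TEMPLATE.format(code=code))
        # The code reaches the user only by email; the page never contains it.
        return 200, "<p>Check your email for the confirmation code.</p>"

    def verify(self, email, code):
        """Single-use, time-limited check done only on the server. Popping first
        means a wrong guess consumes the code, so brute force needs a new request."""
        entry = self.issued.pop(email, None)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            return False
        return hmac.compare_digest(digest, self._digest(email, code))
```

The hardened handler removes the relay by making the message content a server-side constant, removes the disclosure by keeping the only copy of the code in the email and an HMAC on the server, and adds a per-recipient rate limit so that even a legitimate request cannot be turned into a bulk send. Sender-domain authentication (SPF, DKIM, DMARC) would not have caught the original campaign, because the mail really did come from the FBI's server; the fix has to be in the application.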

Experts have suggested that the level of access Pompompurin was able to achieve is concerning, and that a broader attack campaign could have been launched from the same foothold to compromise law enforcement partners across the United States.

“The hack could have allowed an attacker to distribute a phishing email campaign to all of the FBI’s local and state law enforcement partners – a campaign designed to compromise law enforcement across the United States,” said Alan Calder, CEO of GRC International Group.

© Dennis Publishing

