Misconfigured FBI Email System Leads to Hoax Campaign

Threat Actor Sends 100,000 Emails Falsely Warning of a Cyberattack

The FBI says on Sunday it has remediated a software misconfiguration that was abused to send fake emails falsely warning of a cyberattack that used the FBI’s legitimate domain.

As many as 100,000 hoax emails were sent in two waves early Saturday morning that purported to come from the FBI and the Department of Homeland Security, according to the spam watchdog group Spamhaus Project.

Spamhaus said while the emails were sent from FBI- and DHS-owned infrastructure, the emails were indeed fake. The emails came from the address “eims@ic.fbi.gov.”

The FBI said the misconfiguration involved the Law Enforcement Enterprise Portal (LEEP). The LEEP is an expansive platform that allows state, local and federal agencies to share information, including sensitive documents. It also has a Virtual Command Center, which allows agencies to share real-time information about events such as shootings and child abductions.

Although the email server that was abused is operated by the FBI, it is not part of the agency’s corporate email service, the agency says in an updated statement on Sunday. No classified systems were involved.

“No actor was able to access or compromise any data or PII on the FBI’s network,” the FBI says. “Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”

‘Threat Actor in Systems’

Spamhaus posted a screenshot of the email’s text, which warned of a potential exfiltration of data. The bogus emails attempted to pin the activity on security researcher Vinny Troia, who is the founder of the darknet intelligence companies NightLion and Shadowbyte.

Troia is frequently the target of opprobrium for his security research on hacking forums such as Raid, and he is often falsely blamed for attacks.

According to computer security writer Brian Krebs, a threat actor who goes by the Twitter nickname Pompompurin is claiming credit for the incident.

Pompompurin told Krebs the LEEP portal leaked a confirmation code when someone registered with the portal. The confirmation code was sent via a POST request, which he could edit, including the email subject and body content. Pompompurin says he was subsequently able to script a mass email campaign.
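The flaw class described above, a registration endpoint that lets the client dictate the subject and body of the confirmation message it sends from a trusted domain, is easier to reason about in code. The following is an added illustrative example written for this article, not the LEEP portal's implementation (which is not public); the field names, the placeholder sender address and the rate-limit figures are assumptions. It places the weak pattern beside a hardened handler that accepts only the recipient address, renders a fixed server-side template, rejects unexpected fields, and caps how many confirmation mails one caller can trigger.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed placeholder sender; not the address quoted in the article.
SENDER = "noreply@example.gov"
# Conservative address pattern; the character classes exclude CR/LF, so a
# fullmatch also blocks attempts to smuggle extra mail headers.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class OutboundMail:
    sender: str
    recipient: str
    subject: str
    body: str


def vulnerable_confirmation(form: dict, code: str) -> OutboundMail:
    """Weak pattern (hypothetical): subject and body come straight from the
    POST fields, so whoever submits the form decides what the trusted domain
    sends. Only the confirmation code is generated server-side."""
    return OutboundMail(
        sender=SENDER,
        recipient=form["email"],
        subject=form["subject"],
        body=form["body"].replace("{code}", code),
    )


def hardened_confirmation(form: dict, code: str) -> OutboundMail:
    """Hardened pattern: the client may supply only the recipient address.
    Subject and body are fixed server-side text, unexpected fields are
    rejected rather than silently ignored, and the address is validated."""
    unexpected = set(form) - {"email"}
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    recipient = form.get("email", "").strip()
    if not EMAIL_RE.fullmatch(recipient):
        raise ValueError("invalid recipient address")
    return OutboundMail(
        sender=SENDER,
        recipient=recipient,
        subject="Your registration confirmation code",
        body=(
            f"Your confirmation code is {code}.\n"
            "If you did not request this, you can ignore this message."
        ),
    )


class SendRateLimiter:
    """Sliding-window cap on confirmation mails per client identifier, so a
    single scripted caller cannot turn the endpoint into a bulk mailer.
    The clock is passed in explicitly so the behaviour is testable."""

    def __init__(self, max_sends: int, window_seconds: float):
        self.max_sends = max_sends
        self.window = window_seconds
        self._sent = defaultdict(deque)

    def allow(self, client_id: str, now: float) -> bool:
        # Drop timestamps that have aged out of the window, then check the cap.
        q = self._sent[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_sends:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    limiter = SendRateLimiter(max_sends=3, window_seconds=60.0)
    for attempt in range(5):
        if limiter.allow("client-A", now=float(attempt)):
            mail = hardened_confirmation({"email": "user@example.org"}, "482910")
            print(f"sent to {mail.recipient}: {mail.subject}")
        else:
            print("rate limited")
```

The detection angle follows from the same shape: a confirmation endpoint whose outbound message volume or recipient set suddenly departs from its normal registration pattern, or whose requests carry fields the form never defined, is worth an alert even before the template question is settled.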

Many of the email addresses that received the fake messages appear to have been scraped from a public database belonging to the American Registry for Internet Numbers (ARIN), which manages IP addresses and network allocations within North America and parts of the Caribbean, Spamhaus tweeted.

Executive Editor Jeremy Kirk contributed to this report.
