FBI spams thousands with fake infosec advice after 'software misconfiguration'

Looks like feuding hackers wanted to expose Feds' failings as a public service. We want to believe

The FBI has admitted that a software misconfiguration let parties unknown send legit-looking email from its servers.

A statement from the bureau, dated November 14, states the agency "is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails."

Spam-tracking service Spamhaus tweeted about the incident on November 13.

The mails contained a warning that FBI monitoring had detected "exfiltration of several of your virtualized clusters in a sophisticated chain attack" perpetrated by a chap named Vinny Troia, the founder of infosec firms named Shadow Byte Cyber and Night Lion Security.

There is no indication Troia had anything to do with the incident and The Register makes no suggestion he was in any way involved. However, an entity using the name and Twitter handle "@pompompur_in" appears to have told Krebs on Security they were behind the incident.

"I could've 1000% used this to send more legit looking emails, trick companies into handing over data etc.," Pompompurin told Krebs. "And this would've never been found by anyone who would responsibly disclose, due to the notice the feds have on their website."

Troia also appears to have attributed the incident to @pompompur_in.

For what it's worth, @pompompur_in's Twitter profile states it also operates a private account on the service with the handle @seds. The profile for that account reads: "Call me vinny troia the way I be selling DBs." Other @pompompur_in posts suggest bad blood between whoever operates the account and Troia.

Whoever was behind the attack, the FBI has admitted it was real and that a server it operates was used to send the mails. Another Spamhaus tweet suggests that whoever got in was able to use the FBI server to send two bursts of mail, with around 100,000 messages making it out.

The server in question was part of LEEP, which the FBI describes as "a secure platform for law enforcement agencies, intelligence groups, and criminal justice entities [that] provides web-based investigative tools and analytical resources" for other law enforcement agencies.

"Users collaborate in a secure environment, use tools to strengthen their cases, and share departmental documents." Or at least that's what they do when they're not trying to figure out what "exfiltration of several of your virtualized clusters in a sophisticated chain attack" means.

But we digress.

The FBI explains that the server was "dedicated to pushing notifications for LEEP and was not part of the FBI's corporate email service", and that no data or personally identifiable information was accessed.

"Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."

Unusually, the FBI's posts don't mention an investigation into the incident. Perhaps the Bureau's waiting for the weekend to end before trying to track down @pompompur_in. ®

Biting the hand that feeds IT © 1998–2022