The FBI has admitted that a software misconfiguration let parties unknown send legit-looking email from its servers.
A statement from the bureau, dated November 14, states the agency "is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails."
Spam-tracking service Spamhaus tweeted about the incident on November 13.
We have been made aware of "scary" emails sent in the last few hours that purport to come from the FBI/DHS. While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.— Spamhaus (@spamhaus) November 13, 2021
The mails contained a warning that FBI monitoring had detected "exfiltration of several of your virtualized clusters in a sophisticated chain attack" perpetrated by a chap named Vinny Troia, the founder of infosec firms named Shadow Byte Cyber and Night Lion Security.
There is no indication Troia had anything to do with the incident and The Register makes no suggestion he was in any way involved. However, an entity using the name and Twitter handle "@pompompur_in" appears to have told Krebs on Security they were behind the incident.
"I could've 1000% used this to send more legit looking emails, trick companies into handing over data etc.," Pompompurin told Krebs. "And this would've never been found by anyone who would responsibly disclose, due to the notice the feds have on their website."
Troia also appears to have attributed the incident to @pompompur_in.
For what it's worth, @pompompur_in's Twitter profile states it also operates a private account on the service with the handle @seds. The profile for that account reads: "Call me vinny troia the way I be selling DBs." Other @pompompur_in posts suggest bad blood between whoever operates the account and Troia.
Whoever was behind the attack, the FBI has admitted it was real and that a server it operates was used to send the mails. Another Spamhaus Tweet suggests that whoever got in was able to use the FBI server to send two spurts of mail, with around 100,000 messages making it out.
The following chart shows email traffic originating from the FBI mailserver (https://t.co/En06mMbR88 | 188.8.131.52) involved. You can clearly see the two spikes caused by the fake warning last night. Timestamps are in UTC. pic.twitter.com/vPKvzv74gW— Spamhaus (@spamhaus) November 13, 2021
The server in question was part of LEEP, which the FBI describes as "a secure platform for law enforcement agencies, intelligence groups, and criminal justice entities [that] provides web-based investigative tools and analytical resources" for other law enforcement agencies.
"Users collaborate in a secure environment, use tools to strengthen their cases, and share departmental documents." Or at least that's what they do when they're not trying to figure out what "exfiltration of several of your virtualized clusters in a sophisticated chain attack" means.
- Warehouse belonging to Chinese payment terminal manufacturer raided by FBI
- Ukrainian cuffed, faces extradition to US for allegedly orchestrating Kaseya ransomware infection
- US nuke sub plans leaked on SD card hidden in peanut butter sandwich, claims FBI
But we digress.
The FBI explains that the server was "dedicated to pushing notifications for LEEP and was not part of the FBI's corporate email service", and that no data or personally identifiable information was accessed.
"Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."
Unusually, the FBI's posts don't mention an investigation into the incident. Perhaps the Bureau's waiting for the weekend to end before trying to track down @pompompur_in. ®