The Federal Bureau of Investigation (FBI) confirmed on Saturday that a hacker exploited its systems to send fake emails to law enforcement partners alerting them to a supposed cyber attack.
The hacker exploited a misconfiguration in its Law Enforcement Enterprise Portal (LEEP) web app to send legitimate-looking alerts to partners warning them that they had suffered a cyber attack and that a threat actor was currently in their system.
Emails were sent to partners from an official FBI email account with an @ic.fbi.gov domain, the headers of which also appeared to be legitimate after being sanitised.
The hacker falsely informed recipients they had fallen victim to a "sophisticated chain attack" attributed to Vinny Troia, a reputable security researcher and oft subject of memes in the cyber security industry.
Troia rejected his involvement in the attack shortly after its discovery.
The FBI confirmed the threat actor was unable to access or compromise any sensitive data held by the FBI, and said the server used to send the false emails was used only to push notifications for LEEP rather than being connected to the FBI's corporate email service.
"The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails," it said on Saturday. "LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners.
"While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."
Researchers at Spamhaus drew attention to the early reports of fake emails on Saturday, saying the recipients were chosen indiscriminately and email addresses were scraped from an ARIN database.
ARIN is a regional internet registry responsible for the management and distribution of internet number resources such as internet protocol (IP) addresses and autonomous system numbers (ASNs).
The email sent to recipients appeared as follows:
Spamhaus said its telemetry indicated two 'waves' of spam emails being sent, one just before 05:00 on Saturday and then another shortly after 07:00.
Security researchers reported having contacted the FBI at the time of the incident said the staff were "slammed" with calls from alarmed recipients trying to verify if the correspondence was legitimate or not.
RELATED RESOURCE
The best defence against ransomware
How ransomware is evolving and how to defend against it
A hacker known by the alias Pompompurin claimed responsibility for the attack in an interview with security researcher Brian Krebs. They said they wanted to draw attention to the security vulnerability in the LEEP web app.
Pompompurin said LEEP allowed anyone to apply for an account, despite it being reserved only for law enforcement partners of the FBI. Account authentication was also run through a one-time passcode emailed to the applicant - a code which the FBI's website leaked in the HTML code of its web page.
When users requested a confirmation code, they were sent a POST request which included parameters for the email subject and body content. Pompompurin replaced the parameters with his own email subject and body to automate thousands of email sends.
Experts have suggested that the level access Popompurin was able to achieve was worrying and that a wider attack campaign could have bene launched to compromise law enforcement partners across the US.
"The hack could have enabled an attacker to disperse a phishing email campaign to all the FBI’s state and local law enforcement partners - one that was designed to compromise US-wide law enforcement," said Alan Calder, CEO at GRC International Group.
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
