not quite an outage, more a hack, "Urgent: Threat actor in systems" emails from FBI infrastructure
not quite an outage, more a hack, but thought it relevant. As always replies to -discussion unless someone sees an official statement from the FBI or other government agencies (I have not seen one yet). I had a bit of an odd one this morning, I received two emails through contacts listed in whois subject: "Urgent: Threat actor in systems" from "eims@ic.fbi.gov". I was all set to ignore them as an odd bit of spam but did a quick check on the headers and was surprised to see it had valid dkim and spf and was from an actual FBI IP, queue real worry starting (as odd and off as the email content was, it's a lot more real when suddenly it's either legit or the FBI got hacked to send the email). Luckily (for some definition of lucky) it looks like it was a case of something being hacked on the FBI's end as calling they immediately knew what I was calling about and said they had dealt with the compromised equipment. Further googling after that call shows a few more reports of this ex. https://twitter.com/spamhaus/status/1459450061696417792 and https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberat... but I'd figured to mention it here so others don't get caught quite as off guard. Best guess I can come up with is it's an attempt to ruin the person mentioned in the email's name and/or promote the name of the mentioned gang. The specifics seem off for trying to get someone swatted given if you thought this was real what local agency would want to storm a federal operation with swat agents, and if you thought this was all fake, then you wouldn't go either. That or create FUD for any other warnings issued and distract from something else going on. Full body of the email: Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe, U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group
You should always vet any federal contacts outside of established channels with your FBI liaison before responding. Aaron
On Nov 13, 2021, at 10:34 AM, Glenn McGurrin via Outages <outages@outages.org> wrote:
not quite an outage, more a hack, but thought it relevant. As always replies to -discussion unless someone sees an official statement from the FBI or other government agencies (I have not seen one yet).
I had a bit of an odd one this morning, I received two emails through contacts listed in whois subject: "Urgent: Threat actor in systems" from "eims@ic.fbi.gov". I was all set to ignore them as an odd bit of spam but did a quick check on the headers and was surprised to see it had valid dkim and spf and was from an actual FBI IP, queue real worry starting (as odd and off as the email content was, it's a lot more real when suddenly it's either legit or the FBI got hacked to send the email). Luckily (for some definition of lucky) it looks like it was a case of something being hacked on the FBI's end as calling they immediately knew what I was calling about and said they had dealt with the compromised equipment. Further googling after that call shows a few more reports of this ex. https://twitter.com/spamhaus/status/1459450061696417792 and https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberat... but I'd figured to mention it here so others don't get caught quite as off guard.
Best guess I can come up with is it's an attempt to ruin the person mentioned in the email's name and/or promote the name of the mentioned gang. The specifics seem off for trying to get someone swatted given if you thought this was real what local agency would want to storm a federal operation with swat agents, and if you thought this was all fake, then you wouldn't go either. That or create FUD for any other warnings issued and distract from something else going on.
Full body of the email:
Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe, U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group _______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages
On 11/13/21 8:11 AM, Glenn McGurrin via Outages wrote:
not quite an outage, more a hack, but thought it relevant. As always
Is anyone besides me now receiving three (or here four) identical posts to the list with identical time stamps? -- John __
----- Original Message -----
From: "John Sage via Outages" <outages@outages.org>
On 11/13/21 8:11 AM, Glenn McGurrin via Outages wrote:
not quite an outage, more a hack, but thought it relevant. As always
Is anyone besides me now receiving three (or here four) identical posts to the list with identical time stamps?
And also identical Message-ID's. We're looking into it. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
FWIW I only got one copy. Definitely not all users. Josh Luthman 24/7 Help Desk: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Sat, Nov 13, 2021 at 12:47 PM Jay R. Ashworth via Outages < outages@outages.org> wrote:
----- Original Message -----
From: "John Sage via Outages" <outages@outages.org>
On 11/13/21 8:11 AM, Glenn McGurrin via Outages wrote:
not quite an outage, more a hack, but thought it relevant. As always
Is anyone besides me now receiving three (or here four) identical posts to the list with identical time stamps?
And also identical Message-ID's. We're looking into it.
Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274 _______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages
participants (5)
-
Aaron Wendel -
Glenn McGurrin -
Jay R. Ashworth -
John Sage -
Josh Luthman