Just to prove that no one is safe from hackers, last Saturday the US Federal Bureau of Investigation (FBI) confirmed unidentified threat actors have breached one of its email servers to blast hoax messages about a fake “sophisticated chain attack”.
This incident, which was first publicly disclosed by threat intelligence non-profit SpamHaus, involved sending rogue warning emails with the subject line “Urgent: Threat actor in systems” originating from a legitimate FBI email address “eims@ic.fbi[.]gov” that framed the cyberattack on Vinny Troia, a security researcher and founder of dark web intelligence firms Night Lion Security and Shadowbyte, while also claiming him to be affiliated with a hacking outfit named TheDarkOverlord.
To summarise these hackers managed to hack into the FBI email servers using and account owned by a well known cybersecurity expert only because he supposedly “dissed” them in his book.
Another cybersecurity expert and former journalist for the Washington Post – Brian Krebs (of Krebs on Security), also received a private message from the hackers, detailed in an independent report that the “spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities”.
Pompompurin, as the hacker’s alias online, told Krebs that the breach was carried out by taking advantage of a flaw in the FBI’s Law Enforcement Enterprise Portal (LEEP) that not only allowed any individual to apply for an account, but also leaked the one-time password that’s sent to the applicant to confirm their registration, effectively enabling them to intercept and tamper the HTTP requests with their own phony message to thousands of email addresses.
“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails,” the agency said in a statement.
“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.”
Investigations continue although no harm seems to have been done, but in my opinion it is in the authorities best interests to discourage such activity.
Imagine if someone broke into your house just to prove that your security was not up to standard. You’d still insist the police arrest them and put them in jail or heavily fine them or both! No harm being done is still not an excuse for breaking the law – maybe some grounds for mitigation, but I’m encroaching into the lawyers’ area of expertise here.
In other recent developments, recently Microsoft has detailed the activities of six Iranian hacker groups that are behind waves of ransomware attacks that have arrived every six to eight weeks since September 2020.
Russia is often seen as the home of the biggest cyber-criminal ransomware threats, but state-sponsored attackers from North Korea and Iran have also shown a growing interest in ransomware, especially the potential financial benefits. Particularly in the case of North Korea whose state-sponsored groups have already illegally collected at least $US50 million ($F105m) in ransomware payouts in the last couple of years.
Microsoft said Iranian hacking groups are using ransomware to either collect funds or disrupt their targets, and are “patient and persistent” while engaging with their targets although they will use aggressive brute-force attacks.
The most consistent of the six Iranian threat groups is one Microsoft tracks as Phosphorus (others call it APT35). Microsoft has been playing cat and mouse with the group for the past two years. While initially known for cyber espionage, Microsoft details the group’s strategies for deploying ransomware on targeted networks, often using Microsoft’s Windows disk-encryption tool BitLocker to encrypt victim files.
Other cybersecurity firms last year detected a rise in ransomware from Iranian state-backed hackers using known Microsoft Exchange vulnerabilities to install persistent web shells on email servers and Thanos ransomware.
According to Microsoft, Phosphorus was also targeting unpatched on-premise Exchange servers and Fortinet’s FortiOS SSL VPN in order to deploy ransomware.
In the second half of 2021, the group started scanning for the four Exchange flaws known as ProxyShell that were initially exploited as zero days by Beijing-backed hackers earlier this year.
An account by security specialist DFIR Report notes Phosphorus used BitLocker on servers and DiskCryptor on PCs. Their activity stood out because it didn’t rely on ransomware-as-a-service offerings that are popular among cyber criminals and didn’t create custom encryptors instead using Microsoft’s own BitLocker program.
Their standard modus operandi is after compromising the initial server (through vulnerable VPN or Exchange Server), the cyberattackers moved laterally to a different system on the victim’s network to gain access to higher value resources. This was tracked by Microsoft’s Threat Detection Centre.
From there, the cyberattackers deployed a script to encrypt the drives on multiple systems using BitLocker then the victims were instructed to reach out to a specific Telegram page to pay for the decryption key. As always and as highlighted by vendors, please do keep your servers and applications up to date with patches to prevent cyber attacks like this being successful.
As outlined in an earlier article this year, the Iranian state sponsored group also tries to steal credentials by sending “interview requests” to targeted individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, the attackers send a link to a list of interview questions and then a link to a fake Google Meeting, which would steal login details.
Other groups mentioned in Microsoft’s report included an emerging Iranian hacking group that recently targeted Israel and US organisations in the Persian Gulf with password-spraying attacks.
Microsoft highlights that the adoption of ransomware aided the Iranian hackers’ efforts in espionage, disruption and destruction, and to support physical operations. Their arsenal of attacks included ransomware, disk wipers, mobile malware, phishing, password-spray attacks, mass exploitation of vulnerabilities, and supply chain attacks.
Possibly in retaliation, a massive cyber attack in Iran late last month left petrol stations across the country crippled, disrupting fuel sales and defacing electronic billboards to display messages challenging the regime’s ability to distribute gasoline.
Posts and videos circulated on social media showed messages that said, “Khamenei! Where is our gas?” a reference to the country’s supreme leader Ayatollah Ali Khamenei. Other signs read, “Free gas in Jamaran gas station,” with gas pumps showing the words “cyberattack 64411” when attempting to purchase fuel, semi-official Iranian Students’ News Agency (ISNA) news agency reported.
While there is suspicion that the cyber attack was “probably” state-sponsored Iranian investigators said it was too early to determine which country carried out the intrusions.
Although no country or group has so far claimed responsibility for the incident, the attacks mark the second time digital billboards have been altered to display similar messaging.
In July 2021, Iranian Railways and the Ministry of Roads and Urban Development systems became the subject of targeted cyber attacks, displaying alerts about train delays and cancellations and urging passengers to call the phone number 64411 for further information. It’s worth noting that the phone number belongs to the office of Ali Khamenei that supposedly handles questions about Islamic law.
The cybersecurity firm Check Point later attributed the train attack to a “regime opposition” threat actor that self-identifies as “Indra” – referring to the Hindu god of lightning, thunder, and war – and is believed to have ties to hacktivist and other cybercriminal groups, in addition to linking the malware to prior attacks targeting Syrian petroleum companies in early 2020.
While most cyber attacks against critical infrastructure are suspected to be the work of other nation states, the truth is that there is no magic shield that prevents a non-state sponsored entity from creating the same kind of havoc, and harming critical infrastructure in order to make a statement. In fact it is my opinion that nation states would tend to keep their cybersecurity breaches secret and use it in the event of actual war or as a bargaining chip in negotiations at state level. And so in cyberspace these subtle and sometimes not-so-subtle conflicts continue perhaps reflecting the real world in many ways, but with global reach, sophisticated tools and advanced technologies.
As ancient Chinese general, strategist and philosopher Sun Tzu succinctly puts it: “In battle, there are not more than two methods of attack – the direct and the indirect – yet these two in combination give rise to an endless series of maneuvers.” As always, God bless and stay safe in both digital and physical worlds.
- ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
