FBI system hacked to email ‘urgent’ warning about fake cyberattacks

The Federal Bureau of Investigation (FBI) email servers were hacked to distribute spam email impersonating FBI warnings that the recipients’ network was breached and data was stolen.

The emails pretended to warn about a “sophisticated chain attack” by an advanced threat actor, whom they identify as Vinny Troia. Troia is the head of security research at the dark web intelligence companies NightLion and Shadowbyte.

The spam-tracking nonprofit SpamHaus noticed that tens of thousands of these messages were delivered in two waves early this morning. They believe this is just a small part of the campaign.

Legitimate address delivers fake content

Researchers at the Spamhaus Project, an international nonprofit that tracks spam and associated cyber threats (phishing, botnets, malware), observed two waves of this campaign, one at 5 AM (UTC) and a second one two hours later.

The messages came from a legitimate email address – [email protected] – belonging to the FBI’s Law Enforcement Enterprise Portal (LEEP), and carried the subject “Urgent: Threat actor in systems.”

All emails came from the FBI’s IP address 153.31.119.142 (mx-east-ic.fbi.gov), Spamhaus told us.

Fake cyber attack alert from legit FBI email address

The message warns that a threat actor has been detected in the recipients’ network and has stolen data from devices.

Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.


Stay safe,

U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group

Spamhaus Project told BleepingComputer that the fake emails reached at least 100,000 mailboxes. The number is a very conservative estimate, though, as the researchers believe “the campaign was potentially much, much larger.”

In a tweet today, the nonprofit said that the recipients were scraped from the American Registry for Internet Numbers (ARIN) database.

While this looks like a prank, there is no doubt that the emails originated from the FBI’s servers: the message headers carry a DomainKeys Identified Mail (DKIM) signature for the fbi.gov domain, which verifies that the message was signed by that domain’s mail infrastructure.

Received: from mx-east-ic.fbi.gov ([153.31.119.142]:33505 helo=mx-east.fbi.gov)
envelope-from 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=fbi.gov; s=cjis; t=1636779463; x=1668315463;
  h=date:from:to:message-id:subject:mime-version;
  bh=UlyBPHe3aElw3Vfnk/pqYLsBAoJGDFR1NyZFcSfpl5g=;
  b=N3YzXzJEbQCTJGh8qqjkYu/A5DTE7yoloPgO0r84N+Bm2ae6f+SxzsEq
   nbjnF2hC0WtiVIMMUVGzxWSiZjq1flEygQGI/JVjjk/tgVVPO5BcX4Os4
   vIeg2pT+r/TLTgq4XZDIfGXa0wLKRAi8+e/Qtcc0qYNuTINJDuVxkGNUD
   62DNKYw5uq/YHyxw+nl4XQwUNmQCcT5SIhebDEODaZq2oVHJeO5shrN42
   urRJ40Pt9EGcRuzNoimtUtDYfiz3Ddf6vkFF8YTBZr5pWDJ6v22oy4mNK
   F8HINSI9+7LPX/5Td1y7uErbGvgAya5MId02w9r/p3GsHJgSFalgIn+uY
   Q==;
   X-IronPort-AV: E=McAfee;i="6200,9189,10166"; a="4964109"
   X-IronPort-AV: E=Sophos;i="5.87,231,1631577600"; 
   d="scan'208";a="4964109"
Received: from dap00025.str0.eims.cjis ([10.67.35.50])
  by wvadc-dmz-pmo003-fbi.enet.cjis with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Nov 2021 04:57:41 
+0000
Received: from dap00040.str0.eims.cjis (dap00040.str0.eims.cjis [10.66.2.72])
	by dap00025.str0.eims.cjis (8.14.4/8.13.8) with ESMTP id 1AD4vf5M029322
	for ; Fri, 
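To make concrete what the DKIM-Signature header above does and does not prove, here is an added example (not code from the article or from Spamhaus) of the checks a receiving mail server performs on such a header. The tags d=fbi.gov and s=cjis tell the verifier to fetch the signer’s public key from the DNS TXT record cjis._domainkey.fbi.gov; the bh= tag must match a hash of the canonicalized body; and the b= signature covers only the headers listed in h=, so the Received and X-IronPort-AV lines are not protected by it. The body and signature below are constructed sample data: bh= is computed in the script and b= is a placeholder, not the real signature, and no DNS lookup is performed.

```python
# Added example (not part of the article): what a DKIM verifier actually checks
# in a DKIM-Signature like the one in the leaked message. Everything below is
# offline; the body and signature are constructed sample data (bh= is computed
# here, b= is a placeholder), not the real message.
import base64
import hashlib
import hmac
import re

HASH_ALGOS = {"rsa-sha256": hashlib.sha256, "rsa-sha1": hashlib.sha1}


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2).
    Folding whitespace inside values (common in b= and bh=) is discarded."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty segment after the final ';'
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def selector_record_name(tags: dict) -> str:
    """DNS TXT record a verifier fetches to obtain the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def is_header_signed(tags: dict, header_name: str) -> bool:
    """Only headers listed in h= are covered by the signature; the Received and
    X-IronPort-AV lines in the leaked message are not."""
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    return header_name.lower() in signed


def simple_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.3: drop trailing empty lines; ensure a final CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: collapse runs of WSP to one space, strip trailing
    WSP, drop trailing empty lines, end a non-empty body with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, a: str = "rsa-sha256", c: str = "simple/simple") -> str:
    """Base64 body hash as it would appear in bh=, using the body canonicalization
    named after the '/' in c= (default simple)."""
    canon = c.split("/")[1] if "/" in c else "simple"
    canon_body = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(HASH_ALGOS[a](canon_body).digest()).decode("ascii")


def check_body_hash(tags: dict, body: bytes) -> bool:
    """First step of verification: bh= must match the canonicalized body.
    Verifying b= additionally needs the public key from selector_record_name()."""
    expected = body_hash(body, tags.get("a", "rsa-sha256"), tags.get("c", "simple/simple"))
    return hmac.compare_digest(expected, tags.get("bh", ""))


# Constructed sample body (a short stand-in for the spam text quoted above).
SAMPLE_BODY = b"Urgent: Threat actor in systems.\r\n\r\nStay safe,\r\n\r\n\r\n"


def sample_signature() -> str:
    """Constructed DKIM-Signature value mirroring the leaked header's tags.
    bh= is computed over SAMPLE_BODY; b= is a placeholder, not a real signature."""
    bh = body_hash(SAMPLE_BODY, "rsa-sha256", "relaxed/relaxed")
    return (
        "v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
        "  d=fbi.gov; s=cjis; t=1636779463; x=1668315463;\r\n"
        "  h=date:from:to:message-id:subject:mime-version;\r\n"
        f"  bh={bh};\r\n"
        "  b=PLACEHOLDERSIGNATURE==;"
    )


if __name__ == "__main__":
    tags = parse_dkim_tags(sample_signature())
    print("public key record:", selector_record_name(tags))
    print("body hash matches:", check_body_hash(tags, SAMPLE_BODY))
    print("Received header signed:", is_header_signed(tags, "Received"))
    print("From header signed:", is_header_signed(tags, "From"))
```

The practical reading of a valid signature here is narrow: it shows the message body and the six listed headers were signed by whatever system holds the cjis private key for fbi.gov, which is why Spamhaus could be sure the mail left the FBI’s own infrastructure. It says nothing about who composed the text, and the relay path recorded in the Received headers sits outside the signed set entirely.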

FBI raids Chinese sales equipment supplier: report

U.S. federal investigators raided the Florida offices of a Chinese point-of-sale device provider that reportedly facilitated cyberattacks on American and European entities. 

This week FBI agents descended on the Jacksonville offices of Shenzhen, China-based PAX Technology, which provides point of sale (POS) hardware and software to companies worldwide. 

POS systems are used everywhere from big box retailers to gas stations to coffee shops for processing customer payments.   

The seal of the Federal Bureau of Investigation hangs on the outside of the bureau’s Edgar J. Hoover Building in May 2017 in Washington, D.C. Recently, the FBI raided the Florida offices of a Chinese sales equipment supplier. (Chip Somodevilla/Getty Images / Getty Images)


The news was originally reported by WOKV, a local Jacksonville news outlet.  

Cybersecurity news site KrebsOnSecurity said the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and EU organizations. 

Recently, the FBI raided the offices of a Chinese sales equipment supplier, PAX Technology, which a cybersecurity news site reported may have been involved in cyberattacks.  (Jakub Porzycki/NurPhoto via Getty Images / Getty Images)

The FBI began investigating PAX “after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals,” KrebsOnSecurity said, based on information from a “trusted source.” 

“The payment processor found that the PAX terminals were being used both as a malware ‘dropper’ — a repository for malicious files — and as ‘command-and-control’ locations for staging attacks and collecting information,” the cybersecurity news site said. 


The FBI Jacksonville Office provided a statement about the recent raid of the Florida offices of a Chinese sales equipment supplier. (Google Maps)

The FBI Jacksonville office provided the following statement to FOX Business: “The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, executed a court-authorized search in furtherance of a federal investigation (Tuesday, 10/26). The investigation remains active and ongoing and no additional information can be confirmed at this time.”

The FBI is providing no more information other than saying it conducted searches of three facilities in Jacksonville, according to Amanda Videll, public affairs officer at FBI Jacksonville. 

“On Tuesday, October 26, 2021, PAX Technology, Inc. in the United States was subject to an unexpected visit from the Federal Bureau of Investigation (FBI) and other government agencies relating to an apparent investigation,” a PAX Technology spokesperson told FOX Business. 

“PAX Technology is not aware of any illegal conduct by it or its employees and is in the process of engaging counsel to assist in learning more about the events that led to the investigation,” the spokesperson said, adding that the company is “aware of media reports regarding the security of PAX Technology’s devices and services [and] PAX Technology
