Over the weekend (Saturday, November 13, 2021), Omega Systems’ SOC specialists investigated a threatening “.gov” email sent to one of our customers. Our customer was just one of tens of thousands of recipients of the email, which warned of a cyberattack and was sent from a breached U.S. Federal Bureau of Investigation (FBI) system. Our team determined that the email originated from a legitimate source and continued investigating immediately. Using our SIEM tool, Omega’s SOC team found no anomalous behavior on the customer’s side; however, we deployed EDR to verify that assessment. During our internal evaluation, the FBI and cybersecurity specialists confirmed that unidentified threat actors had breached a legitimate but vulnerable email server and used it to send the following spam email:
Subject: Urgent: Threat actor in systems
Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to black hole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fast flux technologies, which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord. We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we cannot interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.
U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group
The FBI confirmed our team’s findings that the emails were, in fact, sent from the Law Enforcement Enterprise Portal system, which is used for communication between state and local officials. According to cybersecurity experts, the hackers did not appear to have gained access to internal databases containing state secrets or classified information. The FBI reports that no PII (Personally Identifiable Information) was accessed by unauthorized actors.
Further, the email did not include any malicious attachments, which are the common success trigger for 96% of phishing/ransomware attacks. Although the vulnerability was found and publicly revealed, the hackers did not seem to have a particular plan to further exploit it (for money or gain), as a hacktivist or criminal group would have done. Although the compromised hardware “was taken offline quickly upon discovery of the issue,” the FBI said, “This is an ongoing situation.” They also stated, “Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
Thankfully, the “Urgent: Threat actor in systems” email has been deemed a hoax; however, it is not something that warrants a sigh of relief. This is a prime example of how basic communication, like email, can easily be weaponized for mass destruction. Hoax or not, Omega Systems always views this type of breach as worrisome, especially when it comes to the safety and security of our Nation’s people and businesses.