Disastrous cyber attack on email provider wipes US servers and backups

A cyber attack on email provider VFEmail caused “catastrophic destruction,” with hackers wiping the servers and backups.

Some cyber attacks are so disastrous that there is no coming back from them. Email provider VFEmail feared that was the case on Monday, when it said a hacker had caused “catastrophic destruction” by destroying all data on its U.S. servers, as well as the backup systems.

On Monday morning, after VFEmail’s site, servers, and webmail client went down, VFEmail tweeted:

A few hours later, VFEmail said it caught a hacker trying to format a backup server:

VFEmail then tweeted, “I fear all US based data may be lost.” The unknown attacker had wiped all the disks on every server:

The hacker was out for blood — “just attack and destroy.”

In one fell swoop, an attacker had destroyed VFEmail’s “entire infrastructure.” As for the “scary part,” VFEmail owner Rick Romero tweeted:

On Monday, free users were advised to “not attempt to send email” because “there is currently no delivery for free accounts.” The incident page warned: “At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.”

VFEmail service has since been restored, and new mail is being delivered. Today, users were advised, “If you are unable to login, send yourself an email from another location. Receipt of an email creates your new mailbox.” The email provider is discussing possible data recovery options with an unnamed vendor.

As pointed out by Krebs on Security, this is far from the first time VFEmail has been the target of a deliberate attack. It was disrupted by DDoS attacks in 2015, 2017, and 2018; during the 2018 attack Romero tweeted, “After 17 years if I was planning to shut it down, it’d be shut down by me – not script kiddies.”

More cybersecurity news

Researchers devise method to hide malware in Intel systems so antivirus can’t get to it

While we’re on the topic of scary stuff, security researchers came up with a new technique for hiding malicious code from security software on systems with Intel processors: burying the malware inside the protected memory of an Intel SGX enclave, which software running outside the enclave, antivirus included, cannot inspect. In addition to a research paper (pdf), the researchers published proof-of-concept code; they report that their attack bypassed “ASLR, stack canaries, and address sanitizer” and that “the overall exploit process took only 20.8 seconds.”

Websites and companies hacked

Sixteen sites were hacked, and 617 million account records stolen from them were put up for sale on the dark web for less than $20,000 in bitcoin. According to The Register, the hacked sites were 500px, MyFitnessPal, Dubsmash, MyHeritage, Whitepages, Fotolog, ShareThis, HauteLook, 8fit, EyeEm, Artsy, Animoto, BookMate, Armor Games, CoffeeMeetsBagel, and DataCamp.

Speaking of hacked, Dunkin Donuts admitted (pdf) to suffering another credential stuffing attack, its second in a three-month period.

Also, Truluck’s Seafood, Steak & Crab House announced a compromise of payment card information after the FBI notified it of potential unauthorized access. Affected customers made purchases between November 21, 2018, and December 8, 2018, at the following locations: Houston (Downtown), Houston (The Woodlands), Dallas, Austin (Downtown), Austin (Arboretum), Naples, Southlake, and Chicago.

Apophis Squad hacker faces 11-count federal indictment

Remember in December when hundreds of schools and businesses received fake bomb threat emails? The Justice Department announced that the FBI had arrested a 20-year-old North Carolina man who is part of the hacking group Apophis Squad. Timothy Vaughn faces an 11-count federal indictment carrying a maximum sentence of 80 years in prison. The second defendant, the group’s 19-year-old alleged leader, was arrested in the U.K. last year and sentenced to three years in prison for making a bogus threat against an airliner.

You may remember when the Apophis Squad had bragged:

Amusing tweets from the week

  • “Beg bounty” – new term for the day
  • A true, yet funny comment by security expert Jeremiah Grossman in response to the question, “Without using the title of your job, tell me what you do.”

Copyright © 2019 IDG Communications, Inc.
