Misconfiguration in the FBI's LEEP platform permits a hacker to distribute bogus alerts.
Messages that looked as if they were from the FBI early Saturday morning came from Bureau servers, specifically from the Law Enforcement Enterprise Portal (LEEP), a platform used to communicate with the FBI's partners in state and local law enforcement, but were in fact sent by hackers, not the FBI. The Bureau issued a terse, preliminary statement later Saturday, updated on Sunday:
"The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."
Twitter threads (from SpamHaus and Kevin Beaumont) provided an interesting early account as the emails appeared. The emails originated from FBI servers: their headers show an origin verified by the Domain Keys Identified Mail (DKIM) system. SpamHaus reproduced the headers: "Sending IP: 18.104.22.168 (http://mx-east-ic.fbi.gov)" "From: firstname.lastname@example.org" and "Subject: Urgent: Threat actor in systems." The bogus warning posted by the hackers read as follows:
"Our intelligence monitoring indicated exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fast flux technologies which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe."
And it's signed "U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group."
KrebsOnSecurity calls out poor coding on the FBI's Criminal Justice Information Services portal, a service used for sharing law enforcement information. The hacker who counted coup (nom de hack Pompompurin) told KrebsOnSecurity that he did what he did to show up poor security practices at the FBI, and indeed the Bureau has some digital egg on its virtual face.
There's also a gratuitous (and facially ridiculous) shot at Vinny Troia (founder of security firms NightLion and Shadowbyte) asserting that he's a known associate of the DarkOverlord criminal actor. (NightLion published an account of the DarkOverlord and the ShinyHunters back in January.) BleepingComputer points out that Troia has long been the object of taunts and defamation from some of the lulzsters over at RaidForums. They typically warn Mr. Troia when they're about to mess with him, and they did so this time as well. Troia retweeted their message: "@vinnytroia you're about to get lit up today.... Spam attack involving your name."
Pompompurin has also been offering to sell data leaked from Robinhood.
Not content with goofing on the FBI (and other actual grown-ups like security researcher Troia), hacker Pompompurin is offering the low-grade content of the Robinhood stock-trading platform for sale, SecurityWeek reports. The big, five-million figure quoted is for the most part simply user emails; about 310 had more data stolen, but even theirs fell short of fullz, including as they did name, date of birth, and zip code. It's not clear whether Pompompurin has the goods ("inconclusive," SecurityWeek's sources say), nor is it clear how valuable those goods would be in any case.