On Saturday, November 13, an email server hosting the LEEP (Law Enforcement Enterprise Portal) within the Federal Bureau of Investigation (FBI) was exploited by a miscreant who took advantage of a configuration error. The misconfiguration appears to have been within the LEEP registration process, where password data was embedded. The email server was not the primary email server supporting the FBI.
What is known is that the emails originated from the compromised LEEP email server, though they were not sent by the FBI. According to Bleeping Computer, the email was sent to approximately 100,000 addressees, whose addresses were scraped from the American Registry for Internet Numbers (ARIN) database.
A look at the English-language word choice within the text (see below) suggests the email was written by an individual for whom English may be a second language. Additionally, the heavy use of cybersecurity buzzwords reads as if it is designed to trigger keyword filters. The email should also have been caught by many spam filters as suspicious, albeit coming from a known and confirmed good address.
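The point about filtering deserves a concrete illustration: a message from a known-good, authenticated sender can still be scored on its content, and the jargon density and artificial deadline in the message above are exactly the kind of signals such scoring keys on. The following is an added example, not code from the original article or from any FBI or CISA system; the buzzword list, the trusted domain, the thresholds and both sample messages are constructed for illustration.

```python
"""
Heuristic content scoring for mail that passes sender checks but reads like the
buzzword-laden message discussed above. Added example; all lists, thresholds and
sample messages below are constructed, not taken from the incident.
"""
import re
from dataclasses import dataclass, field

# Constructed jargon list; a production filter would derive terms from its own mail corpus.
BUZZWORDS = (
    "intelligence monitoring", "exfiltration", "virtualized clusters", "chain attack",
    "advanced persistent threat", "threat actor", "fastflux", "global accelerators",
    "blackhole", "transit nodes", "extortion", "ids",
)
# Hypothetical allow-list of domains whose mail is normally accepted without challenge.
TRUSTED_DOMAINS = {"notifications.example.gov"}

DENSITY_THRESHOLD = 0.05   # fraction of words that belong to a jargon phrase
SUSPICIOUS_SCORE = 2.5     # total score at which a message is flagged


@dataclass
class Verdict:
    score: float
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_SCORE


def buzzword_density(body: str) -> float:
    """Share of words in the body covered by a jargon phrase (whole-word matches only)."""
    words = re.findall(r"[a-z]+", body.lower())
    if not words:
        return 0.0
    text = " ".join(words)
    hits = sum(len(re.findall(r"\b%s\b" % re.escape(term), text)) for term in BUZZWORDS)
    return hits / len(words)


def score_message(sender_domain: str, sender_authenticated: bool, body: str) -> Verdict:
    """Content-based scoring that a trusted, authenticated sender does not switch off."""
    verdict = Verdict(0.0)
    density = buzzword_density(body)
    if density >= DENSITY_THRESHOLD:
        verdict.score += 2.0
        verdict.reasons.append(f"jargon density {density:.2f}")
    # An imposed deadline ("within 4 hours") is a classic pressure tactic in hoax alerts.
    if re.search(r"\bwithin \d+ hours?\b", body, re.IGNORECASE):
        verdict.score += 1.0
        verdict.reasons.append("artificial deadline")
    if not sender_authenticated:
        verdict.score += 1.5
        verdict.reasons.append("sender failed authentication")
    elif sender_domain in TRUSTED_DOMAINS:
        # Deliberately no score reduction: a good address says who sent it, not what it says.
        verdict.reasons.append("trusted sender; content score still applies")
    return verdict


# Constructed samples in the style of the two message kinds; not the actual incident emails.
BENIGN = ("Scheduled maintenance: the portal will be unavailable on Sunday "
          "from 02:00 to 04:00 UTC. No action is required.")
JARGON = ("Our intelligence monitoring indicates exfiltration of your virtualized clusters "
          "in a sophisticated chain attack. The threat actor uses fastflux through global "
          "accelerators and we can not interfere within 4 hours.")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("jargon", JARGON)):
        result = score_message("notifications.example.gov", True, body)
        print(label, result.score, result.suspicious, result.reasons)
```

The design choice worth noting is in `score_message`: sender authentication only removes the spoofing penalty, never the content score, so a notification server that has been abused to send unusual content is still flagged by what the message says rather than waved through by who it came from.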
An example of the received email is provided by Kevin Beaumont via a Tweet.
“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however, there is a huge chance he will modify his attack with fastflux technologies, which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverload. We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research, we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe, U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group.”
The purpose of this effort has not yet been determined, but a few possible purposes come to mind.
- Discredit the individual named within the text (Vinny Troia is a prominent cybersecurity researcher).
- Scare recipients by telling them that their infrastructure may be in danger, causing operational cycles to be expended.
- Cause the recipient to respond to the email, which will invoke an automated response to call a help desk – thus potentially overwhelming the FBI help desk.
- Test run of an adversary’s CONOPS (Concept of Operations) and the reception of the email by the scraped email addressees.
- Embarrass the FBI for having its LEEP registration process poorly configured.
CISA Director Jen Easterly issued a statement via Twitter acknowledging that CISA was supporting the FBI in its investigation.
We’re aware of this incident and engaged with our @FBI teammates. As always, we stand ready to support as needed. https://t.co/PfDH2eujWF
— Jen Easterly🛡️ (@CISAJen) November 13, 2021
FSOs should share the FBI’s statement, issued on November 14, with possible recipients of the fake LEEP email; no further action is required.
“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on FBI’s network. Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”