On Saturday, November 13, an email server hosting the LEEP (Law Enforcement Enterprise Portal) within the Federal Bureau of Investigation (FBI) was abused by a miscreant who exploited a configuration error. The misconfiguration appears to have been within the LEEP registration process, where password data was embedded. The affected server was not the FBI's primary email server.

What is known is that the emails originated from the compromised LEEP email server, though they were not sent by the FBI. According to Bleeping Computer, the email was sent to approximately 100,000 addressees, whose email addresses were scraped from the American Registry for Internet Numbers (ARIN) database.

A look at the English-language word choice within the text (see below) suggests the email was written by an individual for whom English may be a second language. Additionally, the heavy use of cybersecurity buzzwords reads as if it were designed to trigger keyword filters. The email should also have been caught by many spam filters as suspicious, albeit one arriving from a known and confirmed good address.

An example of the received email is provided by Kevin Beaumont via a Tweet.

“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however, there is a huge chance he will modify his attack with fastflux technologies, which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverload. We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research, we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe, U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group.”
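As an added example, not part of the article and not the FBI's or any vendor's code, the content checks a mail filter could apply to a message like the one above independently of sender reputation: buzzword density and a mismatch between the agency named in the sign-off and the domain that actually sent it. The domains, the Authentication-Results header and the agency-to-domain table are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the incident: SPF/DKIM pass for the sending
# domain (hypothetical fbi.example) while the body signs off as another agency.
SAMPLE_RAW = """\
From: LEEP Notifications <noreply@fbi.example>
Subject: Urgent: Threat actor in systems
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=fbi.example; dkim=pass header.d=fbi.example

Our intelligence monitoring indicates exfiltration of several of your
virtualized clusters in a sophisticated chain attack. We tried to blackhole
the transit nodes used by this advanced persistent threat actor. We highly
recommend you to check your systems and IDS monitoring.
Stay safe, U.S. Department of Homeland Security | Cyber Threat Detection
"""
# Lower-case phrases (may be multi-word) whose density is out of line with routine notices.
BUZZWORDS = {"exfiltration", "sophisticated", "chain attack", "blackhole", "intelligence",
             "advanced persistent threat", "fastflux", "global accelerators", "ids monitoring"}
# Hypothetical table: agency name as written in a sign-off -> domains that send for it.
AGENCY_DOMAINS = {"department of homeland security": {"dhs.example"},
                  "federal bureau of investigation": {"fbi.example"}}

def auth_passed(msg) -> bool:
    """True when the receiving MX recorded spf=pass and dkim=pass."""
    results = msg.get("Authentication-Results", "")
    return "spf=pass" in results and "dkim=pass" in results

def buzzword_density(body: str) -> float:
    """Share of body words covered by buzzword phrases (0.0 to 1.0)."""
    text = body.lower()
    words = re.findall(r"[a-z]+", text)
    hits = sum(text.count(p) * len(p.split()) for p in BUZZWORDS)
    return hits / max(len(words), 1)

def signature_mismatch(msg, body: str) -> bool:
    """True when the agency named in the sign-off is not served by the sender's domain."""
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    lowered = body.lower()
    return any(agency in lowered and sender_domain not in domains
               for agency, domains in AGENCY_DOMAINS.items())

def assess(raw: str, density_threshold: float = 0.15) -> dict:
    """Passing SPF/DKIM must not clear a message whose content is inconsistent."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    density, mismatch = buzzword_density(body), signature_mismatch(msg, body)
    return {"auth_passed": auth_passed(msg), "buzzword_density": round(density, 3),
            "signature_mismatch": mismatch, "suspicious": mismatch or density >= density_threshold}
```

On the sample, authentication passes yet the message is flagged on both content checks, which is the situation a filter faced with mail from a legitimately compromised server must handle.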

The purpose of this effort has not yet been determined, but a few possibilities come to mind.

  • Discredit the individual named within the text (Vinny Troia is a prominent cybersecurity researcher).
  • Scare recipients by telling them their infrastructure may be in danger, causing operational cycles to be expended.
  • Cause recipients to respond to the email, which invokes an automated response directing them to call a help desk – thus potentially overwhelming the FBI help desk.
  • Test-run an adversary’s CONOPS (Concept of Operations) and gauge the reception of the email by the scraped addressees.
  • Embarrass the FBI over having a poorly configured LEEP registration process.

CISA Director Jen Easterly issued a statement via Twitter acknowledging that CISA was supporting the FBI in its investigation.

FSOs should share the FBI’s statement, issued on November 14, with possible recipients of the fake LEEP email; no further action is required.

“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on FBI’s network. Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”


Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.