On the evening of November 13, 2021, the FBI and CISA responded to multiple reports regarding messages sent from the FBI’s email infrastructure, which falsely warn users about a cyber attack. Their brief statement noted that the law enforcement agencies are aware of the incident, and that impacted systems were taken offline for remediation.
The FBI and CISA recommended that users exercise caution with emails from unknown senders and report any suspicious activity to ic3.gov or CISA.gov. Barracuda MSP is also aware of this ongoing situation and has added all relevant Indicators of Compromise to our threat intelligence so that SKOUT Log and Network Security Monitoring can detect this activity.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Due to a vulnerability in the FBI and Department of Homeland Security’s Law Enforcement Enterprise Portal (LEEP), which serves as a secure platform to share information with other criminal justice organizations, threat actors were able to send two waves of false emails late at night on November 12 to tens of thousands of users.
In the early hours of November 13, threat intelligence professionals confirmed that the perpetrators sent thousands of emails from the FBI and Department of Homeland Security’s LEEP portal and email infrastructure. However, they also confirmed that these warnings were fake, and targeted email addresses that were scraped from the American Registry for Internet Numbers (ARIN) database.
According to reports, a one-time passcode designed to validate LEEP applicants was embedded in the HTML code of the FBI’s website and allowed threat actors to send their emails from the FBI’s communication systems.
WHY IS IT NOTEWORTHY?
These hoax emails are the result of a serious abuse of the FBI’s code. Because the emails originated from a legitimate FBI URL associated with the FBI’s Criminal Justice Information Services (ic.fbi.gov), the threat actors created a lot of panic and confusion, as recipients realized that these emails were really coming from FBI infrastructure.
WHAT IS THE EXPOSURE OR RISK?
Threat actors were able to send their hoax email to tens of thousands of users (including many Managed Service Providers) from the ARIN database. While the cyber criminals responsible did not attempt to trick recipients into providing sensitive information, this poses a serious risk and indicates that similar compromises could create equally widespread exposure and untold damage for organizations that believed these messages were legitimate.
WHAT ARE THE RECOMMENDATIONS?
Currently, the FBI and CISA is encouraging the public to exercise caution with unknown senders and to report suspicious activities to them at ic3.gov or CISA.gov.
Please also note that Barracuda MSP has added all relevant IOCs to its threat intelligence and has implemented custom rules into SKOUT Log and Network Security Monitoring to detect suspicious activity.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.