You should always vet any federal contacts outside of established channels with 
your FBI liaison before responding.

Aaron

> On Nov 13, 2021, at 10:34 AM, Glenn McGurrin via Outages 
> <outages@outages.org> wrote:
> 
> Not quite an outage, more a hack, but I thought it relevant.  As always, 
> replies to -discussion unless someone sees an official statement from the FBI 
> or other government agencies (I have not seen one yet).
> 
> I had a bit of an odd one this morning: I received two emails, through 
> contacts listed in whois, with the subject "Urgent: Threat actor in systems" from 
> "e...@ic.fbi.gov".  I was all set to ignore them as an odd bit of spam but 
> did a quick check on the headers and was surprised to see it had valid DKIM 
> and SPF and was from an actual FBI IP; cue real worry starting (as odd and 
> off as the email content was, it's a lot more real when suddenly it's either 
> legit or the FBI got hacked to send the email).  Luckily (for some definition 
> of lucky) it looks like it was a case of something being hacked on the FBI's 
> end, as when I called they immediately knew what I was calling about and said they 
> had dealt with the compromised equipment.  Further googling after that call 
> shows a few more reports of this, e.g. 
> https://twitter.com/spamhaus/status/1459450061696417792 and 
> https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966
> but I figured I'd mention it here so others don't get caught quite as off 
> guard.
> 
> The best guess I can come up with is that it's an attempt to ruin the name of the 
> person mentioned in the email and/or promote the name of the mentioned gang.  The 
> specifics seem off for trying to get someone swatted, given that if you thought 
> this was real, what local agency would want to storm a federal operation with 
> SWAT agents, and if you thought this was all fake, then you wouldn't go 
> either.  That, or to create FUD for any other warnings issued and distract from 
> something else going on.
> 
> 
> Full body of the email:
> 
> Our intelligence monitoring indicates exfiltration of several of your 
> virtualized clusters in a sophisticated chain attack. We tried to blackhole 
> the transit nodes used by this advanced persistent threat actor, however 
> there is a huge chance he will modify his attack with fastflux technologies, 
> which he proxies trough multiple global accelerators. We identified the 
> threat actor to be Vinny Troia, whom is believed to be affiliated with the 
> extortion gang TheDarkOverlord, We highly recommend you to check your systems 
> and IDS monitoring. Beware this threat actor is currently working under 
> inspection of the NCCIC, as we are dependent on some of his intelligence 
> research we can not interfere physically within 4 hours, which could be 
> enough time to cause severe damage to your infrastructure.
> Stay safe,
> U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | 
> Network Analysis Group
> _______________________________________________
> Outages mailing list
> Outages@outages.org
> https://puck.nether.net/mailman/listinfo/outages

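A header check of the kind Glenn describes, written here as an added example that is not part of the list thread: it pulls the DKIM/SPF results and the connecting IP out of a constructed message and keeps "authenticated as that domain's mail system" separate from "legitimate request", which is the distinction this incident turns on. The sample headers, host names, selector and 192.0.2.10 are constructed placeholders, not real FBI values.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample modelled on the thread: DKIM and SPF pass for ic.fbi.gov and the
# mail arrives from that domain's own mail system. Local part, selector, host name
# and 192.0.2.10 are placeholders, not real FBI values.
RAW_MESSAGE = b"""\
Authentication-Results: mx.example.net;
 dkim=pass header.d=ic.fbi.gov header.s=selector-placeholder;
 spf=pass smtp.mailfrom=ic.fbi.gov
Received: from mail-placeholder.ic.fbi.gov (mail-placeholder.ic.fbi.gov [192.0.2.10])
 by mx.example.net with ESMTPS; Sat, 13 Nov 2021 08:00:00 +0000
From: sender-placeholder@ic.fbi.gov
Subject: Urgent: Threat actor in systems

(body omitted)
"""

def parse_auth_results(msg):
    """Map each method (dkim, spf) to (result, domain it vouches for)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        text = " ".join(str(hdr).split())          # unfold continuation lines
        for clause in text.split(";")[1:]:         # clause 0 is the authserv-id
            m = re.match(r"\s*(dkim|spf)=(\w+)", clause)
            d = re.search(r"(?:header\.d|smtp\.mailfrom)=(?:[^@\s]+@)?([\w.-]+)", clause)
            if m:
                results[m.group(1)] = (m.group(2).lower(), d.group(1).lower() if d else None)
    return results

def connecting_ip(msg):
    """IP our own MX recorded in the topmost Received header (the only one we can trust)."""
    received = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0])) if received else None
    return m.group(1) if m else None

def assess(raw):
    """Separate 'which mail system sent this' from 'is the request legitimate'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    fd = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    # Aligned passes prove the mail left the From domain's own mail system (the case in
    # the thread); they say nothing about whether anyone authorized the content.
    aligned = bool(auth) and all(r == "pass" and d == fd for r, d in auth.values())
    verdict = ("sent via %s infrastructure; confirm through an established contact "
               "before acting" % fd) if aligned else "not authenticated as From domain"
    return {"from_domain": fd, "dkim": auth.get("dkim"), "spf": auth.get("spf"),
            "connecting_ip": connecting_ip(msg), "authenticated_as_domain": aligned,
            "verdict": verdict}
```

Run `assess(RAW_MESSAGE)` to see the sample classified as authenticated-but-unverified; swapping `header.d` for another domain in the sample flips the alignment check to spoofed.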
