A US-based Email Provider Suffers a Catastrophic Breach

By Kevin Jay on March 8, 2019

Cloud-based email provider VFEmail has suffered a major cyber-attack in which an intruder who gained access to its network erased the company’s primary and backup data in the United States.

Key Details

  • On February 11, 2019, an attacker breached the servers of the email service VFEmail.net and wiped the data from all of its US servers, destroying every US customer’s stored mail.
  • VFEmail later issued an alert via its website and social media warning, “At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.” (VFEmail).
  • In an update, VFEmail owner Rick Romero wrote that it was unknown who was behind the destructive attack or how it was carried out.
  • There was no indication that the attacker had contacted the site with a ransom or any other demand before the attack, which suggests the goal was simply to wipe the webmail service out.
  • On the company’s website Romero noted that the attacker’s activity traced back to the IP address 94.155.49.9 and the username “aktv”; the address appeared to belong to a virtual machine hosted in Bulgaria.

Supporting details

  • “Romero believes the malicious actor behind the above-mentioned IP address most likely used a virtual machine and multiple means of access onto the VFEmail infrastructure to carry out the attack, and as a result, no method of protection, such as 2-factor authentication, would have protected VFEmail from the intrusion” (The Hacker News).
  • VFEmail tweeted: “Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”
  • On February 20, VFEmail reported that data up to August 2016 had been recovered and that the service would not be shutting down.
  • This was not the company’s first time under attack. In 2015 it suffered a debilitating DDoS attack after a ransom went unpaid, and in 2017 another series of DDoS attacks forced VFEmail to find a new hosting provider (SC Media).

Significance

This attack matters for the growing number of businesses moving their email from servers in their own offices to a third-party cloud provider, whether a large one such as Microsoft Office 365 or Google G Suite, or a smaller one such as Cox or VFEmail. Providers of every size keep backups so that an attack or a server failure can be recovered from. A backup is only useful, however, if it survives the same incident as the primary data: at VFEmail the intruder reached the file servers and the backup servers through the same infrastructure and destroyed both, and a provider whose data is wiped in this way generally accepts no liability for what its customers lost. The lesson for customers is to keep their own regular backups of hosted data, so that a provider-side attack or disaster does not become a total loss. That is what a disaster recovery plan is for: it defines the measures and backup options that allow a system to be restored to a known state, and it is the basis for any confidence in the integrity and availability of that system.

Best Practice Takeaways from this incident

  1. Develop a disaster recovery plan and test it by actually restoring from backup.
  2. Do not keep production and backup data on the same infrastructure or behind the same credentials.
  3. Keep both online and offline (or otherwise immutable) copies of your backups.
  4. Use a privileged access management (PAM) solution to rotate passwords and SSH keys automatically.
  5. Make patch management a priority.
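The first three takeaways are the ones the VFEmail incident illustrates most directly, and they are easy to state but rarely tested. The script below is an added example written for this page, not VFEmail’s own tooling or anything described in the sources: it writes a write-once backup with a per-file SHA-256 manifest, proves the backup restores cleanly into a scratch directory, and picks the newest copy that still restores when the latest one has been destroyed. The directory layout, the `backup-<timestamp>-<nn>.tar` naming and the choice of tar and sha256sum are the example’s own assumptions; it needs a POSIX shell with tar, sha256sum, find and mktemp.

```shell
#!/bin/sh
# Added example for this page, not VFEmail's tooling: write-once backups with
# a per-file manifest, a restore test, and selection of the newest backup that
# still restores. Layout and the backup-<timestamp>-<nn>.tar naming are
# assumptions of this example. Needs POSIX sh, tar, sha256sum, find, mktemp.
set -eu

# make_backup SRC DEST: archive the tree at SRC into DEST, print the archive path.
make_backup() {
    src=$1; dest=$2
    mkdir -p "$dest"
    ts=$(date -u +%Y%m%dT%H%M%SZ); n=0
    archive=$(printf '%s/backup-%s-%02d.tar' "$dest" "$ts" "$n")
    while [ -e "$archive" ]; do            # never overwrite an earlier backup
        n=$((n + 1)); archive=$(printf '%s/backup-%s-%02d.tar' "$dest" "$ts" "$n")
    done
    # Per-file digests are taken from the live tree and kept beside the archive,
    # so a truncated or tampered archive cannot "verify itself" later.
    (cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) \
        > "$archive.sha256"
    if ! [ -s "$archive.sha256" ]; then     # a backup of nothing is a silent failure
        echo "make_backup: no files under $src, refusing to write an empty backup" >&2
        rm -f "$archive.sha256"; return 1
    fi
    tar -C "$src" -cf "$archive" .
    sha256sum "$archive" | cut -d ' ' -f 1 > "$archive.archive.sha256"
    # Write-once for routine jobs. This does not stop an intruder who holds the
    # backup host's credentials; that needs an offline or storage-locked copy.
    chmod 0444 "$archive" "$archive.sha256" "$archive.archive.sha256"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: restore into a scratch directory and check every file
# against the manifest. Succeeds only if the restore is actually usable.
verify_backup() {
    archive=$1
    dir=$(cd "$(dirname "$archive")" && pwd)
    manifest="$dir/$(basename "$archive").sha256"
    expected=$(cat "$archive.archive.sha256" 2>/dev/null || echo missing)
    actual=$(sha256sum "$archive" 2>/dev/null | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ] || return 1                  # damaged or truncated
    work=$(mktemp -d); rc=0
    tar -C "$work" -xf "$archive" 2>/dev/null || rc=1        # does not extract
    if [ "$rc" -eq 0 ]; then
        # content differs from the manifest, or files are missing after restore
        (cd "$work" && sha256sum -c "$manifest" >/dev/null 2>&1) || rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

# newest_verified_backup DEST: print the most recent archive that passes
# verify_backup, skipping damaged ones. This is the question a recovery team
# faces after a wipe: the newest copy is worthless if it does not restore.
newest_verified_backup() {
    dest=$1
    # Archive names are sortable timestamps without spaces, so reverse sort works.
    for a in $(ls -1r "$dest"/backup-*.tar 2>/dev/null); do
        if verify_backup "$a"; then printf '%s\n' "$a"; return 0; fi
    done
    return 1
}

# Demo on constructed data: two backups, the newer one destroyed, and the
# recovery logic falling back to the older intact copy.
demo() {
    src=$(mktemp -d); dest=$(mktemp -d)
    printf 'Subject: first\n' > "$src/mail1.eml"
    make_backup "$src" "$dest" >/dev/null
    printf 'Subject: second\n' > "$src/mail2.eml"
    newest=$(make_backup "$src" "$dest")
    chmod u+w "$newest"; printf 'garbage' >> "$newest"      # simulate the attacker
    echo "restore from: $(newest_verified_backup "$dest")"
    rm -rf "$src" "$dest"
}

demo
```

Run it as-is to see the demo on constructed data. The `chmod 0444` only keeps routine jobs from overwriting a backup set; an intruder holding the backup host’s credentials can still delete it, which is the point of takeaway 3: at least one copy has to live where the production credentials cannot reach, on offline media or on storage with an immutability lock.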

Sources

VFEmail. “VFEmail Incident Page.” 11 Feb 2019.

Info Security. “VFEmail Suffers Catastrophic Attack, All Data Lost.” 12 Feb 2019.

Ars Technica. “‘Catastrophic’ hack on email provider destroys almost two decades of data.” 12 Feb 2019.

Threat Post. “Attackers Completely Destroy VFEmail’s Secure Mail Infrastructure.” 12 Feb 2019.

The Hacker News. “Hackers Destroyed VFEmail Service.” 13 Feb 2019.

ZDNet. “Hackers wipe US servers of email provider VFEmail.” 12 Feb 2019.