Nobody is safe: even the FBI victim of a cyber attack

Some would call it a showdown, but the fact remains that someone managed it: the systems of the supposedly inviolable FBI were also the victim of a cyber attack. According to reports published a few days ago by cybersecurity expert Brian Krebs, the Federal Bureau of Investigation (FBI) saw its domain name and internet address used to send bogus emails. The FBI confirmed the news on Saturday 13 November, stating that the offending server had immediately been disconnected from the network.

The attack on the FBI

Let us try to reconstruct what happened and understand the origins of such an epochal breach. Late in the evening of Friday, November 12, thousands of emails were sent from eims@ic.fbi.gov, an address registered in the FBI government domain. The emails contained misleading information about an alleged cyber attack that recipients were urged to protect against, presented in an entirely legitimate-looking context, and were first spotted by The Spamhaus Project, a non-profit organization that tracks spammers.


Looking in detail at the message header, the From field of the email genuinely contained the address of the government agency's server, which made it look legitimate. In the meantime, KrebsOnSecurity also received a similar email in which it was asked to verify the veracity of the attack by Pompompurin, the handle of the user behind it.

In this way, Pompompurin wanted to demonstrate the vulnerability of the American agency's information systems, exploiting them for his own ends and showing off his skills. Whatever the motive, the bug was indeed there and it was colossal.

A huge vulnerability at one of the FBI sites

One of the sites made available in the fbi.gov government domain is the Law Enforcement Enterprise Portal (LEEP), used by investigators and intelligence agencies to share information internally. To access this portal, as is usual, you go through a registration process using forms in which you enter your details. At the end of the procedure, a confirmation e-mail containing a single-use code is sent to the user who is registering, so that they can complete the process and authenticate themselves.

Here comes the most interesting part. The single-use code is generated at runtime on the client side and, at the same time, the browser generates a request to the web server. That request triggers the confirmation e-mail and contains all the fields needed to compose the e-mail message. In other words, the management of user confirmation is left entirely to code executing in the client's browser.


The attacker was therefore able to modify the POST sent to the server by supplying custom Subject and Body fields. Finally, with a script it was possible to automate the process, sending thousands of e-mails from an FBI domain.

The FBI's reply to the cyber attack

On Sunday, November 14, a further note arrived from the FBI, in which it assured that the server was used only to send LEEP notifications and was not part of the internal email network. In addition, the FBI specified that there was no unauthorized access to internal systems or sensitive information.

The bug was promptly corrected, but the attack clearly says something about how attentive sensitive targets at the national level really are. And the trend of attacks continues to grow in recent times, not only where phishing is concerned. Furthermore, the lack of attention to security seems increasingly evident, and security continues to be seen as a cost rather than an investment.

The article Nobody is safe: even the FBI victim of a cyber attack originally appeared on Tech CuE | Close-up Engineering.