Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/12/2019
04:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Devastating Cyberattack on Email Provider Destroys 18 Years of Data

All data belonging to US users-including backup copies-have been deleted in catastrophe, VFEmail says.

An unknown attacker appears to have deleted 18 years' worth of customer emails, along with all backup copies of the data, at email provider VFEmail.

A note on the firm's website Tuesday described the attack, first reported by KrebsOnSecurity, as causing "catastrophic destruction."

"This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can," the note read. VFEmail was established in 2001 and provides free and paid email services, including bulk email services in the US and elsewhere.

The attack, described in a series of tweets from the firm, seems to have occurred on Monday and had targeted all VFEmail's externally facing servers across data centers. Though the servers were running different operating systems and not all shared the same authentication, the attacker managed to access each one and reformat them all the same.

The firm apparently caught the perpetrator in the middle of formatting a VFEmail backup server hosted in the Netherlands. But by that time, the attacker had already managed to form all disks on every other VFEmail server. "Every VM is lost. Every file server is lost, every backup server is lost," according to one of the company's tweets.

The attacker sent no ransom notes and appears not to have made any attempt at contacting VFEmail. The motive seems to have been "just attack and destroy," the company said.

Restoration

An update posted late Monday afternoon said the firm had restored webmail and was once again delivering incoming mail to users of its paid services. Mailboxes were being created upon new mail delivery. "There is currently no delivery mechanism for free accounts," the update said.

The system used in the attack on the server hosted in the Netherlands had an IP address belonging to a service provider in Bulgaria. But besides that scrap of information, VFEmail did not appear to have any other information on the attacker or the attacker's motives.

Several security experts are viewing the attack as an example of the devastating consequences of not having a well thought-out strategy for secure data backup and recovery.

"This raises questions of what disaster recovery strategy was in place and why data wasn't backed up into cold storage, thus making it unavailable to attackers," said Fausto Oliveira, principal security architect at Acceptto. Companies with a strategy in place for dealing with such attacks should have been able to recover at least a substantial part of the deleted data, Oliveira said.

Chris Morales, head of security analytics at Vectra, said attacks that have such extreme consequences are rare and highlight the value of maintaining offline backups and archives of data.

"Offline backups might not give a full restore to the exact date data was lost, but it would prevent the complete loss of all historical user data," he said. Many organizations have begun using offline backups to counter potential loss from ransomware, he noted.

Such attacks also highlight the need for proper authorization controls for access to critical data, says Balaji Parimi, CEO at CloudKnox Security, told Dark Reading. "Just having a backup and disaster recovery plan is not sufficient," he says.

Organizations should also take care to avoid providing a single identity with complete administrative privileges on both primary and backup data, or having the ability to wipe data from multiple servers, he says. "Proper authorization controls need to be in place to mitigate these types of risks and reduce the blast radius," Parimi says.

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/13/2019 | 12:45:39 PM
Another obvious error
OFFSITE BACKUPS?  Wow, what a concept.  I am disgusted actually, a firm should always have an offsite storage bin (often cloud these days which is a bad choice).  What if the building burns down?  Flood?  Bad storm?  Any event that destroys the primary campus and some data centers should have duplicate data centers as redundancy elements.  (Delta in Atlanta for example).  i know from personal experience how offsite is.  Aon Consutling had our backup tapes go offiste one Monday morning in September, 2001.  Aon Risk services did not have that offsite removal on that day.  Steven Poulos of Risk Services was leaving the building but, well, went back up to the 103rd floor of the south tower of the World Trade Center to retrive them.  He did not make it out.  

 

Offsite - very important indeed.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-9561
PUBLISHED: 2019-06-19
In llcp_util_parse_connect of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-7.0 Android-7...
CVE-2018-9563
PUBLISHED: 2019-06-19
In llcp_util_parse_cc of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-7.0 Android-7.1.1 ...
CVE-2018-9564
PUBLISHED: 2019-06-19
In llcp_util_parse_link_params of llcp_util.cc, there is a possible out-of-bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-7.0 Andro...
CVE-2019-2003
PUBLISHED: 2019-06-19
In addLinks of Linkify.java, there is a possible phishing vector due to an unusual root cause. This could lead to remote code execution or misdirection of clicks with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-7.0 Android-...
CVE-2019-2017
PUBLISHED: 2019-06-19
In rw_t2t_handle_tlv_detect_rsp of rw_t2t_ndef.cc, there is a possible out-of-bound write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-7.0 ...