Email provider VFEmail suffers ‘catastrophic’ cyber attack

VFEmail.net, a US-based email provider, suffered a ‘catastrophic destruction’ in a single cyberattack.
14 February 2019

How secure is your email provider? Source: Shutterstock

“We have suffered a catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9. The person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.”

That was the chilling message on the vfemail.net website as of its last update, on 11 February.

Founded in 2001, the company has essentially lost 18 years’ worth of email data in one fell swoop. Apparently, the hacker formatted all the disks on every server.

VFEmail’s founder, Rick Romero, took to Twitter to announce that the service is “effectively gone”.

It seems the company caught the hacker as they were in the process of formatting the backup server but could not respond fast enough.

According to the Computer Business Review, the data wipe was so extreme that both paid and free accounts no longer have existing mailboxes.

Even the delivery mechanism that enabled free account holders to send mail no longer exists, so the entire functionality has essentially disappeared.

The company said no demands were made prior to the attack. Back in 2015, Romero detailed extortion attempts from Armada Collective in a blog post.

“Strangely, not all virtual machines [VMs] shared the same authentication, but all were destroyed. This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy,” VFEmail wrote to the publication.

Romero was quick to point out that the mail hosts, VM hosts, SQL server clusters and hosted VMs all had unique passwords, but the hacker managed to obtain all of them and proceeded to destroy the entire infrastructure.

According to Ars Technica, the IP address that was linked to the hacker had ties to Daticum and Coolbox hosting services, both in Bulgaria.

Romero tweeted that the IP address is a VM host and that it could have been a launch pad to reformat an SQL cluster and hit off-site NL hosted VMs at the same time.

He said the hacker used multiple means to access the VFEmail infrastructure, and that even two-factor authentication (2FA) may not have been enough to thwart the attack.

“2FA only works if the access method was via authentication, as opposed to exploit,” he explained. “At least 3 different methods had to be used to get into everything.”

Romero told CNET that some VFEmail users who did not want their email stored in the US had it stored on servers in the Netherlands, but that data was also destroyed.

Interestingly, the provider’s backup there was intact, so the data in the Netherlands was restored, but Romero was quick to point out that it is nowhere near a full restore.

Balaji Parimi, CEO of CloudKnox Security, talking to InfoSecurity Magazine, said, “enterprises need to do a better job of mitigating the threat of over-privileged identities”.

“It begins with gaining an understanding of which identities have access to the types of privileges that can destroy their business and limiting those privileges to properly trained, security-conscious personnel,” he added.

One could say that attacks like this also raise questions about a company’s disaster recovery plans and how it goes about not just securing, but securely backing up its customers’ data in the case of a breach.