Hacker Erases Email Provider's Servers, Backups

Email provider VFEmail was hit by a destructive attack, where a hacker who accessed its network was able to erase its servers in the United States, including the backup systems. 

“We have suffered catastrophic destruction at the hands of a hacker. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can,” the company writes on its website. 

Established in 2001, the company provides email services and claims to provide increased email security through scanning all incoming messages and attachments for viruses and blocking malicious content via a gateway, before reaching its servers.

However, this incident shows that user data was not protected with appropriate measures.

On Monday, the email provider announced that its external-facing systems in multiple datacenters were down after a hacker “last seen as [email protected]” started formatting the servers. Based on the IP address, the hacker appears to have been operating out of Bulgaria, but could have been working from anywhere via a VPN.

The company says it might have lost all user data stored on the affected servers. “I fear all US based data may be lost,” a tweet posted yesterday reads. 

The company recommends that users do not attempt to reconnect their email clients, as all local email will be lost: following the incident all mailboxes are empty, so a client that synchronizes with them would discard any messages still held locally.

“At this time, the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost,” VFEmail said on Twitter. 

The company’s servers in the Netherlands, which were fully hosted by a third-party provider and held a vastly smaller dataset, survived the attack because the provider’s own backups remained intact. This allowed the email provider to restore its service there.

The hacker was able to destroy all virtual machines despite the fact that not all of them shared the same authentication, the company revealed. 

“This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail said. 

The attack was discovered and stopped while the perpetrator was formatting one of the servers, but the company is uncertain whether that specific server is recoverable. At the moment, however, it looks as if most of the company’s infrastructure is lost.

As Terence Jackson, Chief Information Security Officer at Thycotic, pointed out to SecurityWeek in an emailed comment, this might have been either a brute force attack or the result of credential stuffing. To avoid such disasters, production and backup data should never be stored together, and both online and offline backups should be kept, he says.

“This type of attack highlights the importance of having, updating and testing your Disaster Recovery/Business Continuity plans often and using a Privileged Access Management solution. The about page on the site shows a network diagram that does include an offsite backup server attached to the public internet. At this point, I believe we have more questions than answers,” Jackson said.

“This kind of destructive attack, with no stated motive or demands, is quite rare. An organization losing all of their data, and all of their customer data, is a nightmare scenario that could easily put a small company out of business and cause a huge financial impact on a large enterprise. Sony suffered this type of catastrophic destruction in 2014, which was attributed to North Korea,” Chris Morales, head of security analytics at Vectra, told SecurityWeek.

“The first thought that comes to mind is this is a service being sold as a secure email. The second is that if this is secure email then where are the offline backups and archives? Offline backups might not give a full restore to the exact date data was lost, but it would prevent the complete loss of all historical user data. Offline backup is the same strategy organizations are using to counter loss from ransomware,” Morales continued.

“The fact that attackers were able to access and erase all the information demonstrates that the systems were not protected in an effective way. Critical systems, such as these that host customer data, must be protected with enhanced security and all operations must be protected using intelligent Multi-Factor Authentication solutions. If those controls were in place, an operation that deviates from trusted behavior would have raised the friction towards the attackers and provided immutable logs showing that the attack was in progress, allowing VFEmail to react quickly and potentially stop the breach before data was destroyed,” Fausto Oliveira, Principal Security Architect at Acceptto, told SecurityWeek.

Original author: Ionut Arghire