Scot's Newsletter Forums
securitybreach

Hackers wipe US servers of email provider VFEmail

Holy crap:

[quote]
"Hackers have breached the servers of email provider VFEmail and wiped the data from all its US servers, destroying all US customers' data in the process. The attack took place yesterday, February 11, and was detected after the company's site and webmail client went down without notice.

"At this time, the attacker has formatted all the disks on every server," the company said yesterday. "Every VM is lost. Every file server is lost, every backup server is lost." "This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy," VFEmail said." ...

[img]https://i.imgur.com/ZQ67LU2.png[/img]

It is rare that hackers take steps to wipe out an entire company's data. Most attacks usually end up with hackers using compromised servers for other attacks (like running botnets or hosting malware), or with hackers asking for a ransom payment from hacked victim[/quote]

[url="https://www.zdnet.com/article/hackers-wipe-us-servers-of-email-provider-vfemail/"]https://www.zdnet.co...ovider-vfemail/[/url]

I have a feeling that this was state sponsored due to the fact that they didn't ask for any ransom. Only a script kiddie would do that, and it was something that would probably take a team to accomplish. No one would do this without wanting a payout of some sort. Then again, someone could have used their servers for something malicious and then deleted their tracks. Who knows...

VFEmail? Never heard of it.

That would get really ugly if they did that with a popular email provider like Gmail or Yahoo or an ISP mail like AOL/Verizon. :(

[quote]Founded in 2001 and based in Milwaukee, Wisc., VFEmail provides email service to businesses and end users.[/quote]
Source: https://krebsonsecurity.com/2019/02/email-provider-vfemail-suffers-catastrophic-hack/

Looks like they tried to wipe more.
[quote]Two hours later, VFEmail tweeted that it had caught a hacker in the act of formatting one of the company’s mail servers in The Netherlands.[/quote]

[quote name='V.T. Eric Layton' timestamp='1550061108' post='458707']
VFEmail? Never heard of it.

That would get really ugly if they did that with a popular email provider like Gmail or Yahoo or an ISP mail like AOL/Verizon. :(
[/quote]
[quote name='securitybreach' timestamp='1550061280' post='458708']
[quote name='V.T. Eric Layton' timestamp='1550061108' post='458707']
VFEmail? Never heard of it.[/quote]

Yeah, me neither :ermm:
[/quote]
That's what was good about it. It was a decent email provider, and most hackers hadn't ever heard of it.

I used to use it as my main/default, but eventually the spammers discovered it, and some ISPs would occasionally block it.
Looks like the spammers did me a favor; I got a new default in 2014.

They gave us a new POP server. It appears to work.
Webmail is working but it's apparently a new mailbox.
Instructions are on their incident page [url="https://www.vfemail.net/incident.php"]https://www.vfemail.net/incident.php[/url]
If you use IMAP, read the instructions before you do anything.

I already told people not to use my VFEmail address. I think I'll leave it that way for now. Edited by Pete!

The VF in VFEmail stood for "virus free". "Back in the day" they were one of the only ones advertising free email with virus scanning.

They also provided a non-standard SMTP port at a time when most ISPs blocked port 25. That was a good feature back in the days of 'free dial-up' when people were constantly changing ISPs, or using more than one ISP to get around time limits some of them imposed.

[quote name='Pete!' timestamp='1550097758' post='458728']
The VF in VFEmail stood for "virus free". "Back in the day" they were one of the only ones advertising free email with virus scanning.

They also provided a non-standard SMTP port at a time when most ISPs blocked port 25. That was a good feature back in the days of 'free dial-up' when people were constantly changing ISPs, or using more than one ISP to get around time limits some of them imposed.
[/quote]

I was around and on computers back then, but I generally used CompuServe or Prodigy and then EarthLink later on.

[quote name='zlim' timestamp='1550066976' post='458710']
[quote]Founded in 2001 and based in Milwaukee, Wisc., VFEmail provides email service to businesses and end users.[/quote]
Source: [url="https://krebsonsecurity.com/2019/02/email-provider-vfemail-suffers-catastrophic-hack/"]https://krebsonsecur...astrophic-hack/[/url]

Looks like they tried to wipe more.
[quote]Two hours later, VFEmail tweeted that it had caught a hacker in the act of formatting one of the company’s mail servers in The Netherlands.[/quote]
[/quote]

The Krebs article was fascinating. Thanks, Liz! I read the comments all the way to the end. My reaction: the commenter who suggested someone was trying to eliminate evidence may have nailed it. A lot of that going on in recent years. But the usual problem is that so many 'crumbs' are left scattered around when someone tries to eradicate records. Probably a lot of emails locally cached in individual desktops and servers. It would be difficult but not impossible to partially recover some small part of the whole. Perhaps one would start with a complete list of subscribers to that service (if one still exists!) It strikes me that no one short of a major govt investigative agency would have the resources, however.

Sounds like some actor, and I'm betting state actor here, felt they needed to put a stake through the heart of this service, especially as they assessed that it would be fairly easy and thoroughly devastating to do so. While not ruling out sheer malice here, it sounds like a far deeper and more sinister purpose was in play IMO... Yikes! Was that service really set up that shaky and vulnerable?

Clutter

I agree with your assessment Clutter :thumbsup:

Well except for this part:
[quote]It strikes me that no one short of a major govt investigative agency would have the resources[/quote]

I think that would be the opposite, as it's easier for a private organization to pull together resources, since they do not have to deal with all the red tape and inter-agency problems.

[quote name='Cluttermagnet' timestamp='1550662374' post='458780']
.........Perhaps one would start with a complete list of subscribers to that service (if one still
exists!) ......
[/quote]
I suspect that they do. All it took to re-create my account (without the contents) was logging into the webmail, on the "nl101.vfemail.net" server. They had (at least) the usernames and passwords left.

However, users of the free accounts really had no reason to use their real names and addresses when registering.

[quote name='securitybreach' timestamp='1550665725' post='458781']
I agree with your assessment Clutter :thumbsup:

Well except for this part:
[quote]It strikes me that no one short of a major govt investigative agency would have the resources[/quote]

I think that would be the opposite, as it's easier for a private organization to pull together resources, since they do not have to deal with all the red tape and inter-agency problems.
[/quote]

Ahhh, point well taken... Yep, I think you're right about that!

Hello,

I think a state actor would be more targeted; their modus operandi is usually to slip in unnoticed, and make changes so that it seems they were never there. This seems, not clumsy, but, well, attention-generating. It may have been an act by a commercial entity in an attempt to cover their tracks, or an attempt of some sort to send a message, although what that might be and who it was for may never be known.

Regards,

Aryeh Goretsky

I was unable to login this morning, neither by webmail nor email client.
The "Incident page" doesn't have any entries newer than 2/17/19, so I don't have a clue about what happened.

[quote name='Pete!' timestamp='1552309470' post='458890']
I was unable to login this morning, neither by webmail nor email client.
[/quote]

I experienced the same thing yesterday morning with their webmail. It came back online later in the day and seems to be working fine today.

Yes, it's wo
[quote name='zlim' timestamp='1552311830' post='458892']
I see there are 2 login pages
[url="https://www.vfemail.net/horde5/login.php"]https://www.vfemail....orde5/login.php[/url]
[url="https://www.vfemail.net/roundcube/"]https://www.vfemail.net/roundcube/[/url]

did you try both?
[/quote]
Actually (depending on how you count) five ways. I tried webmail on both servers, both ways each.
I also have Thunderbird set up for their new server. Since the webmail didn't work on either server, I didn't try changing it back to the old server, I'm not counting on it anymore, so my interest was only curiosity.

[quote name='Lost' timestamp='1552386923' post='458898']
I experienced the same thing yesterday morning with their webmail. It came back online later in the day and seems to be working fine today.
[/quote]
Yes, it's working now. Both Horde5 and RoundCube on the web as well as via the Thunderbird client (all using nl101.vfemail.net).
There are NO new entries on the "incident page".

