VFEmail email provider suffers ‘catastrophic’ hack – Krebs on Security
Email provider VFEmail suffered what the company calls “catastrophic destruction” at the hands of an as yet unknown intruder who trashed all of the company’s primary and backup data in the United States. The company’s founder says he now fears that some 18 years of customer email may be gone forever.
Founded in 2001 and headquartered in Milwaukee, Wisc., VFEmail provides email service to businesses and end users. The first signs of the attack emerged on the morning of February 11, when the company’s Twitter account began fielding reports from users claiming they were no longer receiving messages. VFEmail’s Twitter account replied that “the external systems, of different operating systems and remote authentication, in several data centers are down”.
Two hours later, VFEmail tweeted that it had caught a hacker formatting one of the company’s mail servers in the Netherlands.
“Nl101 is enabled, but no incoming email”, read a tweet shortly after. “I’m concerned that all US-based data is lost.”
“At this point, the attacker has formatted all the disks on each server,” VFEmail wrote. “Each VM [virtual machine] is lost. Every file server is lost, every backup server is lost. Oddly enough, not all virtual machines shared the same authentication, but all were destroyed. It was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”
In an update posted to the company’s website, VFEmail owner Rick Romero wrote that new email was once again being delivered and that efforts were under way to recover whatever user data could still be recovered.
“At this time, I’m not sure what the status of the existing mail is for US users,” Romero wrote. “If you have your own email client, DO NOT ATTEMPT TO MAKE IT WORK. If you reconnect your client to your new mailbox, all of your local mail will be lost.”
Reached by KrebsOnSecurity on Tuesday morning, Romero said he was able to recover a backup drive hosted in the Netherlands, but feared all mail from US users was irretrievably lost.
“I don’t have very high expectations for US data recovery,” Romero said in an online chat.
Jean Senchak, a longtime VFEmail user from Florida who has also been a loyal reader of and commenter on this blog, told KrebsOnSecurity that the attack completely wiped out his company inbox – some 60,000 emails sent and received over more than a decade.
“I have an account on this site, all emails in my account have been deleted,” Senchak said.
When asked whether he had any clues about the attackers or how they might have broken in, Romero said the intruder appeared to be doing his dirty work from a Bulgaria-based server (94.155.49, username “aktv.”).
“I haven’t dug much into the case yet,” he said. “It looked like the IP was a Bulgarian hosting company. So I guess it was just a virtual machine they were using to launch the attack. There was definitely something someone didn’t want to find. Or, I really pissed someone off. It is always possible.”
This is not the first time that criminals have targeted VFEmail. I wrote about the company in 2015 after it suffered a debilitating Distributed Denial of Service (DDoS) attack when Romero refused to pay a ransom demanded by an online extortion group. Another round of DDoS attacks in 2017 forced VFEmail to find a new hosting provider.
In December 2018, Romero tweeted that the service had been disrupted by a DDoS attack he attributed to “script kiddies,” a mocking reference to low-skilled online hooligans.
“After 17 years, if I planned to shut it down, I would be the one shutting it down – not the script kiddies”, Romero wrote on December 8.
Attacks that seek to completely destroy data and servers without any warning or extortion demand are not as common as, say, ransomware infestations, but when they do occur they can be devastating (the Sony Pictures hack in 2014 and the unresolved 2016 assault on the US ISP Staminus come to mind).
It is not known whether or how VFEmail will recover from this latest attack, but such actions are a disturbing reminder that while most cybercriminals have some sort of short- or long-term profit motive in mind, an intruder with no such motive can destroy virtually anything within reach just as easily as they can plant malware or extortion threats like ransomware.