Dan Goodin* reports on the hack that broke through three levels of security to close down a US email service.
Email provider VFEmail said it has suffered a catastrophic destruction of all of its servers by an unknown assailant who wiped out almost two decades’ worth of data and backups in a matter of hours.
“Yes, @VFEmail is effectively gone,” VFEmail founder Rick Romero wrote on Twitter after watching someone methodically reformat hard drives of the service he started in 2001.
“It will likely not return. I never thought anyone would care about my labour of love so much that they’d want to completely and thoroughly destroy it.”
The ordeal started when he noticed all the servers for his service were down .
A few hours later, VFEmail’s Twitter account reported the attacker “just formatted everything.”
The account went on to report that VFEmail “caught the perp in the middle of formatting the backup server.”
The damage, Romero reported , extended to VFEmail’s “entire infrastructure,” including mail hosts, virtual machine hosts, and a SQL server cluster.
The extent of the damage, he suggested, required the hacker to have multiple passwords.
“That’s the scary part.”
At the time this post was going live, a status page reported that VFEmail was now delivering email again, although it wasn’t clear if service was working for US-based accounts.
The page also said that subfolders and filters users had previously set up were no longer in place. Users of free accounts shouldn’t yet send email, and no one should use email clients.
The motivation for the attack wasn’t immediately clear.
Most highly destructive attacks in recent years have been part of ransomware rackets that threaten people with catastrophic data loss unless they make big cryptocurrency payments.
But sometimes, targets don’t see the ransom messages.
It’s also possible that VFEmail fell victim to some sort of personal grudge.
Romero didn’t respond to messages seeking comment for this post.
A Web cache shows that VFEmail was founded in 2001 in response to the ILOVEYOU virus that infected tens of millions of Windows computers all around the world a year earlier.
The virus got its name because it was transmitted in emails with the subject “I love you.”
The service aimed to offer a better email experience by scanning messages for malware on the server.
“We strive to build an economical and redundant system, to provide our users with as much uptime as possible,” VFEmail’s about page said.
“As mentioned, VFEmail started with a single machine, but over time we’ve built out, adding systems for load balancing/failover and separating services.
“Most recently we’ve made use of Virtual Machines in order to keep hardware acquisitions at a minumum [sic], in those cases where it would not impact performance.
“By separating vital functions, upgrades, updates, and system problems can quickly and easily be isolated from the rest of the system and provide you with uninterrupted accessibility.”
The status page said the destruction came at the hands of a “hacker, last seen as [email protected].”
The IP address, whose records show, has ties to both Daticum and Coolbox hosting services, both in Bulgaria.
“That ip is a VM host,” Romero tweeted.
“Feels like a launch pad to me. To reformat a sql cluster (whaa?), and hit off-site NL hosted vms at the same time seems pretty nefarious to me.”
He went on to say that the attacker used multiple means of access onto the VFEmail infrastructure and as a result, it wasn’t clear two-factor authentication would have stopped the intrusion.
“2FA only works if the access method was via authentication, as opposed to exploit,” he explained.
“At least 3 different methods had to be used to get into everything.”
* Dan Goodin is Security Editor at Ars Technica and can be contacted @dangoodin001.
This article first appeared at arstechnica.com
