Key Lessons from the VFEmail Incident for Businesses


Today, the VFEmail incident dominates the cybersecurity discourse, adding a new layer of worry to an already anxious professional field.

The VFEmail incident concerns the titular email provider; they suffered what experts and insiders describe as catastrophic data destruction at the hands of an external threat actor. According to KrebsonSecurity, the attacker destroyed all of the provider’s primary and backup data. The attacker and their motives remain unknown at the time of writing.

VFEmail released a statement via Twitter. “At this time, the attacker has formatted all the disks on every server. Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”

KrebsonSecurity reports VFEmail owner Rick Romero retrieved backup data for the Netherlands, but believes U.S. users’ mail remains lost.

What Enterprises Can Learn from the VFEmail Incident

This incident could prove devastating for VFEmail in both the short and long term; this case demonstrates the absolute worst-case scenario for enterprises of all sizes. The breach remains too recent to determine the full extent of the damage to VFEmail’s reputation and bottom line; however, it seems likely to be quite extensive.

The VFEmail incident illustrates the importance of privileged access management for enterprises. No intruder should have acquired the permissions to delete the entirety of data for the servers; in fact, no privileged user should have had permissions to simply delete the entirety of an enterprise’s data. A privileged access management solution would have alerted their IT security team about this potentially dangerous access and helped them to curtail it to avoid such data destruction.

Additionally, while we cannot speculate on the authentication methods used to protect the email provider’s servers, multifactor authentication would have helped prevent an external threat actor from penetrating so far into the network. A privileged access management solution would have helped to install multifactor authentication, especially on key databases.

Moreover, a PAM solution could have allowed VFEmail to install granular authentication protocols—authentication which scales with the sensitivity of the access request and the data protected. This could have deterred the intruder and provided sufficient time for the internal security team to detect the threat.

Finally, privileged identity solutions allow for the monitoring of user behavior connected to privileged accounts. If a super-user begins to act suspiciously while making sensitive access requests, PAM could send a security alert and work with other applications to prevent further access until the activity’s legitimacy could be determined.
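As an added illustration of the privileged-behavior monitoring described above (example code written for this article, not VFEmail's tooling or any vendor's product), the following Python detection runs over constructed audit lines in a hypothetical `priv-audit` format and raises an alert when a single source wipes several hosts within a short window, even though each host is reached with a different account:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a (hypothetical) privileged-session audit feed; not VFEmail's logs.
# Format: <iso-timestamp> <host> priv-audit: <user> : COMMAND=<cmd> ; FROM=<source-ip>
SAMPLE_LOG = """\
2019-02-11T09:01:05 mail01 priv-audit: ops : COMMAND=/usr/bin/systemctl restart postfix ; FROM=10.0.5.21
2019-02-11T14:10:02 mail01 priv-audit: admin : COMMAND=/sbin/mkfs.ext4 /dev/sdb ; FROM=203.0.113.7
2019-02-11T14:10:41 mail02 priv-audit: root : COMMAND=/bin/dd if=/dev/zero of=/dev/sda ; FROM=203.0.113.7
2019-02-11T14:11:15 backup01 priv-audit: bkup : COMMAND=/bin/rm -rf /srv/backups ; FROM=203.0.113.7
2019-02-11T14:12:03 vm-host1 priv-audit: admin : COMMAND=/usr/bin/virsh undefine mailvm --remove-all-storage ; FROM=203.0.113.7
"""

# Commands that wipe disks, volumes, or VM storage; extend to match your own estate.
DESTRUCTIVE = re.compile(r"\b(mkfs(\.\w+)?|dd\b.*of=/dev/|rm -rf /|wipefs|virsh undefine)")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) priv-audit: (?P<user>\S+) : "
                     r"COMMAND=(?P<cmd>.*?) ; FROM=(?P<ip>\S+)$")

def parse(log_text):
    """Turn audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "user": m["user"], "cmd": m["cmd"], "ip": m["ip"]})
    return events

def find_mass_destruction(events, window=timedelta(minutes=15), min_hosts=3):
    """One alert per source that ran destructive privileged commands on at least
    min_hosts distinct hosts inside `window`. Keyed on the source, not the
    account, because every host may be reached with different credentials."""
    by_ip = defaultdict(list)
    for e in events:
        if DESTRUCTIVE.search(e["cmd"]):
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = sorted({e["host"] for e in burst})
            if len(hosts) >= min_hosts:
                alerts.append({"ip": ip, "start": first["ts"], "hosts": hosts,
                               "users": sorted({e["user"] for e in burst})})
                break  # one alert per source is enough; the rest is triage
    return alerts
```

A PAM or SIEM rule of this shape is what turns "every VM is lost" into an alert after the first two or three hosts, giving the team a chance to revoke the session before the backup servers are reached.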

Experts Weigh in on the VFEmail Incident

We consulted with identity security and cybersecurity experts for their take on the VFEmail incident. Here’s what they recommend for your enterprise:

Fausto Oliveira, Principal Security Architect at Acceptto:

“This attack left VFEmail, and some of their customers, without access to their information. This raises questions of what disaster recovery strategy was in place and why data wasn’t backed up into cold storage, thus making it unavailable to attackers. If they had a strategy in place, they should be able to recover at least a substantial part of their customers’ data.”

“The fact that attackers were able to access and erase all the information demonstrates that the systems were not protected in an effective way. Critical systems, such as those that host customer data, must be protected with enhanced security and all operations must be protected using intelligent Multi-Factor Authentication solutions. If those controls were in place, an operation that deviates from trusted behavior would have raised the friction towards the attackers and provided immutable logs showing that the attack was in progress, allowing VFEmail to react quickly and potentially stop the breach before data was destroyed.”

Chris Morales, Head of Security Analytics at Vectra:

“This kind of destructive attack, with no stated motive or demands, is quite rare. An organization losing all of their data, and all of their customer data, is a nightmare scenario that could easily put a small company out of business and cause a huge financial impact on a large enterprise. Sony suffered this type of catastrophic destruction in 2014, which was attributed to North Korea.”

“The first thought that comes to mind is this is a service being sold as a secure email. The second is that if this is secure email then where are the offline backups and archives? Offline backups might not give a full restore to the exact date data was lost, but it would prevent the complete loss of all historical user data.”

“Offline backup is the same strategy organizations are using to counter loss from ransomware.”

Praveen Jain, Chief Technology Officer at Cavirin:

“Given the types of increasingly common attacks, sometimes without any obvious motive, it is imperative that organizations take all possible precautions to ensure their cyber posture. This includes air-gapped backups and better training of employees so they don’t become an attack vector.”

“In the case of VFEmail, for better or for worse, we may see some of the same user behavior changes as with lesser-known cloud providers that have had breaches, where they migrate to the Tier-1 providers for perceived safety.”

Terence Jackson, Chief Information Security Officer at Thycotic:

“This type of attack highlights the significance of having, updating and testing your disaster recovery/business continuity plans frequently and using an established Privileged Access Management solution.”

“The about page on the website shows a network diagram that includes an offsite backup server attached to the public internet. At this point, I believe we still have more questions than answers.”

“However, I do believe that the owner gave us a nugget as to how the compromise occurred. Rick Romero stated ‘This was more than a multi-password via ssh exploit.’ So, was this simply a Brute Force attack? Credential Stuffing? Based on his statement, perhaps. Nevertheless, there are some good best practice takeaways from this incident:

  1. Develop and test your Disaster Recovery Plan.
  2. Don’t store production and backup data together.
  3. Have online and offline backups.
  4. Use Privilege Access Management solutions to automatically rotate your passwords and ssh keys.
  5. Patch, Patch, Patch.”

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.