BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...)
Hi All:

I received an E-mail with an attachment claiming something on my network is infected and that I should look at the attachment to find out what. Normally I think everything with an attachment is phishing to get me to run malware but:

#1: The sites linked to in it seem to be legit German government websites based on Wikipedia entries that haven't changed in several years. (Looked at archive.org)
#2: The attachment is a .txt file which I've normally assumed to be safe.
#3: None of the usual dead giveaways that most phishing E-mails have.

If it is a phishing E-mail it has got to be the cleverest one I've ever seen, though someone would try to be clever considering the target would be holders of IP blocks.

I right-clicked and checked properties to make sure the attached ip_addresses.txt file really is a text file and not some fancy trickery with reverse direction characters (as seen on https://www.youtube.com/watch?v=ieQUy8YTbFU). I tried poking around to see if there was some vulnerability in Notepad (or some versions of it) that I didn't know about and only found a vulnerability in the text editor on Macs but nothing with Windows Notepad.

The other thing I felt was a bit off is that the originating mail server is in Deutsche Telekom AG space and not IP space registered to the German government. I'm thinking someone could rent some IP space from Deutsche Telekom AG with a connection to them in a data center and get the DNS delegated to them so they could set the reverse DNS to whatever they want. A lot of effort to try to look legit by coming out of Germany and having a government domain in the reverse DNS to look like a plausible legit outsourcing, but again network operators are the target audience so the normal tricks that work on the general public won't work with this group, so I can see someone going that far.

I'll attach the E-mail below with all headers. Has anyone else gotten these? Is there some security risk opening it in Windows Notepad that I don't know about or is it actually safe to open this?

Return-Path: <abuse@cyber.bka.de>
Delivered-To: [REDACTED]
Received: from ezp08-pco.easydns.vpn ([10.5.10.148]) by ezb03-pco.easydns.vpn with LMTP id oCfeBO/yEmTokhgAzaFxkQ (envelope-from <abuse@cyber.bka.de>) for <[REDACTED]>; Thu, 16 Mar 2023 10:43:59 +0000
Received: from smtp.easymail.ca ([127.0.0.1]) by ezp08-pco.easydns.vpn with LMTP id WCB5BO/yEmSHdgEABcrfzg (envelope-from <abuse@cyber.bka.de>); Thu, 16 Mar 2023 10:43:59 +0000
Received: from localhost (localhost [127.0.0.1]) by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF for <arin@ve4.ca>; Thu, 16 Mar 2023 10:43:59 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at ezp08-pco.easydns.vpn
X-Spam-Flag: NO
X-Spam-Score: 0.075
X-Spam-Level:
X-Spam-Status: No, score=0.075 required=4 tests=[BAYES_00=-1.9, DEAR_SOMETHING=1.973, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from smtp.easymail.ca ([127.0.0.1]) by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d0XbPteZN-Io for <arin@ve4.ca>; Thu, 16 Mar 2023 10:43:55 +0000 (UTC)
Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22]) by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC for <arin@ve4.ca>; Thu, 16 Mar 2023 10:43:54 +0000 (UTC)
Date: Thu, 16 Mar 2023 10:43:53 +0000
To: arin@ve4.ca
From: BKA Wiesbaden - Abteilung Cybercrime <abuse@cyber.bka.de>
Reply-To: BKA Wiesbaden - Abteilung Cybercrime <abuse@cyber.bka.de>
Subject: Information regarding possible infection with malware
Message-ID: <M47LJRZpjy1zymUJDKsNtrYm3RimkafZfZTqeZpauZA@emailapi.apps.cc.bka>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1_M47LJRZpjy1zymUJDKsNtrYm3RimkafZfZTqeZpauZA"
Content-Transfer-Encoding: 8bit

Dear Sir or Madam,

As part of criminal proceedings, the German Federal Criminal Police Office (Bundeskriminalamt) has been informed about public IP addresses and timestamps which indicate a potential infection by the malicious software "Bumblebee" of one or more systems behind the respective public IP address. Within this letter, the BKA is providing you with the data of the respective IP addresses which have been assigned to you as the appropriate provider. You are asked to take appropriate measures to inform your customers about the potential infection.

The following information will be provided:
1. Public IP address
2. Last known timestamp of contact by the public IP address
3. Possible system name or username on the potentially infected system

The following information may be sent to your customers in addition to the message of concern.

What should you do now?
1. Don't panic!
2. Check your systems/networks for possible infections. If other institutions have already made you aware of infected systems recently, follow the action guidelines which you may have received from them.
3. For further information on cleaning up infections, please visit the English website of the Federal Office for Information Security (BSI): https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informati...

Yours sincerely,
Bundeskriminalamt Wiesbaden

-- 
Glen A. Pearce gap@ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees http://www.ve4.ca
ARIN Handle VET-17
It appears legit. BKA.DE is the German Bundeskriminalamt (Federal Police) and the PTR records, SPF etc. check out for the domain. Might as well check the IP in question for malware if they've provided date / timestamps and such.

--srs

From: NANOG <nanog-bounces+ops.lists=gmail.com@nanog.org> on behalf of Glen A. Pearce <nanog@ve4.ca>
Date: Monday, 3 April 2023 at 12:29 PM
To: nanog@nanog.org <nanog@nanog.org>
Subject: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...)
Any security "authority" that sends a warning email that requires opening _any_ attachment doesn't deserve to be taken seriously. This includes the MPAA et al. Also, if they don't send it to your registered abuse email, into the trash it should go without a glance.

-mel beckman

On Apr 3, 2023, at 4:37 AM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:

It appears legit. BKA.DE is the German Bundeskriminalamt (Federal Police) and the PTR records, SPF etc. check out for the domain. Might as well check the IP in question for malware if they've provided date / timestamps and such.

--srs
Looks like a scam to me. We are based in Germany and from time to time we are getting requests from the BKA; all mails originated from "*@bka.bund.de", never heard about this "cyber.bka.de" domain. Also I would expect something more like a specific criminal investigation from the BKA instead of the usual "we found suspicious ip addresses" announcement like Shadowserver is offering. Governmental services within DTAG (AS3320) ip space are pretty common in Germany.

HTH,
Stefan

-- 
Stefan Giera, BelWü (AS553)
BelWü-Koordination, Universität Stuttgart
Industriestr. 28, 70565 Stuttgart
Tel: +49 711/685-65797 | direct line
Tel: +49 711/685-88030 | NOC, network operations, routers
Tel: +49 711/685-88020 | (school) hotline
Fax: +49 711/678 83 63
E-Mail: ip@belwue.de - http://www.belwue.de
Well, I eventually had a friend open the attachment on his Linux machine and, once he confirmed it was safe to open and found there was nothing in it other than the list of IP addresses, user names and time stamps (but there were a whole bunch of addresses listed), I opened the attachment in Notepad.

All 43 IP addresses listed turned out to be ones that are not and have not been in use the entire time I've had the IP block. So it's still mysterious why someone would have sent this, as it appears to not be malware but it's entirely junk information, so no reason to explain why either the German Police or a scammer would have sent it.

Maybe the German Police used to have a server at that address for some purpose and neglected to turn off the forward DNS when it was decommissioned, and Deutsche Telekom AG didn't remove the old reverse DNS when they re-assigned the space to a new customer, and that new customer stood up a mail server to send these. Though for what purpose I'm unsure.

It's as odd as the (automatically generated) abuse E-mail I recently got from a Spanish ISP (Comvive Servidores SL) claiming to have received a network attack from an address that is also not in use. (Which was one of the ones listed in this E-mail.)

Thanks to everyone that did reply with their input.

-- 
Glen A. Pearce gap@ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees http://www.ve4.ca
ARIN Handle VET-17
* nanog@ve4.ca (Glen A. Pearce) [Mon 24 Apr 2023, 17:42 CEST]:
Well, I eventually had a friend open the attachment on his Linux machine
Not necessarily a safe idea: https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-la... (scroll down to "Operation DreamJob with a Linux payload", sadly no anchors) -- Niels.
On 4/24/23 9:24 AM, Niels Bakker wrote:
* nanog@ve4.ca (Glen A. Pearce) [Mon 24 Apr 2023, 17:42 CEST]:
Well, I eventually had a friend open the attachment on his Linux machine
Not necessarily a safe idea: https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-la... (scroll down to "Operation DreamJob with a Linux payload", sadly no anchors)
The key security concern here is "don't inspect/interpret bytes in an attachment with an application of the attacker's choosing". cat, or even emacs, seem pretty safe. For me, that's easiest to do with Linux or MacOS (terminal). But sure, if "open on a Linux machine" still means "point and click", then you're absolutely correct.

Jim Shankland
On 24/04/2023 10:24 a.m., Niels Bakker wrote:
* nanog@ve4.ca (Glen A. Pearce) [Mon 24 Apr 2023, 17:42 CEST]:
Well, I eventually had a friend open the attachment on his Linux machine
Not necessarily a safe idea: https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-la... (scroll down to "Operation DreamJob with a Linux payload", sadly no anchors)
-- Niels.
Thanks for the heads up on that. My situation (in this one case) was a little different from the example in the article you sent, as I had already verified it was a text file (and not another type masquerading as a text file with funny characters). I was just concerned because I was wondering if someone had found a way to compromise Windows Notepad (or at least some versions of it, because Microsoft likes to keep changing things). I still kinda wonder now if there is some vulnerability in Microsoft Notepad somewhere because of a "feature" someone decided to add along the way that nobody needed and almost nobody knows about.... The link you included might still save someone a lot of headaches one day.

I checked with my friend: what he did was use Linux on a virtual machine with a static hard drive, then started "Nano" at the command line and used that to open the file I sent him. He's a lot more expert than me so I tend to trust that he knows what he's doing even if he doesn't fill me in on all the details. I guess in this case he figured he didn't need to fill me in on them until I asked. Though I did pass on the article you sent in case it's relevant to something he encounters in the future.

-- 
Glen A. Pearce gap@ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees http://www.ve4.ca
ARIN Handle VET-17
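Jim's point (look at the attacker's bytes yourself rather than through an application of their choosing) and Glen's two checks (is it really a text file, is the name hiding a reverse-direction character) can be scripted. This is an added example, not code from the thread: it inspects an attachment's raw bytes offline, flags bidi control characters, NUL bytes and non-UTF-8 content, and parses the IP / timestamp / name records the notice describes; the record layout, separators and sample data are assumptions.

```python
import ipaddress
import re
import unicodedata

# Unicode bidi controls (RLO/LRO, embeddings, isolates) and zero-width marks used to
# disguise names such as "ip_addresses<RLO>txt.exe", which displays as a .txt file.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")

# Assumed record layout, following the notice's list: <ip> <timestamp> [<host or user name>]
RECORD_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<ts>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:?\d{2})?)"
    r"(?:\s+(?P<name>\S+))?$"
)


def check_filename(name: str) -> list:
    """Flag bidi tricks and a real extension other than .txt in the attachment name."""
    warnings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        warnings.append("filename contains bidi control characters")
    # The extension the OS acts on is the one after the last dot, whatever is displayed.
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if real_ext != "txt":
        warnings.append(f"real extension is '.{real_ext}', not .txt")
    return warnings


def triage_attachment(name: str, data: bytes) -> dict:
    """Inspect raw bytes; nothing is executed, rendered or handed to a viewer."""
    report = {"filename": check_filename(name), "content": [], "records": [], "bad_lines": []}
    if b"\x00" in data:
        report["content"].append("NUL byte present: not plain text")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        report["content"].append("not valid UTF-8")
        return report
    text = text.lstrip("\ufeff")  # tolerate a leading BOM
    for ch in sorted(set(text)):
        if ch in BIDI_CONTROLS:
            report["content"].append(f"bidi control U+{ord(ch):04X} in content")
        elif unicodedata.category(ch) == "Cc" and ch not in "\r\n\t":
            report["content"].append(f"control character U+{ord(ch):04X} in content")
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = RECORD_RE.match(line.strip())
        if m is None:
            report["bad_lines"].append(lineno)
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            report["bad_lines"].append(lineno)
            continue
        report["records"].append((str(ip), m["ts"], m["name"]))
    return report


def is_clean(report: dict) -> bool:
    """True when the file is plain text in the expected layout with a sane name."""
    return not (report["filename"] or report["content"] or report["bad_lines"])


# Constructed samples for the demo; not data from the notice in the thread.
GOOD = b"203.0.113.7 2023-03-10T08:15:22Z DESKTOP-TEST\n198.51.100.9 2023-03-11 22:01:05 jdoe\n"
BAD_NAME = "ip_addresses\u202etxt.exe"  # displays as 'ip_addressesexe.txt'
BAD_DATA = b"203.0.113.7 2023-03-10T08:15:22Z\x00\x90\x90"

if __name__ == "__main__":
    for fn, blob in (("ip_addresses.txt", GOOD), (BAD_NAME, BAD_DATA)):
        rep = triage_attachment(fn, blob)
        print(repr(fn), "clean" if is_clean(rep) else rep)
```

The parsed records can then be compared against the block's allocation data, which is the check Glen did by hand to find that none of the listed addresses were in use.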