Psychz Compromised

Received a virus from them today via email. If you have an account with them, make sure you’re not using the same password elsewhere.

Email: PrivateBin

2021-05-31 10:45:28 1lnfQ7-00014E-VF <= support@psychz.net H=mail.psychz.net (psychz.net) [216.99.144.35] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=950905 DKIM=psychz.net id=20210531034513.8EF92D24E7EAF89D@psychz.net T="SERVER TERMINATION" from <support@psychz.net> for jarland@mxroute.com

jarlanddonnell@Jarlands-MacBook-Pro ~ % dig MX psychz.net +short
0 mail.psychz.net.

jarlanddonnell@Jarlands-MacBook-Pro ~ % host 216.99.144.35
35.144.99.216.in-addr.arpa domain name pointer mail.psychz.net.

jarlanddonnell@Jarlands-MacBook-Pro ~ % host mail.psychz.net
mail.psychz.net has address 216.99.144.35

Attachment: VirusTotal

It’s legit from their mail server. Every MXroute customer that received it looks like someone who could have been a customer.

2 Likes

Official response:

Hi All -

We’re still investigating the situation and will know more about the extent of the damage once we conduct a full investigation with our vendors.

At the moment we can see the what is compromised is what ever the entry level tech had access to. Essentially his workstation was compromised with a virus thus giving the hacker access to our portal system. They then used his personal email account to send emails out to those seen above.

This is one of the challenges with the pandemic when techs are working from home instead of the office. Policies were in place to prevent this such as running Ubuntu or self wipe system when working on windows system. Unfortunately that was not followed thus we need to re-visit the policies internally for all employees.

From what we can see so far is 5% of our of our clients were emailed the email seen above. Right now we have shutdown his workstation and doing a full forensics on his machine.

We’re sending emails to those that were sent an email to ensure they did not open the attachment.

In terms of billing information being compromised those are highly unlikely.

  1. Our database server is locked down and show no evidence of entry or downloads.
  2. Server credentials are required to be changed at the first provision of server. (Thus server compromised / data are highly unlikely)
  3. Router/Switches are not provided to entry level techs
  4. IPMI/Router/Switches are all private networks there is no way to connect it via entry points

Right now the concern is to those who receive those emails and not to open them. While we conduct further investigation we’ll know the extent of the damage.

Those that were sent the email and have concerns please reach out to our support team or DM me and we’ll do the best we can to assist.

2 Likes