nanog mailing list archives

BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...)


From: "Glen A. Pearce" <nanog () ve4 ca>
Date: Sat, 1 Apr 2023 23:12:07 -0600

Hi All:

I received an E-mail with an attachment claiming something
on my network is infected and that I should look at the
attachment to find out what.

Normally I think everything with an attachment is phishing
to get me to run malware but:

#1: The sites linked to in it seem to be legit German
    government websites based on Wikipedia entries that
    haven't changed in several years.
    (Looked at archive.org)
#2: The attachment is a .txt file which I've normally
    assumed to be safe.
#3: None of the usual dead giveaways that most phishing
    E-mails have.

If it is a phishing E-mail it has got to be the cleverest
one I've ever seen, though someone would try to be clever
considering the target would be holders of IP blocks.

I right clicked and checked properties to make sure the
attached ip_addresses.txt file really is a text file and
not some fancy trickery with reverse direction characters
( As seen on https://www.youtube.com/watch?v=ieQUy8YTbFU )

I tried poking around to see if there was some vulnerability
in notepad (or some versions of it) that I didn't know about
and only found a vulnerability in the text editor on Macs
but nothing with Windows Notepad.

The other thing I felt was a bit off is that the originating
mail server is in Deutsche Telekom AG space and not IP space
registered to the German government.  I'm thinking someone
could rent some IP space from Deutsche Telekom AG with a
connection to them in a data center and get the DNS delegated
to them so they could set the reverse DNS to whatever they want.
A lot of effort to try to look legit by coming out of Germany
and having a government domain in the reverse DNS to look like
a plausible legit outsourcing, but again, network operators are
the target audience, so the normal tricks that work on the
general public won't work with this group, so I can see someone
going that far.

I'll attach the E-mail below with all headers.  Has anyone
else gotten these?  Is there some security risk opening it
in Windows Notepad that I don't know about or is it actually
safe to open this?


Return-Path: <abuse () cyber bka de>
Delivered-To: [REDACTED]
Received: from ezp08-pco.easydns.vpn ([10.5.10.148])
    by ezb03-pco.easydns.vpn with LMTP
    id oCfeBO/yEmTokhgAzaFxkQ
    (envelope-from <abuse () cyber bka de>)
    for <[REDACTED]>; Thu, 16 Mar 2023 10:43:59 +0000
Received: from smtp.easymail.ca ([127.0.0.1])
    by ezp08-pco.easydns.vpn with LMTP
    id WCB5BO/yEmSHdgEABcrfzg
    (envelope-from <abuse () cyber bka de>); Thu, 16 Mar 2023 10:43:59 +0000
Received: from localhost (localhost [127.0.0.1])
    by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF
    for <arin () ve4 ca>; Thu, 16 Mar 2023 10:43:59 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at ezp08-pco.easydns.vpn
X-Spam-Flag: NO
X-Spam-Score: 0.075
X-Spam-Level:
X-Spam-Status: No, score=0.075 required=4 tests=[BAYES_00=-1.9,
    DEAR_SOMETHING=1.973, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001,
    SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from smtp.easymail.ca ([127.0.0.1])
    by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id d0XbPteZN-Io for <arin () ve4 ca>;
    Thu, 16 Mar 2023 10:43:55 +0000 (UTC)
Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22])
    by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC
    for <arin () ve4 ca>; Thu, 16 Mar 2023 10:43:54 +0000 (UTC)
Date: Thu, 16 Mar 2023 10:43:53 +0000
To: arin () ve4 ca
From: BKA Wiesbaden - Abteilung Cybercrime <abuse () cyber bka de>
Reply-To: BKA Wiesbaden - Abteilung Cybercrime <abuse () cyber bka de>
Subject: Information regarding possible infection with malware
Message-ID: <M47LJRZpjy1zymUJDKsNtrYm3RimkafZfZTqeZpauZA () emailapi apps cc bka>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="b1_M47LJRZpjy1zymUJDKsNtrYm3RimkafZfZTqeZpauZA"
Content-Transfer-Encoding: 8bit

Dear Sir or Madam,

As part of criminal proceedings, the German Federal Criminal Police Office (Bundeskriminalamt) has been informed about public IP addresses and timestamps which indicate a potential infection by the malicious software "Bumblebee" of one or more systems behind the respective public IP address.

Within this letter, the BKA is providing you with the data of the respective IP addresses which have been assigned to you as the appropriate provider. You are asked to take appropriate measures to inform your
customers about the potential infection.

The following information will be provided:

1. Public IP address
2. Last known timestamp of contact by the public IP address
3. Possible system name or username on the potentially infected system

The following information may be sent to your customers in addition to the message of concern.

What should you do now?

1. Don’t panic!
2. Check your systems/networks for possible infections. If other institutions have already made you aware of infected systems recently, follow the action guidelines which you may have received from them.
3. For further information on cleaning up infections, please visit the English website of the Federal Office for Information Security (BSI):

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Infizierte-Systeme-bereinigen/infizierte-systeme-bereinigen_node.html

Yours sincerely,

Bundeskriminalamt Wiesbaden

--
Glen A. Pearce
gap () ve4 ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17


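An added example, not part of Glen's post and not anything the BKA sent: a small Python script that does offline the two checks the post is circling around. It walks the Received: chain from the top and stops at the first hop that did not come from the recipient's own relays (that is the address the sender actually connected from and the only Received: line worth a WHOIS/rDNS lookup; everything below it in the chain was written by the sender and can say anything), and it checks that an attachment named .txt really is plain text (no bidi override characters such as U+202E in the name, no hidden second extension, no NUL or control bytes in the body). The sample message is constructed from the headers quoted above, with addresses un-obfuscated from the archive's "a () b c" form; the attachment body is invented because the real one is not on the page, and the list of trusted relays is an assumption taken from the "by" names in the recipient's own headers.

```python
# Added example (not from the post): offline triage of a suspicious e-mail.
# 1. Walk Received: top-down and stop at the first hop not from OUR relays: that is
#    the IP the sender really connected from; every line below it is sender-written.
# 2. Check that an attachment named *.txt really is plain text.
import email
import ipaddress
import re
import unicodedata
from email import policy

# Constructed sample from the headers quoted in the post (addresses un-obfuscated
# from the archive's "a () b c" form); the attachment body is invented.
SAMPLE = b"""Received: from ezp08-pco.easydns.vpn ([10.5.10.148])
    by ezb03-pco.easydns.vpn with LMTP id oCfeBO/yEmTokhgAzaFxkQ
    for <arin@ve4.ca>; Thu, 16 Mar 2023 10:43:59 +0000
Received: from smtp.easymail.ca ([127.0.0.1])
    by ezp08-pco.easydns.vpn with LMTP id WCB5BO/yEmSHdgEABcrfzg; Thu, 16 Mar 2023 10:43:59 +0000
Received: from localhost (localhost [127.0.0.1])
    by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF; Thu, 16 Mar 2023 10:43:59 +0000 (UTC)
Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22])
    by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC; Thu, 16 Mar 2023 10:43:54 +0000 (UTC)
From: BKA Wiesbaden - Abteilung Cybercrime <abuse@cyber.bka.de>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Dear Sir or Madam,
--b1
Content-Type: text/plain; name="ip_addresses.txt"
Content-Disposition: attachment; filename="ip_addresses.txt"

192.0.2.10;2023-03-14T09:12:03Z;WORKSTATION-07
--b1--
"""

# Assumption: relays the recipient operates, taken from the "by" names in our own headers.
OUR_RELAYS = frozenset({"ezb03-pco.easydns.vpn", "ezp08-pco.easydns.vpn", "smtp.easymail.ca", "localhost"})
BIDI = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}  # LRE..RLO, LRI..PDI
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "hta", "lnk", "msi", "ps1"}


def parse_received(value):
    """One Postfix-style 'from HELO (rDNS [ip]) by HOST ...' line -> dict."""
    v = " ".join(value.split())  # unfold continuation lines, squash whitespace
    m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", v)
    if not m:
        return {}
    helo, paren = m.group(1), m.group(2) or ""
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", paren)
    by = re.search(r"\bby\s+(\S+)", v)
    return {"helo": helo, "ip": ip.group(1) if ip else None, "by": by.group(1) if by else None,
            "rdns": paren.split()[0] if paren and not paren.startswith("[") else None}


def first_external_hop(raw, ours=OUR_RELAYS):
    """Received: lines are newest-first; the first one not written by us is the origin."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for hdr in msg.get_all("Received", []):
        hop = parse_received(str(hdr))
        if not hop:
            continue
        addr = ipaddress.ip_address(hop["ip"]) if hop["ip"] else None
        if (addr and (addr.is_private or addr.is_loopback)) or hop["helo"] in ours:
            continue  # internal hand-off recorded by our own MTA: keep walking down
        hop["helo_matches_rdns"] = hop["helo"] == hop["rdns"]
        return hop
    return {}  # never left our own relays


def attachments(raw):
    """(filename, raw bytes) for every part that is not the message body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename() or "", p.get_payload(decode=True) or b"") for p in msg.iter_attachments()]


def inspect_attachment(filename, data):
    """Reasons a '.txt' attachment is not the plain text it claims to be (empty = clean)."""
    findings = []
    bidi = [f"U+{ord(c):04X}" for c in filename if c in BIDI]
    if bidi:
        findings.append("bidi override/isolate in filename: " + " ".join(bidi))
    exts = filename.lower().split(".")[1:]
    if len(exts) > 1:
        findings.append("multiple extensions: ." + ".".join(exts))
    if exts and exts[-1] in EXEC_EXTS:
        findings.append(f"real extension is executable: .{exts[-1]}")
    if b"\x00" in data:
        findings.append("NUL bytes in body (binary, not text)")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return findings + ["body is not valid UTF-8"]
    ctrl = sorted({f"U+{ord(c):04X}" for c in text if unicodedata.category(c) == "Cc" and c not in "\t\r\n"})
    if ctrl:
        findings.append("control characters in body: " + " ".join(ctrl))
    return findings


if __name__ == "__main__":
    print("origin:", first_external_hop(SAMPLE))
    for name, data in attachments(SAMPLE):
        print(name, "->", inspect_attachment(name, data) or "looks like plain text")
```

Run as-is it reports mail.cyber.bka.de / 80.146.190.22 handing off to smtp.easymail.ca, with the HELO name and the reverse DNS recorded by the receiving Postfix agreeing, and an attachment with no findings. Two caveats on what that does and does not prove. A PTR record is set by whoever controls the address space, so the check that matters is forward-confirmed rDNS (does mail.cyber.bka.de resolve back to 80.146.190.22?) together with WHOIS on the block; the script leaves both to the reader because it runs offline. And the SPF_PASS in the quoted X-Spam-Status only says the connecting IP is authorized for the envelope sender (Return-Path) domain; the quoted headers carry no Authentication-Results or DKIM-Signature line, so nothing on the page speaks to DKIM or DMARC for the From: domain.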