Major Data Breach Exposes Credentials for Thousands of Sensitive Networks

Cyber Attack Exploits SSL VPNs: Significant Breaches Uncovered

Recent findings from Hudson Rock reveal that a sophisticated cyberattack has compromised multiple organizations across several countries. The attackers intercepted SSL VPN authentication hashes and cracked them offline on a 45-GPU cluster managed through Hashtopolis, hashing candidate plaintext passwords at scale and comparing the results against the captured hashes until they recovered the correct ones. The recovered credentials let them move laterally within the victim networks, compromising Active Directory environments and other centralized authentication systems.

Hudson Rock further detailed the incident’s consequences, noting confirmed full network breaches at numerous entities in Japan, Taiwan, Vietnam, Iraq, and Turkey. Alarmingly, the group successfully exfiltrated classified documents from a Turkish NATO defense contractor. Researcher Diachenko emphasized the breadth and sophistication of the attack, succinctly stating, “The scale is the sophistication.”

The operation went beyond simple hash cracking. The attackers used a feedback-driven recursive system with twelve levels that processed password candidates through custom dictionaries and common keyboard patterns, continuously refining their guesses as each round revealed which patterns were succeeding. Diachenko noted the contrast between this ingenuity and the attackers' operational security, which evidently faltered: they left digital traces on the compromised server, a lapse more often associated with amateurs in hacker circles.

Data from Hudson Rock indicates that the compromised devices predominantly resided in India, the United States, Taiwan, Mexico, Turkey, and Thailand. The most affected industries included IT services, construction materials, telecommunications, and financial services. High-profile organizations like Foxconn, Samsung, and Accenture found their data included in the breach database, alongside various government agencies and critical infrastructure providers, indicating a wide-ranging impact.

Firewalls, positioned at the network perimeter, have long been targeted by cybercriminals seeking access to valuable internal resources. The methods used in this breach align with several tactics in the MITRE ATT&CK framework. Initial access could have been gained by exploiting weaknesses in the SSL VPN, followed by persistence within the network. Privilege escalation appears to have been achieved as the attackers moved through compromised Active Directory environments, granting them deeper access to sensitive information.

As organizations grapple with these threats, it is imperative for Fortinet firewall users in particular to implement the vendor's recommended security measures to safeguard their networks. Given the escalating sophistication of such attacks, the risk to businesses remains substantial and calls for a vigilant, well-informed approach to cybersecurity.