Massive breach spills credentials for thousands of sensitive networks


Hudson Rock said the attackers “actively intercept SSL VPN authentication hashes and crack them using a massive, dedicated 45-GPU cluster managed through Hashtopolis.” Cracking a hash means trying enormous numbers of plaintext password candidates until one produces the same hash. The recovered passwords allowed the threat actors to move laterally and compromise the Active Directory environment and other centralized authentication systems.

“This aggressive practice has had serious, real-world consequences,” Hudson Rock said. “Diachenko’s research confirmed full network compromise in multiple organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey. Most worryingly, this included a Turkish NATO defense contractor, from where classified defense documents were successfully infiltrated by the group.”

Diachenko put it more succinctly in the interview. “The scale is the sophistication,” he said.

The scale didn’t stop there. The attackers used the massive cluster to run a “feedback-driven, 12-level recursive system.” This was not a single flat dictionary run. Password candidates came from custom dictionaries with eight words, common keyboard patterns, and cracking rules, and each level built on the output of the one before it. When guesses were successful, the cracked passwords were fed back as seeds to generate further candidates, so the cracking improved with each successful guess.
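The candidate classes described above (dictionary words, keyboard patterns, and words mangled by cracking rules) are exactly what a password policy should reject before a hash that weak ever reaches a VPN appliance. The following is an added example, not code from the article, Hudson Rock or Diachenko, of such a policy check in Python. The word list, keyboard rows and substitution table are constructed for the example; a real deployment would use a large breached-password blocklist.

```python
import re

# Constructed stand-in for a real password blocklist (tiny on purpose).
DICTIONARY = {"password", "welcome", "fortinet", "summer", "admin", "letmein", "company"}

# Keyboard rows used to build "walk" patterns such as qwerty, asdfgh, 12345.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Common leetspeak substitutions, applied in reverse to recover the base word.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

# Trailing digits/symbols that mangling rules typically append (years, "1", "!").
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.?_-]+$")


def keyboard_walks(min_len=4):
    """All substrings of length >= min_len of each keyboard row, in both directions."""
    walks = set()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            for j in range(i + min_len, len(row) + 1):
                seg = row[i:j]
                walks.add(seg)
                walks.add(seg[::-1])
    return walks


KEYBOARD_WALKS = keyboard_walks()


def base_forms(password):
    """Forms that one or two common cracking rules would map back to a base word."""
    lower = password.lower()
    stripped = TRAILING_JUNK.sub("", lower)
    return [lower, stripped, lower.translate(UNLEET), stripped.translate(UNLEET)]


def classify_password(password, dictionary=DICTIONARY, min_length=12):
    """Return None if the password passes the policy, otherwise a short rejection reason."""
    lower = password.lower()
    if lower in dictionary:
        return "dictionary word"
    if TRAILING_JUNK.sub("", lower) in KEYBOARD_WALKS:
        return "keyboard pattern"
    for form in base_forms(password):
        if form in dictionary:
            return "dictionary word with mangling rules"
    # A long keyboard walk embedded anywhere (e.g. "12345678") is also rejected.
    if any(len(walk) >= 5 and walk in lower for walk in KEYBOARD_WALKS):
        return "contains keyboard pattern"
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["password", "P@ssw0rd1!", "qwerty123", "Summer2024!",
               "correct-horse-battery-staple"]:
        print(f"{pw!r}: {classify_password(pw) or 'ok'}")
```

The check deliberately undoes the cheap transformations first (case, appended digits and symbols, leetspeak) because those are the rules a cracker applies first and they cost almost nothing on a GPU; a blocklist check that only compares the literal string misses "P@ssw0rd1!" entirely.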

“They were quite innovative in this regard,” the researcher said.

This innovation is in stark contrast to the operational security of the attackers, who left artifacts on the servers they used. In hacker circles such moves are considered amateur mistakes.

Hudson Rock said the top countries where compromised devices were found were India, the US, Taiwan, Mexico, Turkey and Thailand. The top industries affected were IT services, building materials, telecommunications, construction and engineering, industrial equipment and financial services. Other organizations whose data appeared in the database include: Foxconn, Samsung, Comcast, Siemens, PwC and Accenture. Hudson Rock said the database lists thousands of others, including key government agencies and critical infrastructure providers.

Firewalls have long been a preferred network entry point for hackers. These devices accept connections from the external Internet, sit at the perimeter of the network, and have access to valuable resources inside.

The link above lists several steps that Fortinet firewall users should take to ensure that their networks are secure. Given that the data is available to cybercriminals, and potentially to other threat actors who found it the way Diachenko did, the risk is substantial.


