Hudson Rock said the attackers went on to “actively intercept SSL VPN authentication hashes and crack them using a massive, dedicated 45-GPU cluster managed via Hashtopolis.” From there, they used the GPU cluster to crack the hashes, meaning to try massive combinations of plain-text passwords until they found the right one. These passwords allowed the threat actors to move laterally to compromise Active Directory environments and other centralized authentication systems.
“This aggressive methodology has led to severe, real-world consequences,” Hudson Rock said. “Diachenko’s research confirmed full network compromises at multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey. Most alarmingly, this includes a Turkish NATO defense contractor from which classified defense documents were successfully exfiltrated by the group.”
In the interview, Diachenko put it more succinctly. “The scale is the sophistication,” he said.
The scale didn’t stop there. The attackers used the massive cluster to run a” feedback-driven, 12-level recursive system.” In other words, there wasn’t a single flat dictionary run. Password candidates came from custom dictionaries with as many as eight words, common keyboard patterns, and cracking rules. Each one looped back with each step. When guesses were successful, the passwords were fed back as seeds to generate still more candidates. In other words, the cracking techniques improved with each successful guess.
“They were quite innovative on that,” the researcher said.
The innovation contrasts sharply with the operational security of the attackers, who left artifacts on the server they used. In hacker circles, such moves are considered amateur mistakes.
Hudson Rock said that the top countries where compromised devices were found were India, the US, Taiwan, Mexico, Turkey, and Thailand. The top industries affected were IT services, construction materials, telecommunications, construction and engineering, industrial equipment, and financial services. Other organizations whose data appeared in the database included: Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture. Hudson Rock said that the database listed thousands of others, including major government agencies and critical infrastructure providers.
Firewalls have long been a favorite network entry point for hackers. These devices accept connections from the outside Internet, sit at the perimeter of a network, and have access to valuable resources deep inside.
The links above list a number of steps Fortinet firewall users should take to ensure their networks are secure. Given that the data has been available to cybercriminals and potentially other threat actors who, like Diachenko, found it, the risk is substantial.
