In the interview, Diachenko put it more succinctly. “The scale is the sophistication,” he said.
The scale shows dedication (and deep pockets). The methods used - apart from the recursive dictionary attacks - were pretty mundane, as far as the report goes.
They then used a custom binary with 25,000 threads to spray hundreds of thousands of those endpoints with thousands of login and password combinations. Successful attempts now gave the attackers a “network tap inside the organization.”
Shouldn’t these fairly unsophisticated “spray-and-pray” brute force attempts show up in logs and at least alert security personnel that an active attack was underway?
the attackers went on to “actively intercept SSL VPN authentication hashes and crack them using a massive, dedicated 45-GPU cluster managed via Hashtopolis.” From there, they used the GPU cluster to crack the hashes, meaning to try massive combinations of plain-text passwords until they found the right one.
Again, not particularly sophisticated, but supported by heavy machinery to burn energy and money to do the actual work. Again, I ask: shouldn’t these types of attempts be mitigated by sufficiently long hashes? Even a 45-GPU cluster can be exhausted by hash length, can’t it?
Especially for a company that specialises in cybersecurity, yikes.
Oh they absolutely show up in logs. And if they’re half competent, this also would cause MFA prompts to users… And lockouts… So IT tickets too.
Yet…
There’s often no MFA configured for infrastructure because teams don’t want to bother and think their own stuff is secure.
What it should definitely cause is SIEM alerts.
*crickets*
How many firewall hardware manufacturers have had these kinds of vulnerabilities? Feels like a couple times a year I hear about another one.
Ugh, my work domain is on here… but its showing an unknown IP as the url for access so maybe not lol?
Fortinet at it again.
This is dumb orgs and admins
Including Fortinet itself evidently.
