Virtual Private Networks (VPNs) have become an important technology, used by individuals and enterprises alike, to keep traffic secure as it is transmitted across the open internet, and to protect the information and privacy of users. Since the beginning of Covid-19, which created the need to access company networks remotely, VPN usage has skyrocketed. This increased reliance on VPNs made them an attractive target for cybercriminals seeking to capitalise on the swift changes brought by the pandemic. In particular, threat actors began exploiting one of the known weakest links in the chain: users' passwords. By purchasing or compromising users' VPN credentials, hackers have the tools to easily unlock secure private connections and gain access to the private networks of both individuals and enterprises.
US colleges and universities at risk
In May 2022, the FBI issued a warning that hackers had been found offering VPN and network credentials of US-based colleges and universities for sale on various online underground forums and criminal marketplaces. It is unclear how cybercriminals were able to harvest these credentials, but the techniques typically used include spear-phishing attacks, ransomware attacks, and data breaches. The first notable case of compromised university and college VPN credentials being offered for sale was discovered in January 2022. Hackers were observed selling the credentials on a number of Russian cybercriminal forums, with prices ranging from a few dollars to multiple thousands of dollars.
The exposure of these VPN credentials and network access information presents many risks to the colleges and universities involved, as cybercriminals can now use the compromised credentials to easily gain access to previously secure networks. Once they gain access to these networks, threat actors can use techniques to escalate privileges and exfiltrate sensitive data, perform ransomware attacks, and inject malware. In order to mitigate these threats, the FBI urged academic entities to ensure that the operating systems and software they use are up to date, and suggested implementing network segmentation to prevent threat actors from moving across the network. The FBI also recommended always using multi-factor authentication in order to offer a higher degree of security to accounts, and highlighted the importance of raising awareness about phishing attacks among students, faculty and staff.
Compromised VPN credentials: not a new trend
The infamous attack on the Colonial Pipeline in April 2021 was perpetrated through the compromised credentials of one of the enterprise's VPN accounts. The attack resulted in the shutdown of the 5,500-mile natural gas pipeline for 5 days, and led to consequent gas shortages across some areas of the US. DarkSide, the hacker group responsible for the attack, gained access to the Colonial Pipeline's corporate network by using the compromised password of a VPN account that was no longer in use and that was not secured by multi-factor authentication. Upon investigation, the password was found in a list of leaked passwords available on the dark web, which suggests that the employee may have used the same password on a different account.
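The two conditions in the case above, a VPN account that was no longer in use and a login that completed without multi-factor authentication, are both visible to the defender if gateway logs are checked against directory data. The following is an added example (not code from White Blue Ocean or any VPN vendor) that reviews a constructed, simplified VPN authentication log and flags successful logins to accounts that are dormant or not covered by MFA; the log format, account names and dormancy threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample VPN gateway auth events (hypothetical format, not a real product's):
# <ISO timestamp> <user> <result> mfa=<yes|no> <source IP>
VPN_LOG = """\
2021-04-29T06:10:02 jsmith LOGIN_OK mfa=yes 203.0.113.10
2021-04-29T06:12:41 contractor7 LOGIN_OK mfa=no 198.51.100.23
2021-04-29T06:15:09 mjones LOGIN_FAIL mfa=no 198.51.100.23
2021-04-29T06:15:30 mjones LOGIN_OK mfa=yes 198.51.100.23
"""

# Constructed directory data: last legitimate use of each account and MFA enrolment.
LAST_SEEN = {
    "jsmith": datetime(2021, 4, 28),
    "contractor7": datetime(2020, 11, 3),  # unused for months, never deprovisioned
    "mjones": datetime(2021, 4, 27),
}
MFA_ENROLLED = {"jsmith", "mjones"}
DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, user, result, mfa, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ok": result == "LOGIN_OK", "mfa": mfa == "mfa=yes", "src": src}


def review_logins(log_text, last_seen, mfa_enrolled, dormant_after=DORMANT_AFTER):
    """Return (user, source_ip, reasons) for each successful login that is risky.

    A login is flagged when the account is not enrolled in MFA or the session
    completed without MFA, and/or when the account has been dormant longer than
    dormant_after (or is unknown to the directory altogether).
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev["ok"]:
            continue  # failed attempts are tracked elsewhere (lockout, brute-force)
        reasons = []
        if ev["user"] not in mfa_enrolled or not ev["mfa"]:
            reasons.append("no_mfa")
        seen = last_seen.get(ev["user"])
        if seen is None or ev["ts"] - seen > dormant_after:
            reasons.append("dormant_account")
        if reasons:
            findings.append((ev["user"], ev["src"], reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in review_logins(VPN_LOG, LAST_SEEN, MFA_ENROLLED):
        print(f"ALERT user={user} src={src} reasons={','.join(reasons)}")
```

In practice the same check is cheaper to enforce up front: disable or delete accounts that pass the dormancy threshold and require MFA for every VPN login, so the gateway never has to rely on a password alone.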
In September 2021, a threat actor going by the moniker 'Orange' leaked for free a list of almost 500,000 Fortinet VPN credentials. The threat actor was able to exploit a previously known vulnerability in Fortinet VPN that had not yet been patched. The link to the file containing the compromised login names and passwords was posted on a newly launched hacking forum, of which 'Orange' appears to be the creator, and on the data leak site of the ransomware group Groove. According to experts, the breach list contained credentials that could give hackers access to top companies, and therefore represented a high security risk.
T-Mobile was also the target of a series of data breaches in March 2022 at the hands of the cybercrime group Lapsus$. The threat group was able to gain access to Atlas, one of T-Mobile's tools for managing customer accounts, by using credentials for the company's VPN that the cybercriminals had purchased on the dark web. Leaked chat messages between members of the Lapsus$ group show that the gang was deciding whether to exploit the credentials to gain access to T-Mobile tools that would allow them to carry out SIM swap attacks, or to use the credentials to access and download T-Mobile source code. The gang settled on downloading over 30,000 source code repositories from the company.
What are the risks?
VPN credentials are the key to accessing secure private connections. When these credentials are exposed, hackers can gain access to personal networks and to companies' entire internal networks. Not only can hackers compromise VPN networks, but they may also be able to compromise other accounts on different services and platforms if users have reused the same password. As VPN credentials have become a valuable commodity on the dark web and on cybercriminal forums, even inexperienced hackers can now purchase credentials that give them the key to swiftly access otherwise secure networks. This is especially the case because many enterprises still fail to enforce the use of multi-factor authentication or One Time Passwords to access accounts. When VPN accounts are hacked, companies can suffer sensitive data leaks, operational disruptions, reputational damage, and financial losses. For individuals using a VPN for personal purposes, compromised credentials can lead to device takeover through spyware and ransomware, and can allow hackers to eavesdrop on the connection, view the data traffic, and compromise personal and sensitive information.
What can White Blue Ocean do?
Compromised VPN credentials circulating on online criminal forums and on the dark web can therefore present a high security risk to both individuals and enterprises, especially if users are not aware that their information has been leaked. White Blue Ocean helps users feel safe by managing their digital security. Through a wide range of web monitoring solutions, the White Blue Ocean team can alert personal and business customers when their information is found circulating on the dark web and the open web, including online criminal forums and social media platforms. This allows customers to always be aware of the risks they could face, by understanding which of their personal and sensitive information has been stolen or compromised, and how cybercriminals could use this information for malicious activity. White Blue Ocean protects customers from fraud and identity theft by sending alerts when their information is found, and by offering advice to help customers navigate the risks presented by the exposure of their personal data.