- An individual who sells items on the Darknet claims to have gained access to the GlobalProtect VPN of an Australian manufacturing firm, which earns revenue of over $170 million per year.
- VPN access to corporations is an attractive commodity for underground economies, as initial access brokers will sell VPN credentials to other cybercriminals, including ransomware gangs and other actors.
- There is no verification of these claims yet, and the company’s name is still unknown, so there is no confirmation that there was a breach or any incident of unauthorized use of a company’s network.
A threat actor claims to have VPN access to an Australian manufacturing company and is now selling it on the dark web. The seller claims the business pulls in over $170 million each year.
According to the dark web listing, the hacker has compromised the company’s GlobalProtect VPN system – this kind of VPN lets employees reach internal systems and remote-access tools from outside the office. The hacker is offering access as a one-time sale and accepts cryptocurrency as payment.
At the time of writing, the identity of the organization is not known: the dark web post does not identify the manufacturer’s name or location and provides no specifics about the company’s operations.
Security researchers have not yet confirmed the claims; however, the details of the hacker’s offering are concerning enough to warrant close scrutiny from manufacturers in Australia.
How cybercriminals target corporate VPNs
VPNs create a secure connection to an organization’s network, and that trusted entry point makes them a key target for cybercriminals. An attacker who compromises a VPN to obtain access can move freely within the organization’s systems. The severity increases when the attacker steals sensitive data, deploys ransomware or commits espionage, any of which could result in millions of dollars in losses.
GlobalProtect is one of the most common VPNs and is a product of Palo Alto Networks. Many organizations utilize GlobalProtect to permit employees to connect to the organization’s network remotely from anywhere.
If an attacker is able to obtain valid user credentials or exploit a vulnerability in an organization’s software, the damages could be great. Cybercriminals will routinely scan for exposed VPN portals and also look for vulnerabilities to exploit.
Hackers can gain VPN access through a number of different avenues, and the threat is global: in the United States, a cyberattack on the Government Publishing Office allegedly resulted in employee data being stolen and offered for sale on dark web markets.
Cybercriminals may purchase stolen user credentials from other criminal hackers or exploit a known vulnerability in a VPN solution that has not been upgraded.
Also, cybercriminals use phishing schemes to deceive users into revealing their login credentials. After gaining access to the organization via the use of a VPN, cybercriminals will oftentimes spend several days or weeks exploring the organization’s network before executing any malicious activity.
They will identify and catalog valuable and sensitive data, create a map of the organization’s security defenses, and devise a plan for future criminal activity. This patient approach makes them harder to detect and stop. Many companies only discover breaches months after they occur. By then, the damage is already done.
The growing market for stolen corporate access
Corporate access has become a valuable commodity on underground markets. Cybercriminals who successfully breach company networks often sell that access to other criminals, which creates a marketplace where different hackers specialize in different stages of an attack. The ecosystem has grown increasingly organized and professional.
The price of corporate access varies based on several factors. Larger companies with higher revenues typically command higher prices. The type of access also matters: administrative credentials are worth more than standard user accounts. The seller’s claimed $170 million revenue suggests this Australian manufacturer would be a high-value target for ransomware groups.
Initial access brokers are an important part of the cybercrime landscape. These cybercriminals specialize in breaking into company networks and selling the access they obtain, typically to ransomware groups or other cybercriminal organizations, operating as independent contractors paid according to the price they set for that access. Some brokers have established reputations on dark web forums, complete with customer ratings and reviews.
The Australian manufacturing industry is a common target for cybercriminals because manufacturing companies frequently rely on industrial control systems that can suffer physical breakdowns if they are successfully compromised and infiltrated.
The impact of gaining access to a company’s network may result in the loss of data as well as the shutdown of production, causing significant financial loss. In the past few years, many Australian manufacturing companies have suffered huge losses and other damages due to ransomware attacks.
How companies can protect their VPNs
Businesses can undertake a number of measures to ensure their remote-access capabilities are adequately protected. Using multi-factor authentication for all users connecting to a VPN provides a key layer of defense against unauthorized access to a company’s network.
Even if attackers succeed in stealing valid usernames and passwords from users via phishing, they will not be able to connect to the network unless they also have the second authentication factor. This one action will block most credential-based attacks.
Organizations should actively monitor their login activity and be on the lookout for signs that their connectivity processes may have been compromised. Login activity that occurs at unusual times, multiple failed authentication attempts, or logins that originate from unexpected sources or locations may indicate compromised accounts and give organizations the opportunity to react before the perpetrator inflicts serious harm on their systems. Organizations can also use automated tools to detect such patterns early and effectively.
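The monitoring described above can be automated with a small log-analysis script. The following is an added example, not code from the original article or from Palo Alto Networks: it parses a constructed, simplified VPN authentication log (not the real GlobalProtect log schema), then flags off-hours logins, bursts of failed authentications from one user and source address, a successful login from a source that just produced such a burst, and logins from countries where the workforce is not expected to be. The thresholds, business hours and the `KNOWN_COUNTRIES` set are assumed tuning values.

```python
"""Flag suspicious VPN login patterns in an authentication log.

Added example, not part of the original article. The log format is a
constructed, simplified one (timestamp, user, source IP, country, result),
not Palo Alto's actual GlobalProtect schema; adapt LINE_RE to your gateway's export.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines (RFC 5737 documentation addresses, fictitious users).
SAMPLE_LOG = """\
2024-05-06T08:02:11Z user=alice src=203.0.113.10 geo=AU result=success
2024-05-06T08:05:43Z user=bob src=203.0.113.22 geo=AU result=success
2024-05-06T02:14:09Z user=carol src=198.51.100.7 geo=AU result=success
2024-05-06T11:30:00Z user=dave src=192.0.2.45 geo=RU result=failure
2024-05-06T11:30:05Z user=dave src=192.0.2.45 geo=RU result=failure
2024-05-06T11:30:09Z user=dave src=192.0.2.45 geo=RU result=failure
2024-05-06T11:30:14Z user=dave src=192.0.2.45 geo=RU result=failure
2024-05-06T11:30:20Z user=dave src=192.0.2.45 geo=RU result=failure
2024-05-06T11:30:31Z user=dave src=192.0.2.45 geo=RU result=success
2024-05-06T09:10:00Z user=alice src=203.0.113.10 geo=AU result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

# Assumed tuning values; adjust to the organization's own working pattern.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
FAIL_THRESHOLD = 5          # failures from one (user, src) pair ...
FAIL_WINDOW_SECONDS = 300   # ... within this many seconds
KNOWN_COUNTRIES = {"AU"}    # countries the workforce normally connects from


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def off_hours_logins(events):
    """Successful logins outside the business-hours window."""
    return [e for e in events if e["result"] == "success"
            and not (BUSINESS_START <= e["ts"].time() < BUSINESS_END)]


def failure_bursts(events):
    """(user, src) pairs with at least FAIL_THRESHOLD failures inside FAIL_WINDOW_SECONDS."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_key[(e["user"], e["src"])].append(e["ts"])
    hits = []
    for key, stamps in by_key.items():
        stamps.sort()
        for i in range(len(stamps)):
            # Sliding window anchored at stamps[i]: count failures that fall within the window.
            j = i
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= FAIL_WINDOW_SECONDS:
                j += 1
            if j - i >= FAIL_THRESHOLD:
                hits.append(key)
                break
    return hits


def success_after_burst(events):
    """Successful logins from a (user, src) pair that also produced a failure burst,
    the signature of guessing or credential stuffing that eventually worked."""
    bursts = set(failure_bursts(events))
    return [e for e in events if e["result"] == "success" and (e["user"], e["src"]) in bursts]


def unexpected_geo_logins(events):
    """Successful logins from a country outside KNOWN_COUNTRIES."""
    return [e for e in events if e["result"] == "success" and e["geo"] not in KNOWN_COUNTRIES]


def analyze(text):
    """Run all detections over a log text and return a plain-data summary."""
    events = parse_log(text)
    return {
        "off_hours": [(e["user"], e["ts"].isoformat()) for e in off_hours_logins(events)],
        "failure_bursts": failure_bursts(events),
        "success_after_burst": [(e["user"], e["src"]) for e in success_after_burst(events)],
        "unexpected_geo": [(e["user"], e["geo"]) for e in unexpected_geo_logins(events)],
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

On the constructed sample, the script reports carol's 02:14 login as off-hours, dave's five failures from 192.0.2.45 as a burst, dave's subsequent success from the same address as a success-after-burst, and that same login as originating from an unexpected country. In a real deployment the country would come from a GeoIP lookup on the source address rather than a field in the log, and each finding would be routed to a SIEM or on-call alert rather than printed.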
Updating VPN applications and devices patches the known vulnerabilities that hackers may take advantage of; attackers specifically target organizations that rely on systems that have not yet installed or applied current security patches.
Regularly conducting vulnerability assessments will allow organizations to proactively identify existing vulnerabilities prior to a hacker compromising them. Organizations should also audit and lock down, if applicable, VPN portals where access is no longer necessary.
The dark web post did not specify how the seller obtained the VPN access. The claims may be exaggerated or entirely fabricated; however, the listing serves as a reminder for Australian manufacturers to review their security postures.