A number of customers and acquaintances have already asked us whether we know what exactly happened at TU Eindhoven. Reason enough to pull together some earlier news items and walk you through these events.
On Sunday, Jan. 12, TU Eindhoven's (TU/e) network was hit by a hack. The university was forced to take its own network offline, resulting in a one-week recovery period. Although the perpetrators are still unknown, their modus operandi is now clear: stolen login credentials were obtained through infostealers. But how could such a thing happen?
TU/e is working with security firm Fox-IT to investigate the incident. According to De Volkskrant, the hackers entered via stolen login credentials, which also appeared in criminal data, including log data from infostealers. Other educational institutions have been notified, and Radboud University Nijmegen has already taken extra authentication measures to protect against cyber threats.
The early phase of the ‘killchain’
Hackers are constantly trying to penetrate networks through various digital backdoors. Zero-days (undiscovered vulnerabilities) and unpatched services are the most obvious routes. However, malicious actors prefer easy access via legitimate login credentials. This ‘front door’ to the network allows attackers to easily steal or encrypt data.
But how do hackers get these login credentials? Methods such as guessing and brute-forcing are often unreliable or too slow. A much easier way is to buy legitimate login credentials on the dark web. Websites like Genesis Market, taken down in 2023, acted as a kind of all-in-one store for sensitive login credentials that hackers could buy. However, this is already a later stage in what Lockheed Martin calls the “Cyber Kill Chain”; something happened earlier to compromise the data.
How infostealers work
Infostealers target the beginning of this killchain and aim to steal sensitive data. This data can vary: some infostealers are only after credit card information, while others want to get browser history. In the case of TU Eindhoven, it may be a username and password. Sometimes more is needed and infostealers combine login information with other details such as phone number, e-mail address or home address.
This form of malware reaches users through familiar routes: phishing emails, malicious attachments or compromised websites. Security firm Packetlabs concludes that the best infostealers are modular in nature. They first scan the environment they land in, and only later install specific payloads. This minimizes the malware's footprint; in other words, it leaves as little evidence of its existence as possible. Ideally, the infostealer sends the smallest possible data packets over the network to a remote Command & Control (C2) server while carrying as many valuable digital assets as possible.
According to Lockheed Martin's framework, this is far from the end of the work. Infostealers can establish themselves in a system without difficulty, but must also be able to covertly contact the servers of malicious actors. They count only as a first step in the kill chain: backdoors, unpatched vulnerabilities and zero-days are a hacker's friend for further exploitation.
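The small, regular check-ins to a C2 server described above are one thing a defender can look for in network flow logs. The following is an added illustration, not code from the original article or from Fox-IT or TU/e: it takes constructed flow records (timestamp, source host, destination, bytes sent) and flags source/destination pairs whose outbound connections are both small and evenly spaced. The host names, the address 203.0.113.9 and all byte counts are made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp in seconds, source host, destination, bytes sent).
# Made-up values for illustration; not data from the TU/e incident.
SAMPLE_FLOWS = [
    # Small, evenly spaced connections: the low-footprint check-in pattern.
    (0, "ws-17", "203.0.113.9", 412),
    (60, "ws-17", "203.0.113.9", 398),
    (121, "ws-17", "203.0.113.9", 405),
    (180, "ws-17", "203.0.113.9", 410),
    (241, "ws-17", "203.0.113.9", 401),
    (300, "ws-17", "203.0.113.9", 399),
    # Normal intranet use: irregular and sometimes large transfers.
    (5, "ws-17", "intranet.example", 12000),
    (90, "ws-17", "intranet.example", 850),
    (200, "ws-17", "intranet.example", 43000),
    (260, "ws-17", "intranet.example", 2300),
    # Small but irregular traffic (e.g. an update check): not a beacon.
    (10, "ws-17", "updates.example", 300),
    (15, "ws-17", "updates.example", 300),
    (100, "ws-17", "updates.example", 300),
    (400, "ws-17", "updates.example", 300),
    (410, "ws-17", "updates.example", 300),
    (700, "ws-17", "updates.example", 300),
]


def find_beacons(flows, min_flows=5, max_jitter=0.15, max_bytes=1500):
    """Return (src, dst, mean_interval_seconds) for every pair whose
    connections are all small and whose spacing is nearly constant
    (relative standard deviation of the gaps at most max_jitter)."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    hits = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_flows:
            continue  # too few samples to judge periodicity
        recs.sort()
        if max(nbytes for _, nbytes in recs) > max_bytes:
            continue  # bulk transfers do not match the small-packet pattern
        gaps = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits
```

Thresholds like the jitter bound and byte limit are tuning knobs; in real logs they need adjusting per environment and the results are a starting point for triage, not proof of infection.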
Infostealers are already well established in the Netherlands. More than 40,000 Dutch people, IT professionals in particular, have been infected with them, according to research by RTL Nieuws. One of them could well have been an employee of TU Eindhoven.
Targets
These 40,000 Dutch people are difficult to protect. Infostealers, like other malware, can reach victims in many ways, and their methods vary widely, as do the consequences. For example, an infostealer can steal information via screen captures, keylogging, taking over a browser, dumping locally stored login credentials, stealing emails or monitoring the clipboard. In short, once an infostealer is installed, there are all sorts of ways in which data can be captured.
No user is safe, but the data most valuable to hackers is that of executives, IT professionals with many permissions in the network and service accounts. The latter category is often overlooked, so that detection does not happen or comes too late. Infostealers also frequently target certain high-value sectors, such as banking or, in the case of TU/e, high-tech targets. The first prominent infostealer described as such was Zeus in 2007, which caused all sorts of fraud incidents and botnets. Moreover, it could multiply and spread itself like a classic virus.
Awareness
This article shows that it is, and remains, important to work continuously on cybersecurity awareness within your organization. Sharing these kinds of stories and giving examples can be an important first step. If you need help with this, we are of course happy to help. Super logical, right?
Sources: Techzine and the Volkskrant
Image: Wikipedia