The breach of Eindhoven University of Technology (TU/e) began with the attacker obtaining VPN credentials for two university accounts, labeled LP1 and LP2. The credentials were most likely taken from an earlier data breach or leak. No exploit, malware or phishing campaign was needed: the attacker entered the university's internal network simply by logging in through the university's VPN gateway with the stolen username and password.

Escalation through poor domain controller practices

Once inside the network, the attacker exploited outdated and misconfigured authentication settings, in particular the fact that NTLMv1 was still accepted. With a low LM compatibility level (the LmCompatibilityLevel setting), hosts will negotiate NTLMv1, whose challenge-response is built with DES directly from the NT hash; when the challenge is known (a rogue listener can issue a fixed one), a captured response can be cracked back to the NT hash itself, independent of password strength. The same weak settings leave machines open to coercion attacks that force them to authenticate to an attacker-controlled listener. The attacker used Responder to capture authentication attempts and CrackMapExec to drive authentication against hosts across the network, collecting hashed credentials that were cracked later.

Achieved domain admin through credential abuse

The attacker escalated privileges step by step: first cracking credentials for administrative accounts (the report labels one DC4 Pro), then running a DCSync attack, in which an account holding directory replication rights asks a domain controller to replicate password hashes as if it were another domain controller, to pull credentials for every account from the domain controller itself. That yielded the highest-privilege account (HP1), which administers both the root domain and the campus domain, effectively handing the intruder full control of the university's digital infrastructure.
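Both escalation steps above (NTLMv1 negotiated and captured, then DCSync against the domain controller) leave traces in the Windows Security log, and an inventory of NTLMv1 logons is also what an administrator needs before raising LmCompatibilityLevel, as in the lessons-learned step at the end of the page. The following Python is an added example written for this page, not code from the university's report or from any tool mentioned here. It constructs four sample 4624/4662 events in the Windows event XML schema, flags network logons whose LmPackageName field shows NTLM V1, and flags 4662 directory-access events that request the replication control-access rights DCSync needs from any account not in an assumed list of domain controller machine accounts (KNOWN_DC_ACCOUNTS). The account names, hostnames, IP addresses and the DC list are assumptions; the replication GUIDs and event field names are the real Active Directory ones.

```python
"""Hunt for NTLMv1 logons and DCSync-style replication requests in Windows Security events.

Added example for this page; the events below are constructed samples, not real logs.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Control-access rights on the domain naming context that DCSync needs (well-known GUIDs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Assumption: machine accounts (upper case) of the real domain controllers, which replicate legitimately.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def _event(event_id, **fields):
    """Build one minimal Security-log event in the Windows event XML schema (constructed sample)."""
    data = "".join(f'<Data Name="{name}">{value}</Data>' for name, value in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Channel>Security</Channel></System><EventData>{data}</EventData></Event>")


# Constructed samples: one NTLMv1 logon, one NTLMv2 logon, one legitimate replication
# request from a DC machine account, and one replication request from a user account.
SAMPLE_EVENTS = [
    _event(4624, TargetUserName="LP1", TargetDomainName="CAMPUS", LogonType="3",
           AuthenticationPackageName="NTLM", WorkstationName="ATTACKER-BOX",
           LmPackageName="NTLM V1", IpAddress="10.0.5.23"),
    _event(4624, TargetUserName="jdoe", TargetDomainName="CAMPUS", LogonType="3",
           AuthenticationPackageName="NTLM", WorkstationName="WS-0412",
           LmPackageName="NTLM V2", IpAddress="10.0.7.8"),
    _event(4662, SubjectUserName="DC02$", SubjectDomainName="CAMPUS",
           ObjectName="DC=campus,DC=example", AccessMask="0x100",
           Properties="%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _event(4662, SubjectUserName="LP2", SubjectDomainName="CAMPUS",
           ObjectName="DC=campus,DC=example", AccessMask="0x100",
           Properties="%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
]


def parse_event(xml_text):
    """Return (event_id, {Data Name: text}) for one event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def ntlmv1_logons(events):
    """(account, workstation, source IP) for every 4624 that negotiated NTLM V1."""
    hits = []
    for xml_text in events:
        event_id, d = parse_event(xml_text)
        if (event_id == 4624 and d.get("AuthenticationPackageName") == "NTLM"
                and d.get("LmPackageName") == "NTLM V1"):
            hits.append((d["TargetDomainName"] + "\\" + d["TargetUserName"],
                         d.get("WorkstationName"), d.get("IpAddress")))
    return hits


def dcsync_attempts(events, dc_accounts=KNOWN_DC_ACCOUNTS):
    """(account, object) for every 4662 requesting replication rights from a non-DC account."""
    hits = []
    for xml_text in events:
        event_id, d = parse_event(xml_text)
        if event_id != 4662:
            continue
        props = d.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_GUIDS):
            continue
        subject = d.get("SubjectUserName", "")
        if subject.upper() in dc_accounts:
            continue  # replication between domain controllers is normal; anything else is suspect
        hits.append((d["SubjectDomainName"] + "\\" + subject, d.get("ObjectName")))
    return hits


if __name__ == "__main__":
    for account, host, ip in ntlmv1_logons(SAMPLE_EVENTS):
        print(f"NTLMv1 logon: {account} from {host} ({ip})")
    for account, obj in dcsync_attempts(SAMPLE_EVENTS):
        print(f"Possible DCSync: {account} requested replication of {obj}")
```

Two caveats for real use: 4662 events for replication rights only appear if Audit Directory Service Access is enabled and the domain object carries a SACL covering those control-access rights, and service accounts that replicate legitimately (for example a Microsoft Entra Connect / Azure AD Connect account) must be added to the allow-list alongside the domain controllers, or they will be flagged on every sync.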

Persistence methods and exploration tools

To keep access even if the stolen VPN credentials were reset or revoked, the attacker installed remote desktop tools such as TeamViewer and AnyDesk on compromised hosts and created new privileged user accounts of their own. In parallel, they ran IP and network scanners to map the infrastructure, locate sensitive systems and find further targets to extend the intrusion.

Detection triggered by suspicious tool usage

The university's Endpoint Detection and Response (EDR) system flagged the attacker's use of CrackMapExec. The alert prompted an immediate investigation, and by January 12 the IT team had disconnected the entire university network from the internet to contain the breach.

Possible ransomware intentions

The attackers tried to stop the university's virtual-machine backup services, on which recovery from an encryption event would depend. Disabling backups before encryption is standard behaviour for ransomware operators, who want to leave the victim no clean copy to restore from. No ransomware was actually deployed, but the tactic points to that intent.

Incident response and recovery

The university's response followed a structured sequence:
- Containment: disconnecting the network from the internet and terminating all VPN sessions.
- Recovery: resetting all passwords, then isolating and rebuilding compromised systems.
- Protection: deploying EDR on all endpoints and removing the attacker's remote access tools.
- Lessons learned: disabling NTLMv1 and reviewing the domain controller configurations that allowed the escalation.