TA 'faheem' Offers Unauthorized VPN Access to Multiple US-based Organizations


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

On February 16, 2025, CRIL’s source received information that the threat actor (TA) kyla (aka faheem), active on the Russian cybercrime forums XSS and Exploit, advertised unauthorized VPN access to multiple organizations based in the United States.

The following advisory provides an overview of the threat activity and an analysis of the information shared by the source, in order to evaluate the TA's claims and the potential impact on the targeted organizations.

Information from Source

The TA allegedly obtained unauthorized access to three organizations, and our source received ZoomInfo business profiles of the targeted organizations. The details are as follows:

| Organization | Sector | Country | Access Type | Privilege |
| --- | --- | --- | --- | --- |
| Bryson Financial Group | BFSI | United States | VPN | Domain User |
| Beach Lunch Lounge (Last Sportswear, Inc.) | Retail | United States | VPN | Domain User |
| The Marseille Developmental Biology Institute (IBDM) | Professional Services | France | SonicWall VPN | Domain Admin |

To corroborate their claims, the TA shared multiple screenshots suggesting access to a compromised system belonging to IBDM. The TA claimed that the compromised Windows machine stores over 250 TB of documentation and project data.

The screenshots (figure 1) shared by the TA were apparently captured from a window of FreeRDP, a free and open-source implementation of the Remote Desktop Protocol (RDP).

The TA agreed to provide test access via MeshCentral, a free web-based tool that enables remote control of computers over the internet. According to the TA, the network hosting the system contains 1,042 active hosts (figure 2).

Overview of the Actor’s Forum Activities

Threat actor kyla has been a member of the Russian-language cybercrime forum XSS since October 29, 2024, and has made a total of 8 posts, related to malware development or to selling unauthorized access. The TA has no reputation score on the forum and holds 0.0436 Bitcoin (approx. USD 4,202.56) in the forum's deposit.

The TA is also active on the Russian-language cybercrime forum Exploit as faheem. Joined on July 19, 2024, the TA has made a total of 25 posts, all related to selling unauthorized access. The TA has a positive reputation score (+2) on the forum, awarded by the forum's guarantor service and by a reputed seller for a successfully conducted transaction.

Assessment of the Actor & Information

Based on the threat actor's activity on the forums, we assess the reliability of the threat actor as B - Usually reliable.

Based on the overall analysis of the information on the incident and the proof of compromise suggesting impact on the mentioned organizations, we assess the credibility of their overall claims as 2 - Probably true.

"Assessment of the source/threat actor & information" - NATO's Admiralty Code

This section includes our researchers'/analysts' assessment based on NATO's Admiralty Code rating system. This rating system gives our researchers a standard method to assess the reliability of the source or threat actor/group covered in a cybercrime advisory, and the credibility of the actor's claims or of information derived from our sources.

The following table is referenced by researchers while assigning the ratings:

| Reliability of Source/Threat Actor | Credibility of Information/Threat Actor's claims |
| --- | --- |
| A - Completely reliable | 1 - Confirmed by other sources |
| B - Usually reliable | 2 - Probably true |
| C - Fairly reliable | 3 - Possibly true |
| D - Not usually reliable | 4 - Doubtful |
| E - Unreliable | 5 - Improbable |
| F - Reliability cannot be judged | 6 - Truth cannot be judged |

The above ratings are assigned based on the parameters described by NATO's Admiralty Code rating system, as follows:

"Reliability of Source/Threat Actor"

A - Completely reliable: No doubt of authenticity, trustworthiness, or competency; has a history of complete reliability

B - Usually reliable: Minor doubt about authenticity, trustworthiness, or competency; has a history of valid information/claim most of the time

C - Fairly reliable: Doubt of authenticity, trustworthiness, or competency but has provided valid information/claim in the past

D - Not usually reliable: Significant doubt about authenticity, trustworthiness, or competency but has provided valid information/claim in the past

E - Unreliable: Lacking in authenticity, trustworthiness, and competency; history of invalid information/claim

F - Reliability cannot be judged: No basis exists for evaluating the reliability of the source/actor

"Credibility of information/Threat Actor's claims"

1 - Confirmed by other sources: Confirmed by other independent sources; logical in itself; Consistent with other information/claim on the subject

2 - Probably True: Not confirmed; logical in itself; consistent with other information/claim on the subject

3 - Possibly True: Not confirmed; reasonably logical in itself; agrees with some other information/claim on the subject

4 - Doubtful: Not confirmed; possible but not logical; no other information/claim on the subject

5 - Improbable: Not confirmed; not logical in itself; contradicted by other information/claim on the subject

6 - Truth cannot be judged: No basis exists for evaluating the validity of the information/claim
