by draugadrotten 2683 days ago
The breach is still ongoing, according to statements on the dark web, 30 minutes ago (21:10 CET).

Quoted statement (translated from Swedish): "Do you think the incompetence is over? No. They haven't pulled the cable. Run Wireshark and send junk packets and you will see that the only thing being filtered is the SYN-ACK from the server. Randomised the seq number in the responses for about an hour and finally established a connection. What do you think I see? Fresh calls from just a few seconds ago in the folder /2019/."


How can you make a connection by guessing the seq number? What firewall rule allows such an attack?
My guess is that there were still some hosts allowed through the block (e.g. whatever is writing to that NAS), and that they were accessing the NAS with frequent new connections. The firewall only tracked transport layer state so the bad guy was able to hijack an existing session by sneaking in a correctly-numbered TCP segment inside an IP packet with his own IP address as the source.
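As an added illustration (not code from the thread or from anyone quoted in it) of the mechanism this comment hypothesises: a toy model that contrasts a filter matching only on transport-layer fields (ports plus sequence window) with one that also checks the IP address pair, and that shows why a blind sender needs only about 2^32/window guesses rather than 2^32. All addresses, ports, window size and the payload are constructed for the example.

```python
# Added example, not code from the thread: toy model of blind TCP segment
# injection through a filter that checks only transport-layer fields, versus
# one that also ties the segment to the tracked IP address pair.
import random

SEQ_SPACE = 2 ** 32          # TCP sequence numbers are 32-bit and wrap


def acceptable(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test, simplified to 'does seq fall inside
    [rcv_nxt, rcv_nxt + rcv_wnd)' with 32-bit wrap-around."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def expected_blind_guesses(rcv_wnd):
    """Expected number of random sequence numbers a blind sender must try
    before one lands in the window: the space shrinks from 2^32 to 2^32/wnd."""
    return SEQ_SPACE // rcv_wnd


class Flow:
    """Connection state a firewall might keep for one established session
    (constructed addresses and ports, not from the article)."""
    def __init__(self, client_ip, server_ip, sport, dport, rcv_nxt, rcv_wnd=65535):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.sport, self.dport = sport, dport
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd


def transport_only_filter(flow, pkt):
    """Weak rule: ports and sequence window are checked, the IP address pair
    is not. This is one reading of 'only tracked transport layer state'."""
    return ((pkt["sport"], pkt["dport"]) == (flow.sport, flow.dport)
            and acceptable(pkt["seq"], flow.rcv_nxt, flow.rcv_wnd))


def five_tuple_filter(flow, pkt):
    """Stateful rule: the full address/port tuple must match the tracked flow
    and the segment must still be in-window."""
    tuple_ok = ((pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
                == (flow.client_ip, flow.server_ip, flow.sport, flow.dport))
    return tuple_ok and acceptable(pkt["seq"], flow.rcv_nxt, flow.rcv_wnd)


def blind_inject(flow, passes, src_ip, rng, max_attempts):
    """Send segments with random sequence numbers from src_ip until the
    filter forwards one. Returns the attempt count, or None if it never does."""
    for attempt in range(1, max_attempts + 1):
        pkt = {"src": src_ip, "dst": flow.server_ip,
               "sport": flow.sport, "dport": flow.dport,
               "seq": rng.randrange(SEQ_SPACE),
               "payload": b"<constructed junk>"}
        if passes(flow, pkt):
            return attempt
    return None


def run_demo(seed=7):
    """Run three scenarios on a constructed flow and return the attempt
    counts (None means the attacker never got a segment through)."""
    rng = random.Random(seed)
    # Constructed flow: an allowed writer host talking to the NAS on SMB.
    flow = Flow("192.0.2.10", "198.51.100.5", 51234, 445,
                rcv_nxt=rng.randrange(SEQ_SPACE))
    attacker = "203.0.113.77"
    return {
        # Attacker's own address, weak filter: ~2^32/wnd guesses suffice.
        "transport_only": blind_inject(flow, transport_only_filter, attacker, rng, 1_000_000),
        # Attacker's own address, 5-tuple filter: dropped whatever the seq is.
        "five_tuple_own_ip": blind_inject(flow, five_tuple_filter, attacker, rng, 200_000),
        # Caveat: spoofing the allowed client's address defeats the 5-tuple
        # check too; only anti-spoofing at the edge or a small, unguessable
        # window helps there.
        "five_tuple_spoofed": blind_inject(flow, five_tuple_filter, flow.client_ip, rng, 1_000_000),
    }


if __name__ == "__main__":
    print("expected guesses with a 64 KiB window:", expected_blind_guesses(65535))
    for name, attempts in run_demo().items():
        print(f"{name}: {attempts}")
```

With a 65535-byte window the expected number of blind guesses is 65537, which is why an hour of random sequence numbers is enough in the weak-filter case; the third scenario is the practitioner's caveat that address-pair tracking alone does not stop a sender who spoofs the allowed client's address.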
Regardless of whether it is true, I unfortunately think Computer Sweden has been a bit naive here. They shouldn't have published this specific information ~3 hours after the server was "locked down" (as they state in the article). This isn't a company like e.g. Google, where correcting a mistake leaves them at "good security".