Hackers Using Stolen Active Directory Credentials to Access Networks
The U.S. Cybersecurity and Infrastructure Security Agency issued a new warning this week that cautions organizations using Pulse Secure VPN servers that their networks may still be vulnerable to hacking even if they applied patches for a previous flaw.
Although Pulse Secure released patches for the vulnerability in its VPN gateway servers in April 2019, CISA has recently found that attackers are using compromised Active Directory credentials to gain network access months after targeted organizations patched their software, according to the alert.
In one case, CISA found a threat actor attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to a targeted organization’s network. The hackers were attempting to escalate privileges within the networks and then install ransomware, according to the alert.
The agency also found that some attackers were using administrative tools such as LogMeIn and TeamViewer to gain persistence within networks. These tools would allow hackers to maintain their presence even if they lost their primary connection to the infected network, according to the alert.
CISA notes that attackers have targeted government agencies as well as private companies. Japan’s Computer Emergency Response Team Coordination Center issued its own warning after witnessing similar incidents.
In response to these attacks, CISA released its own tool on GitHub that can help organizations scan the log files of their Pulse Secure VPN servers and determine if the gateways had been compromised. The agency is also encouraging organizations to update and change their Active Directory passwords, according to the alert.
Vulnerable VPN Servers
These new alerts stem from a vulnerability in Pulse Secure VPN SSL servers that is currently tracked as CVE-2019-11510. If exploited, attackers could use the flaw to infect vulnerable VPN servers, which would then allow them to gain access to other parts of a targeted network, steal credentials, plant malware and execute arbitrary commands.
The CISA investigation also revealed that attackers could exploit the CVE-2019-11510 vulnerability to steal plaintext Active Directory credentials. If a targeted organization did not reset all of its passwords, the attackers could use those credentials to regain network access even after the Pulse Secure VPN servers were patched, according to the alert.
“Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access – and move laterally through – that organization’s network after the organization has patched this vulnerability if the organization did not change those stolen credentials,” according to the CISA alert.
While Pulse Secure released a patch for the vulnerability in April 2019, many organizations did not apply the fix. By August 2019, security researchers began to warn that attackers were scanning for open ports and looking for unpatched VPN servers (see: Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs).
In many cases, attackers were using these vulnerabilities to plant malware in networks, including ransomware, according to security experts.
At around the same time, Troy Mursch of Chicago-based threat intelligence firm Bad Packets warned that his firm’s honeypots had detected opportunistic, large-scale mass scanning activity by hackers looking for Pulse Secure VPN SSL servers. Mursch also warned there were possibly 15,000 unpatched Pulse VPN servers vulnerable to CVE-2019-11510.
In March, Bad Packets released another report showing that the number of vulnerable Pulse Secure VPN servers had dropped to about 2,100, which still left many organizations exposed.
Round 25 – CVE-2019-11510 Scan Results
Vulnerable Pulse Secure VPN servers detected: 2,099
Our latest vulnerability scan results are freely available for authorized government CERT, ISAC, and law enforcement teams.
— Bad Packets Report (@bad_packets) March 24, 2020
One issue is that many organizations still run their VPN servers with only single-factor authentication. Even if patches are in place, attackers can still access networks using stolen, but valid credentials, says Tim Wade, technical director of the CTO team at security firm Vectra.
“All too often, organizations are still running VPN access through a single factor of authentication, allowing stolen credentials to continue to provide valid, but unauthorized access irrespective of how vulnerable their VPN gateways are to direct exploitation,” Wade tells Information Security Media Group. “The ability to both increase authentication requirements beyond a single factor and perform continuous identity based monitoring around the misuse of credentials is an essential part of modern enterprise security architecture.”
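A detection along the lines Wade describes, as an added example that is not from the article, CISA, or Pulse Secure: it runs over constructed sample log lines in an assumed simplified format (not Pulse Secure's real log format) and flags successful logins that follow a burst of failures for the same account or come from a source address that account has never used before. The log layout, the `KNOWN_SOURCES` baseline and the thresholds are all assumptions for the example.

```python
"""Flag VPN logins that fit stolen-but-valid credential use: a success after a
burst of failures for the same account, or a success from an unseen source."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified format assumed for this example
# (not Pulse Secure's real log format). A burst of failures for "jdoe" ends in
# a success; "asmith" logs in from an address not in the baseline.
SAMPLE_LOG = """\
2020-04-14T02:01:05Z auth FAIL user=jdoe src=203.0.113.7
2020-04-14T02:01:20Z auth FAIL user=jdoe src=203.0.113.7
2020-04-14T02:01:35Z auth FAIL user=jdoe src=203.0.113.7
2020-04-14T02:01:50Z auth FAIL user=jdoe src=203.0.113.7
2020-04-14T02:02:05Z auth FAIL user=jdoe src=203.0.113.7
2020-04-14T02:09:41Z auth OK user=jdoe src=203.0.113.7
2020-04-14T08:30:00Z auth OK user=asmith src=198.51.100.20
2020-04-14T09:00:00Z auth OK user=bwong src=192.0.2.10
"""

# Constructed baseline of source addresses each account normally uses.
KNOWN_SOURCES = {"jdoe": {"192.0.2.5"}, "asmith": {"192.0.2.6"}, "bwong": {"192.0.2.10"}}

def parse_line(line):
    """Return (timestamp, result, user, src) for one log line."""
    ts, _, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def find_suspicious(log_text, known_sources, fail_threshold=5, window=timedelta(minutes=30)):
    """Return [(user, src, reason)] for each successful login that looks suspicious."""
    recent_fails = defaultdict(list)   # user -> timestamps of recent failures
    findings = []
    for line in log_text.splitlines():
        ts, result, user, src = parse_line(line)
        if result == "FAIL":
            recent_fails[user].append(ts)
            continue
        # Only failures inside the window count toward the burst.
        fails = [t for t in recent_fails[user] if ts - t <= window]
        if len(fails) >= fail_threshold:
            findings.append((user, src, f"success after {len(fails)} failures"))
        if src not in known_sources.get(user, set()):
            findings.append((user, src, "success from unseen source address"))
        recent_fails[user] = []  # a success closes the current burst
    return findings

if __name__ == "__main__":
    for user, src, reason in find_suspicious(SAMPLE_LOG, KNOWN_SOURCES):
        print(f"ALERT {user} from {src}: {reason}")
```

Either signal on its own is weak; the point of pairing them with an MFA requirement is that a stolen password alone no longer completes the login, and the monitoring then surfaces the attempts that would otherwise have succeeded silently.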
Organizations that left their Pulse Secure VPN unpatched have faced consequences.
In February, for example, security firm ClearSky reported that at least three advanced persistent threat groups, all with apparent ties to the Iranian government, have been taking advantage of unpatched Pulse Secure VPN to gain network access (see: Unpatched VPN Servers Hit by Apparent Iranian APT Groups).
In addition, the Wall Street Journal reported earlier this month that Travelex, a London-based foreign currency exchange, paid a ransomware gang $2.3 million to recover company data that had been encrypted. It was also reported earlier that the company was using unpatched Pulse Secure VPN servers (see: Travelex Paid $2.3 Million to Ransomware Gang: Report).
Managing Editor Scott Ferguson contributed to this report.