In most cases, hackers took control of the VPN servers and then pivoted to workstations on the company's internal network, where they either stole intellectual property, planted malware, or installed ransomware.
A new kink in Pulse Secure VPN attacks
However, in two security alerts published this month by Japan's Computer Emergency Response Team (JPCERT) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA), the two agencies say they detected a new kink in attacks.
According to the two, hackers have also been using access to the Pulse Secure VPN server to extract plaintext Active Directory (AD) credentials.
Now, JPCERT and CISA say they're seeing attacks where hackers are leveraging these stolen credentials to access internal networks even after companies patched Pulse Secure VPN gateways.
In an alert published yesterday, CISA said it was aware of "incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance."
"In one case, CISA observed a cyber threat actor attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to the customer environment to escalate privileges and drop ransomware," CISA said.
The US agency has released a tool on GitHub for companies that run Pulse Secure VPNs. The tool can be used to sift through their Pulse Secure logs and spot signs of a potential compromise. The tool scans for IP addresses and user-agents known to be associated with groups that have exploited Pulse Secure VPN servers.
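The log-sifting approach described above, as an added example written for this article rather than CISA's own tool: it walks Pulse-Secure-style login log lines and flags any whose source IP falls in an indicator list or whose user-agent contains a known-bad substring. The log format, the sample lines, the indicator values and the function names are all assumptions made for the example; CISA's tool ships its own indicator list, and the placeholder IPs below come from documentation ranges, not from any real attacker infrastructure.

```python
import ipaddress
import re

# Constructed sample log lines. The layout loosely imitates a Pulse Secure
# syslog export but is an assumption for this example, not a real capture.
SAMPLE_LOGS = [
    '2020-03-01 10:15:02 - ive - [10.0.0.5] Login succeeded for alice/Users '
    'from 203.0.113.7 with user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2020-03-01 10:16:44 - ive - [10.0.0.5] Login failed for admin/Admins '
    'from 198.51.100.23 with user-agent "python-requests/2.22.0"',
    '2020-03-01 10:18:09 - ive - [10.0.0.5] Login succeeded for bob/Users '
    'from 192.0.2.77 with user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)"',
    '2020-03-01 10:19:31 - ive - [10.0.0.5] Login succeeded for carol/Users '
    'from 203.0.113.9 with user-agent "curl/7.64.0"',
    '2020-03-01 10:20:00 - ive - [10.0.0.5] Session timeout for alice/Users',
]

# Placeholder indicators (assumed, not CISA's list). Entries may be single
# hosts or CIDR ranges; user-agent indicators are case-insensitive substrings.
IOC_IPS = ("198.51.100.23", "192.0.2.0/24")
IOC_USER_AGENT_SUBSTRINGS = ("python-requests", "curl/")

# Pulls the client address and the quoted user-agent out of a login line.
LINE_RE = re.compile(
    r'from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?user-agent "(?P<ua>[^"]*)"'
)


def build_networks(ioc_ips):
    """Normalise host and CIDR indicators into ip_network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in ioc_ips]


def scan_logs(lines, ioc_ips=IOC_IPS, ioc_uas=IOC_USER_AGENT_SUBSTRINGS):
    """Return (line_number, ip, user_agent, reasons) for every line that
    matches at least one indicator. Lines without a client IP and
    user-agent (e.g. session timeouts) are skipped."""
    networks = build_networks(ioc_ips)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = LINE_RE.search(line)
        if not match:
            continue
        ip = ipaddress.ip_address(match["ip"])
        ua = match["ua"]
        reasons = []
        if any(ip in net for net in networks):
            reasons.append(f"ip:{ip}")
        for needle in ioc_uas:
            if needle.lower() in ua.lower():
                reasons.append(f"ua:{needle}")
        if reasons:
            hits.append((lineno, str(ip), ua, reasons))
    return hits


if __name__ == "__main__":
    for lineno, ip, ua, reasons in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {ip} {ua!r} -> {', '.join(reasons)}")
```

Matching user-agents by substring rather than exact string is deliberate: automated tooling tends to vary its version suffix, and a single hit on an indicator IP or agent is a trigger for the credential-reset step CISA describes, not proof of compromise on its own.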
CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If, after applying the detection measures in this alert, organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrator and service accounts.