DHS Warns Hackers Compromising Patched VPNs with Stolen Credentials
Organizations that have patched vulnerable Pulse Secure VPNs are still being compromised, due to hackers leveraging stolen credentials to access internal networks, DHS CISA warns.
Hackers are using stolen credentials to gain access to internal networks through Pulse Secure virtual private networks (VPNs), even when the victim organization has patched a well-known vulnerability, according to an alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).
In light of the spike in telework, telehealth, and other remote care during the COVID-19 pandemic, it’s imperative that healthcare organizations review their VPN security and the CISA alert to ensure the security of their remote platforms, as hackers have continued to target the sector during the crisis.
One year ago, DHS CISA alerted organizations to the CVE-2019-11510 vulnerability, found in a host of popular VPNs, which could allow an attacker to gain access to a system if exploited. The vendors released patches throughout the year, while researchers and CISA alike continued to urge organizations to apply the updates to avoid compromise.
By January, thousands of VPNs remained unpatched and vulnerable. The FBI has sent multiple alerts regarding the flaw in recent months, as hackers continue to target the endpoints.
But the latest CISA alert highlights a greater issue: organizations and users continue to reuse passwords and fail to update credentials. Japan’s Computer Emergency Response Team (JCERT), along with CISA, has noted that hackers are gaining access to Pulse Secure VPN servers to exfiltrate Active Directory credentials in plaintext.
As a result, companies that failed to update their passwords are seeing hackers gain access to their networks through the VPN, even if they’ve applied the software update.
“Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access—and move laterally through—that organization’s network after the organization has patched this vulnerability if the organization did not change those stolen credentials,” the alert reads.
“CISA has conducted multiple incident response engagements at US government and commercial entities where malicious cyber threat actors have exploited [the flaw]… affecting Pulse Secure VPN appliances to gain access to victim networks,” it continues.
In fact, hackers have used the stolen credentials up to a month after the victim applied the VPN patch. CISA explained that the threat actors are using valid accounts tied to external remote services for initial access, remote services for lateral movement, data encryption for impact, and exfiltration of data for sale on the dark web.
As noted in the previous alerts, hackers gain initial access through a pre-authentication arbitrary file read vulnerability on Pulse Secure VPN appliances. A remote attacker can exploit the flaw to request arbitrary files from the server. The vulnerability stems from a directory traversal that is hard-coded to be allowed when the path contains dana/html5/acc.
When the flaw is exploited, the hacker can obtain the contents of /etc/passwd, which includes basic information about local system accounts. A successful exploit also provides the hacker with other files that are useful for further remote exploitation.
“By requesting the data.mdb object, an attacker can leak plaintext credentials of enterprise users,” CISA wrote. “Open-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords.”
“However, CISA has not observed this behavior,” they added. “By reviewing victim VPN appliance logs, CISA has noted cyber threat actors crafting requests that request files that allow for credential dumping plaintext passwords from the VPN appliance…. CISA determined it was possible to leak the domain administrator password that was used to join the device to the domain without saving the credentials.”
Despite the hackers’ use of Tor infrastructure and virtual private servers to reduce the possibility of detection, CISA has observed the threat actors creating scheduled tasks and remote access trojans to establish persistence, amassing files for exfiltration, and executing ransomware on the victim’s network environment. The threat actors have even been observed successfully installing ransomware at hospitals.
Because the threat actors use legitimate credentials and legitimate remote-access channels, conventional antivirus and endpoint detection and response tools do not detect this type of activity. If a sensor has visibility into the external interface of the VPN and appropriate rules are established, an intrusion detection system may notice an exploit of the flaw.
To improve the probability of detecting an exploit, organizations should turn on authenticated request logging and check logs for exploit attempts. System administrators should review logs to detect lateral movement, and should manually review logs for unauthorized sessions and attempted exploits, “especially sessions from unexpected geo-locations.”
Lastly, CISA developed an indicators of compromise (IOC) detection tool that allows system administrators to triage logs, if authenticated request logging is turned on, and to automatically search for IOCs associated with the known vulnerability. The tool is not exhaustive, but it can find evidence of attempted compromise.
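The log review the alert recommends, as an added example that is not from the article, from CISA’s IOC tool, or from Pulse Secure: a small triage script that scans request logs for the two signals described above, directory traversal toward sensitive files such as /etc/passwd or data.mdb (the path marker dana/html5/acc the article names is reported when it accompanies a traversal), and authenticated sessions from countries outside an expected allowlist. The log line layout, the GeoIP country column, the allowlist, and the sample lines are all constructed assumptions for this example; a real Pulse Secure log would need its own parser in place of LINE_RE.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (an assumed layout, not Pulse Secure's real format):
# timestamp, source IP, GeoIP country, authenticated user ("-" if none), method, path.
SAMPLE_LOG = """\
2020-04-16T08:01:12Z 203.0.113.7 US jdoe GET /dana-na/auth/welcome.cgi
2020-04-16T08:03:45Z 198.51.100.23 NL - GET /dana/html5/acc/../../../../../../etc/passwd
2020-04-16T08:04:02Z 198.51.100.23 NL - GET /dana/html5/acc/..%2F..%2F..%2F..%2Fdata.mdb
2020-04-16T09:15:30Z 192.0.2.44 RU svc_backup GET /dana/home/index.cgi
2020-04-16T09:20:00Z 203.0.113.8 US admin GET /dana/home/index.cgi
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<country>[A-Z]{2}) (?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Files the article names as targets of the arbitrary file read.
SENSITIVE_TARGETS = ("/etc/passwd", "data.mdb")
# Path marker the article names as the hard-coded traversal allowance.
TRAVERSAL_MARKER = "dana/html5/acc"


def normalize(path):
    """Decode twice so single- and double-URL-encoded '../' both collapse to '../'."""
    return unquote(unquote(path)).lower()


def classify_request(path):
    """Return the list of reasons a request path looks like an exploit attempt ([] if clean)."""
    p = normalize(path)
    reasons = []
    if TRAVERSAL_RE.search(p):
        reasons.append("directory traversal")
        if TRAVERSAL_MARKER in p:
            reasons.append(f"traversal under {TRAVERSAL_MARKER}")
    for target in SENSITIVE_TARGETS:
        if target in p:
            reasons.append(f"sensitive file {target}")
    return reasons


def scan_log(text, allowed_countries):
    """Scan log text; flag exploit-looking requests and authenticated sessions from
    countries outside allowed_countries. Returns one finding dict per flagged line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently trust it
        rec = m.groupdict()
        reasons = classify_request(rec["path"])
        if rec["user"] != "-" and rec["country"] not in allowed_countries:
            reasons.append(
                f"authenticated session from unexpected geo-location {rec['country']}"
            )
        if reasons:
            findings.append(
                {"ts": rec["ts"], "ip": rec["ip"], "user": rec["user"], "reasons": reasons}
            )
    return findings


def suspect_ips(findings):
    """Source IPs that issued traversal requests, for blocking or further review."""
    return {f["ip"] for f in findings if "directory traversal" in f["reasons"]}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, allowed_countries={"US"}):
        print(f["ts"], f["ip"], f["user"], "; ".join(f["reasons"]))
    print("suspect IPs:", sorted(suspect_ips(scan_log(SAMPLE_LOG, {"US"}))))
```

Run against the constructed sample the script flags the two traversal requests from 198.51.100.23 (the second one only after URL decoding, which is why the decode step matters) and the svc_backup session from an unexpected country. A traversal hit is evidence of an exploit attempt, not proof of success; per the alert, any account that could have been read from the appliance should still be treated as exposed and rotated.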
CISA recommended organizations apply the updates to their VPN and change the passwords to all Active Directory accounts, including administrators and service accounts. Administrators should also look for unauthorized applications and scheduled tasks in their environment and remove any remote access programs not approved by the enterprise.
Further, all remote access trojans must be removed, and administrators should carefully inspect scheduled tasks for scripts or executables that could enable a hacker to connect to their environment.
“If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying back into the environment,” according to the alert. “CISA recommends performing checks to ensure the infection is gone even if the workstation or host has been reimaged.”