Published on April 18th, 2020
Hacker used stolen AD credentials to ransom hospitals
Hackers have deployed ransomware on the systems of U.S. hospitals and government entities using Active Directory credentials that were stolen by exploiting a known pre-auth remote code execution (RCE) vulnerability in their Pulse Secure VPN servers and then used months later.
Even though the vulnerability tracked as CVE-2019-11510 was patched by Pulse Secure one year ago, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned organizations in January 2020 to patch their Pulse Secure VPN servers against ongoing attacks, after another alert issued in October 2019.
The FBI also said in a flash security alert from January that state-sponsored actors have breached the networks of a U.S. municipal government and a U.S. financial entity after exploiting vulnerable Pulse Secure VPN appliances.
Despite all these warnings, CISA had to issue one more alert this week urging organizations to immediately patch CVE-2019-11510 to block attackers from gaining access to their networks and stealing domain administrator credentials.
Ransoms, hospitals, and govt entities
“CISA observed—once credentials were compromised—cyber threat actors accessing victim network environments via the Pulse Secure VPN appliances,” the alert explains.
“Cyber threat actors used Connection Proxies—such as Tor infrastructure and virtual private servers (VPSs)—to minimize the chance of detection when they connected to victim VPN appliances.”
One of the threat actors CISA observed using stolen credentials after exploiting Pulse Secure VPN appliances was able to infect and encrypt the systems of several hospitals and U.S. government entities using ransomware payloads.
The same actor was also spotted by the cybersecurity agency while “attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to the customer environment to escalate privileges and drop ransomware.”
Threat actors were also observed while using remote administration tools like TeamViewer and LogMeIn as improvised backdoors designed to help gain persistence on their victims’ networks even after they got kicked out.
Patching is just the first mitigation step
If left unpatched, CVE-2019-11510 could allow remote unauthenticated attackers to compromise vulnerable VPN servers, “gain access to all active users and their plain-text credentials,” and execute arbitrary commands; the stolen credentials remain usable after patching if the organization did not also change passwords.
However, even after patching the vulnerable Pulse Secure VPN servers, “CISA has observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.”
“The attacks leveraging the vulnerabilities in Pulse Connect Secure are still ongoing and even combined with ransomware, which may impact the business continuity of organizations,” JPCERT confirmed earlier this month.
CISA released an open-source utility dubbed check-your-pulse and designed to help companies analyze their Pulse Secure VPN appliance logs to find indicators of compromise and decide if a full Active Directory account password reset is needed.
Already patched Pulse Secure CVE-2019-11510? You may have been compromised before patching. If so, you’re still vulnerable to attack. See our Alert https://t.co/eTa5rrbR6O for new detection methods and #IOC search tool https://t.co/0waOsgzFEg. #Cybersec…
— US-CERT (@USCERT_gov) April 16, 2020
On August 25, 2019, cyber threat intelligence firm Bad Packets discovered 14,528 unpatched Pulse Secure servers; last month, after conducting its 25th round of vulnerability scans, it still found 2,099 vulnerable Pulse Secure VPN servers accessible over the Internet.
“CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510,” the agency concludes.
“If—after applying the detection measures in this alert—organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and service accounts.”
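The point CISA makes above is that patching the appliance does nothing about credentials harvested before the patch: any account whose password has not changed since then is still exposed. The following PowerShell script is an added example, not CISA's check-your-pulse tool or anything from Pulse Secure; it assumes the ActiveDirectory RSAT module on a domain-joined host with read access, and takes the appliance patch date as a parameter to list enabled accounts whose password predates it, privileged accounts first, so a defender can size and prioritize the reset the alert recommends.

```powershell
<#
  Added example (not CISA's or Pulse Secure's code).
  Lists enabled AD user accounts whose password was last set before the date
  the VPN appliance was patched: those credentials could have been captured
  via CVE-2019-11510 and are still valid. The -PatchDate value is supplied by
  the operator; the report path is an assumed default.
#>
param(
    [Parameter(Mandatory = $true)][datetime]$PatchDate,
    [string]$ReportPath = ".\stale-credentials.csv"
)

Import-Module ActiveDirectory

# PasswordLastSet of $null means the password was never set or is flagged
# "must change at next logon"; treat it as stale rather than silently skip it.
$stale = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, LastLogonDate, AdminCount |
    Where-Object { ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $PatchDate) } |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
        @{ Name = 'Privileged'; Expression = { $_.AdminCount -eq 1 } } |
    Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, SamAccountName

$stale | Export-Csv -Path $ReportPath -NoTypeInformation

# Summary for the incident log: how many accounts still carry a pre-patch
# password, and how many of those are in protected (AdminCount=1) groups.
$privileged = @($stale | Where-Object { $_.Privileged }).Count
Write-Output ("Accounts with password set before {0:yyyy-MM-dd}: {1} (privileged: {2})" -f `
    $PatchDate, @($stale).Count, $privileged)
Write-Output "Report written to $ReportPath"
```

Run it as `.\stale-credentials.ps1 -PatchDate 2020-01-15` (a constructed date) from an account that can read user attributes. AdminCount only reflects membership in protected groups, so the privileged flag is a triage aid rather than a complete list of sensitive accounts; accounts used by services should be reviewed from the same report regardless of the flag, as the alert calls for resetting them too.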