DHS CISA: Companies Are Getting Hacked Even After Patching Pulse Secure VPNs (zdnet.com) 9
According to the DHS's Cybersecurity and Infrastructure Security Agency (CISA), companies that run Pulse Secure VPN servers are still at risk of getting hacked, despite patching vulnerable systems. ZDNet reports: Pulse Secure VPN servers are enterprise-grade VPN gateways that companies use to let workers connect to internal company networks from across the internet. Last year, a major vulnerability was disclosed in these products. The vulnerability, tracked as CVE-2019-11510, allowed hackers to run malicious code on vulnerable servers. [...] According to the [DHS CISA and Japan's Computer Emergency Response Team (JPCERT)], hackers have also been using access to the Pulse Secure VPN server to extract plaintext Active Directory (AD) credentials.
Now, JPCERT and CISA say they're seeing attacks where hackers are leveraging these stolen credentials to access internal networks even after companies patched Pulse Secure VPN gateways. In an alert published yesterday, CISA said it was aware of "incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance." The U.S. agency has released a tool on GitHub for companies that run Pulse Secure VPNs. The tool can be used to sift through their Pulse Secure logs and spot signs of a potential compromise. The tool scans for IP addresses and user-agents known to be associated with groups that have exploited Pulse Secure VPN servers.
Now, JPCERT and CISA say they're seeing attacks where hackers are leveraging these stolen credentials to access internal networks even after companies patched Pulse Secure VPN gateways. In an alert published yesterday, CISA said it was aware of "incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance." The U.S. agency has released a tool on GitHub for companies that run Pulse Secure VPNs. The tool can be used to sift through their Pulse Secure logs and spot signs of a potential compromise. The tool scans for IP addresses and user-agents known to be associated with groups that have exploited Pulse Secure VPN servers.
"Enterprise grade" (Score:4, Interesting)
"Enterprise grade" - invariably far more broken than just about any other "grade".
Re: (Score:2)
I'm sure you're right, but I'll be forced to point out that Builder's Grade has become synonymous with "the cheapest possible option.
Re: (Score:3)
"Enterprise grade" - invariably far more broken than just about any other "grade".
I'm sure you're right, but I'll be forced to point out that Builder's Grade has become synonymous with "the cheapest possible option.
And probably both for the same reason.
Re: (Score:2)
Enterprise grade = Most broken for the highest possible price + you get support!! As far as I can tell that means you call them, tell them there's a bug, they sound really really sorry and feel your pain and then tell you the fix will be in the next version which is out in 3 months.... make sure you keep paying your support fees ....
Re: (Score:2)
"Enterprise grade" - invariably far more broken than just about any other "grade".
But on the plus-side (for the vendor), a lot more expensive!
Reminds me that the only HDD that I ever got DoA (with visibly destroyed components and the sealed ESD bag completely pristine) was a Seagate "Enterprise" drive.
Just As Concerning (Score:2)
Re: (Score:2)
Of course the Pulse VPN vulnerabilities are extremely concerning given their high severity and large number of related vulnerabilities and the fact that the issues are still not fixed is shameful. However, why are Active Directory credentials being sent in plain text? I mean, what year is this? And why does Microsoft even allow such a configuration to exist at this point?
Once you hack the VPN endpoint, you effectively have the keys to the back end auth server so encryption is moot. From there you can snarf up the whole LDAP database. And then you can use those credentials to attack any other public facing portals the organization has that use the same authentication database.
This is why enterprises should always use 2FA.
Not surprising at all (Score:2)
most of them are same (Score:1)