CISA is warning administrators that cybercriminals who exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access that organization’s network after the organization has patched this vulnerability if the organization does not change those stolen credentials. CISA has also released a tool that helps network administrators search for indicators of compromise associated with exploitation of this vulnerability.
CISA determined that cyber threat actors have been able to obtain plaintext Active Directory credentials after gaining Initial Access to a victim organization’s network via VPN appliances. Cyber threat actors used these Valid Accounts in conjunction with:
- External Remote Services for access,
- Remote Services for Lateral Movement to move quickly throughout victim network environments, and
- Data Encrypted for Impact, as well as
- Exfiltration and sale of the data.
CISA used a test environment to send crafted requests to confirm the open-source reporting and validate what the cyber threat actors had access to. CISA’s test environment consisted of a domain controller (DC) running Windows Server 2016, an attacker machine, and a Pulse Secure VPN appliance version 9.0R3 (build 64003). CISA connected the attacker machine to the external interface of the Pulse Secure VPN appliance and the DC to the internal interface.
CISA created three accounts for the purpose of validating the ability to compromise them by exploiting CVE-2019-11510:
- Local Pulse Secure Admin account
  - Username: admin; Password: pulse-local-password
- Domain Administrator Account
  - Username: Administrator; Password: domain-admin-password1
- CISA-test-user Account
  - Username: cisa-test-user; Password: Use_s3cure_passwords
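The warning above is that patching the appliance does nothing for credentials that were already read while it was vulnerable. A defender-side check for that condition, added here as an example (not CISA's tool or any code from the advisory), is to compare each account's last password change against the time the appliance was patched and flag every account that has not been rotated since. The account records and the patch timestamp below are constructed; in practice the records would come from the directory (the `pwdLastSet` attribute) and from the appliance's local admin configuration.

```python
from datetime import datetime, timezone

# Constructed sample records: the three lab accounts described in the advisory.
# Timestamps are made up for illustration; a real run would pull pwdLastSet
# from Active Directory and the local admin account from the appliance.
ACCOUNTS = [
    {"name": "admin",          "source": "pulse-local", "pwd_last_set": "2019-03-01T09:00:00Z"},
    {"name": "Administrator",  "source": "domain",      "pwd_last_set": "2019-02-15T12:00:00Z"},
    {"name": "cisa-test-user", "source": "domain",      "pwd_last_set": "2020-04-20T08:30:00Z"},
]

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accounts_needing_rotation(accounts, patch_time):
    """Return the names of accounts whose password was last set at or before the
    time the appliance was patched. Any such credential may have been disclosed
    through CVE-2019-11510 while the appliance was vulnerable, and it remains
    valid after the patch until it is changed."""
    patch_dt = parse_ts(patch_time)
    stale = []
    for acct in accounts:
        if parse_ts(acct["pwd_last_set"]) <= patch_dt:
            stale.append(acct["name"])
    return stale

def rotation_report(accounts, patch_time):
    """Group the accounts that still need rotation by where they live, so the
    appliance's local admin account is not overlooked when only AD is reset."""
    stale = set(accounts_needing_rotation(accounts, patch_time))
    report = {}
    for acct in accounts:
        if acct["name"] in stale:
            report.setdefault(acct["source"], []).append(acct["name"])
    return report

if __name__ == "__main__":
    # Constructed patch time; use the real patch/reboot time of your appliance.
    print(rotation_report(ACCOUNTS, "2019-04-25T00:00:00Z"))
```

Accounts whose password was changed after the patch are not flagged, but the appliance's local admin account should be treated as compromised and reset regardless of what the directory reports.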