
posted by Fnord666 on Thursday April 23 2020, @01:49AM
from the patience-is-a-virtue dept.

US govt: Hacker used stolen AD credentials to ransom hospitals:

Hackers have deployed ransomware on the systems of U.S. hospitals and government entities using stolen Active Directory credentials months after exploiting a known remote code execution (RCE) vulnerability in their Pulse Secure VPN servers.

[...] "CISA observed—once credentials were compromised—cyber threat actors accessing victim network environments via the Pulse Secure VPN appliances," the alert explains.

"Cyber threat actors used Connection Proxies—such as Tor infrastructure and virtual private servers (VPSs)—to minimize the chance of detection when they connected to victim VPN appliances."

One of the threat actors CISA observed using stolen credentials after exploiting Pulse Secure VPN appliances was able to infect and encrypt the systems of several hospitals and U.S. government entities using ransomware payloads.

The same actor was also spotted by the cybersecurity agency while "attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to the customer environment to escalate privileges and drop ransomware."

Threat actors were also observed while using remote administration tools like TeamViewer and LogMeIn as improvised backdoors designed to help gain persistence on their victims' networks even after they got kicked out.
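The alert describes two things a defender can look for in VPN appliance logs: successful logins arriving through Tor exits or VPS proxies, and accounts that succeed only after a burst of failed connection attempts. The following is an added example, not code from the article or from CISA; the log format, the sample lines and the proxy address list are all constructed stand-ins (a real deployment would feed it the appliance's own auth log and a current Tor exit / hosting-range feed).

```python
import re
from collections import defaultdict

# Constructed, simplified VPN authentication log lines (not real appliance output).
SAMPLE_LOG = """\
2020-03-01T02:11:04Z vpn-gw1 auth user=jdoe src=198.51.100.7 result=FAIL
2020-03-01T02:11:09Z vpn-gw1 auth user=jdoe src=198.51.100.7 result=FAIL
2020-03-01T02:11:15Z vpn-gw1 auth user=jdoe src=198.51.100.7 result=FAIL
2020-03-01T02:12:40Z vpn-gw1 auth user=jdoe src=203.0.113.50 result=OK
2020-03-01T08:30:00Z vpn-gw1 auth user=asmith src=192.0.2.33 result=OK
"""

# Constructed placeholder standing in for a Tor exit-node / VPS range feed.
SUSPECT_SOURCES = {"203.0.113.50", "198.51.100.7"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>OK|FAIL)$"
)

def parse(log_text):
    """Turn the constructed log text into a list of event dicts, in file order."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_suspicious_logins(events, suspect_sources, fail_threshold=3):
    """Alert on successful logins that come from a suspect source address or
    that follow fail_threshold or more consecutive failures on the same account."""
    fails = defaultdict(int)   # consecutive failures per account since last success
    alerts = []
    for ev in events:          # events are assumed to be in chronological order
        if ev["res"] == "FAIL":
            fails[ev["user"]] += 1
            continue
        reasons = []
        if ev["src"] in suspect_sources:
            reasons.append("source in proxy/Tor list")
        if fails[ev["user"]] >= fail_threshold:
            reasons.append(f"{fails[ev['user']]} prior failures")
        if reasons:
            alerts.append((ev["ts"], ev["user"], ev["src"], reasons))
        fails[ev["user"]] = 0  # a success resets the failure streak
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(parse(SAMPLE_LOG), SUSPECT_SOURCES):
        print(alert)
```

On the sample data only the jdoe login is flagged, for both reasons; the asmith login from an unlisted address with no preceding failures is left alone.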
