Cybersecurity agencies in the United States and Japan warned this month that companies running Pulse Secure VPN servers are still at risk, even after patching vulnerable systems.

Pulse Secure VPN servers are enterprise-grade VPN gateways that companies use to let employees connect to internal business networks from the internet.

A significant vulnerability in these products was disclosed last year. The vulnerability, tracked as CVE-2019-11510, allowed hackers to execute malicious code on vulnerable servers.

The vulnerability was widely exploited by all types of hacker groups, from nation-state entities to ransomware gangs.

In most cases, the hackers took control of the VPN servers and then moved on to workstations in the company's internal network, where they stole intellectual property, planted malware, or installed ransomware.

A new pattern in Pulse Secure VPN attacks

However, in two security alerts issued this month, the Japan Computer Emergency Response Team (JPCERT) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) say they have detected a new pattern in these attacks.

According to the two, hackers have also been using Pulse Secure VPN server access to extract Active Directory (AD) credentials.

Now, JPCERT and CISA say they are seeing attacks in which hackers leverage these stolen credentials to gain access to internal networks, even after companies have patched their Pulse Secure VPN gateways.

In an alert issued yesterday, CISA said it was aware of “incidents involving Active Directory credentials being compromised when months after the victim organization patched its VPN device.”

“In one case, CISA saw a cyber-threat actor attempting to sell stolen credentials after 30 unsuccessful attempts to connect to the client environment to escalate privileges and drop ransomware,” CISA said.

The US agency has released a tool on GitHub for companies that run Pulse Secure VPNs. The tool can be used to search Pulse Secure logs and flag signs of possible compromise. It looks for IP addresses and user agents known to be associated with groups that have exploited Pulse Secure VPN servers.
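The kind of check described above, matching log entries against known IP addresses and user agents, can be sketched as follows. This is an added example, not CISA's tool: the key=value log layout, the sample lines and the indicator values (documentation address ranges and a made-up agent string) are all constructed placeholders.

```python
import ipaddress
import re

# Placeholder indicators (documentation address ranges, made-up agent string);
# real values would come from the agency's alert, not from this example.
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.77/32")]
BAD_AGENT_SUBSTRINGS = ["examplescanner/1.0"]

# Constructed log lines in an assumed key=value layout (not the appliance's format).
SAMPLE_LOG = '''\
2020-04-16 10:02:11 src=192.0.2.10 user=jdoe agent="Mozilla/5.0 (Windows NT 10.0)" msg="Login succeeded"
2020-04-16 10:05:42 src=203.0.113.7 user=svc-backup agent="Mozilla/5.0 (X11; Linux)" msg="Login succeeded"
2020-04-16 10:06:03 src=192.0.2.99 user=- agent="ExampleScanner/1.0" msg="File request"
2020-04-16 10:07:30 src=not-an-ip user=asmith agent="Mozilla/5.0" msg="Login failed"
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def match_reasons(fields):
    """List which indicator types (ip, user-agent) a parsed line matches."""
    reasons = []
    try:
        addr = ipaddress.ip_address(fields.get("src", ""))
        if any(addr in net for net in BAD_NETWORKS):
            reasons.append("ip")
    except ValueError:
        pass  # malformed or missing source address: cannot match on IP
    agent = fields.get("agent", "").lower()
    if any(s in agent for s in BAD_AGENT_SUBSTRINGS):
        reasons.append("user-agent")
    return reasons

def triage(log_text):
    """Return (line_number, user, reasons) for every line with a hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = parse_line(line)
        reasons = match_reasons(fields)
        if reasons:
            hits.append((n, fields.get("user", "-"), reasons))
    return hits

if __name__ == "__main__":
    for n, user, reasons in triage(SAMPLE_LOG):
        print(f"line {n}: user={user} matched {', '.join(reasons)}")
```

A hit on a line that also records a successful login names an account whose session came from a flagged source, which is useful context when reviewing Active Directory activity.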

CISA strongly urges organizations that have not already done so to upgrade their Pulse Secure VPN to the patches corresponding to CVE-2019-11510. If, after applying the detection measures in this alert, organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrator and service accounts.