Pulse Secure VPN

CISA found that the attacker(s) had access to the enterprise’s network for nearly a year, between March 2020 and February 2021. According to its investigation, the threat actor connected to the entity’s network via a Pulse Secure Virtual Private Network (VPN) appliance. CISA reports that it “does not know how the threat actor initially obtained these credentials” but, by coincidence, just two days ago we detailed multiple Pulse Secure vulnerabilities that are being actively exploited in the wild and that could enable such an attack. The attacker(s) authenticated to the VPN appliance through several user accounts that did not have multi-factor authentication (MFA) enabled, and were able to masquerade as legitimate teleworking employees.

From there they moved laterally to the entity’s SolarWinds Orion server to establish a backdoor that would allow them to persist, so they could still connect even if their initial point of entry was closed. Web shells are usually small scripts that act as a backdoor or a first point of entry for an attacker.