Credential Harvesting for Fun & Profit

A recent FireEye report details a suspected APT Authentication Bypass Zero-Day Attack.

The attack is massive in scope. Multiple intrusions were observed at defense, government and financial institutions worldwide.

The attack’s origin appears to be from Pulse Secure VPN login flows. Malicious actors granted themselves administrator-level privileges and then moved laterally within networks.

This attack highlights two major areas of concern:

  1. Weakness in certain virtual private network (VPN) configurations leading to credential harvesting, and
  2. The overall vulnerability with static credentials to authenticate network users.

In the current environment where a dispersed workforce is the norm, VPN’s can be an effective way for organizations to establish secure connections between corporate resources and remote workers. However, when a supposedly “trusted” connection is compromised, users wrongly believe that they are operating within a protected environment — creating a false sense of security.

Moreover, this attack highlights the importance of protecting system credentials. This is the broader issue. Once a bad actor obtains a trusted credential, the system accepts the malefactor as trusted user.

At QWERX, we are hard at work in developing a system based on ephemeral credentials—not stored anywhere, never exchanged and never reused.

In this way, we eliminate a broad attack vector for bad guys of all stripes. No credential to steal, no malicious system access with a stolen credential!

Leave a Comment