Hacker Used Stolen Active Directory Credentials to Ransom Hospitals
upstart writes in with an IRC submission for AnonymousCoward:
US govt: Hacker used stolen AD credentials to ransom hospitals:
Hackers have deployed ransomware on the systems of U.S. hospitals and government entities using stolen Active Directory credentials months after exploiting a known remote code execution (RCE) vulnerability in their Pulse Secure VPN servers.
[...] "CISA observed, once credentials were compromised, cyber threat actors accessing victim network environments via the Pulse Secure VPN appliances," the alert explains.
"Cyber threat actors used Connection Proxies, such as Tor infrastructure and virtual private servers (VPSs), to minimize the chance of detection when they connected to victim VPN appliances."
One of the threat actors CISA observed using stolen credentials after exploiting Pulse Secure VPN appliances was able to infect and encrypt the systems of several hospitals and U.S. government entities using ransomware payloads.
The same actor was also spotted by the cybersecurity agency while "attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to the customer environment to escalate privileges and drop ransomware."
Threat actors were also observed using remote administration tools such as TeamViewer and LogMeIn as improvised backdoors, giving them persistence on their victims' networks even after they had been evicted.
Read more of this story at SoylentNews.