A near miss intercepted by Solis MDR highlights the importance of MFA

A compromised VPN account nearly gave a threat actor free rein inside a corporate network – but Solis MDR stopped them in their tracks

Intercepting a live network compromise

The Solis MDR team recently thwarted a threat actor who infiltrated a customer’s network via a compromised virtual private network (VPN) account, detecting and containing the incident as they attempted to perform reconnaissance within the environment.

Our endpoint detection and response (EDR) tooling, SentinelOne, alerted us to a series of suspicious commands originating from an unmanaged endpoint. The user of the unknown device was trying to detect the presence of the EDR agent on a number of remote hosts and establish persistence by creating malicious services and scheduled tasks.


> cmd.exe /Q /c tasklist|findstr /i *sentin* 1> \Windows\Temp\BbefWk 2>&1

As this was indicative of hands-on-keyboard threat actor activity, this immediately triggered our critical incident process. We gathered the available information and sent an initial escalation to the customer, following up with a phone call to ensure they were aware of the ongoing incident.

This is usually the stage at which we would isolate any affected endpoints from the network to prevent lateral movement, but as the source device was unmanaged and the commands were blocked, there was no need to isolate any devices from the network in this instance.

Solis MDR quickly identified suspicious activity under an additional account. We advised the customer to disable the affected accounts to contain the activity while we conducted a full investigation and validated that there were no malicious artefacts on the target hosts.

Together with the customer, we identified that the source endpoint was connected via the corporate VPN. The customer confirmed that VPN accounts did not require multi-factor authentication (MFA) to log in, rendering them vulnerable to brute force attacks.

On reviewing logs from the VPN, Solis MDR confirmed this to be the likely root cause. Our analysts observed a large number of failed logins against one of the identified accounts, followed by a success when the threat actor guessed the correct password.
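The pattern the analysts spotted in the VPN logs, a burst of failed logins against one account followed by a success, can be picked out automatically. The following is an added example, not Solis MDR's tooling or the customer's logs: it runs a sliding-window check over a constructed, hypothetical VPN authentication log format and flags every successful login that was preceded by a threshold number of failures for the same account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (hypothetical format, not from the post).
# Fields: timestamp, event, user, source IP. Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T02:10:01Z AUTH_FAIL user=jsmith src=203.0.113.10
2024-05-01T02:10:03Z AUTH_FAIL user=jsmith src=203.0.113.10
2024-05-01T02:10:05Z AUTH_FAIL user=jsmith src=203.0.113.10
2024-05-01T02:10:07Z AUTH_FAIL user=jsmith src=203.0.113.10
2024-05-01T02:10:09Z AUTH_FAIL user=jsmith src=203.0.113.10
2024-05-01T02:10:11Z AUTH_FAIL user=jsmith src=203.0.113.10
2024-05-01T02:10:40Z AUTH_OK user=jsmith src=203.0.113.10
2024-05-01T08:15:00Z AUTH_FAIL user=alee src=198.51.100.7
2024-05-01T08:15:30Z AUTH_OK user=alee src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>AUTH_FAIL|AUTH_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, event, user, src); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["event"], m["user"], m["src"]


def find_guessed_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (user, src, failure_count, success_ts) for every successful login
    preceded by at least `threshold` failures for the same account within `window`."""
    recent_fails = defaultdict(list)  # user -> timestamps of failures still in window
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip lines in other formats rather than crash the scan
        ts, event, user, src = parsed
        # Drop failures that have aged out of the sliding window.
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window]
        if event == "AUTH_FAIL":
            recent_fails[user].append(ts)
        elif len(recent_fails[user]) >= threshold:
            hits.append((user, src, len(recent_fails[user]), ts))
            recent_fails[user].clear()  # one alert per guessed-then-succeeded burst
    return hits
```

On the sample log this flags only jsmith (six failures, then success from the same source); alee's single typo-then-success is below the threshold. A single successful login after a failure burst is a stronger signal than the failures alone, which is why the success event is what raises the alert.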

With no MFA, they faced no further challenge to gain access to the network. Luckily, Solis MDR blocked their initial activities and our team was able to contain and investigate the incident before they could do anything more damaging – like stealing data or deploying ransomware.

With the incident successfully contained and the root cause identified, Solis MDR advised the customer to rotate the affected accounts’ credentials and enable MFA on their VPN.

As well as highlighting the importance of MFA, the incident demonstrated that it is critical to put in place the people, processes, and technology to effectively detect and respond to cyber security incidents, ensuring a swift response to minimise the impact to your business.

Solis MDR for Endpoint provides 24/7 monitoring, investigation, and remediation of cyber security threats to your organisation’s workstations, laptops, and servers. Contact our team today at enquiries.uk@solissecurity.com to discuss how we can protect your business.