
Cybersecurity · Credibility 40/100 · 5 min read

Cybersecurity Briefing — Pulse Secure credential heists persist even after CVE-2019-11510 patching

CISA’s AA20-107A update shows that organizations which patched Pulse Secure VPN appliances but never rotated stolen accounts are still being looted, prompting rapid credential resets, log review, and use of CISA’s detection script.

Executive briefing: AA20-107A warns that patching CVE-2019-11510 is not the finish line—Pulse Secure VPN appliances that were compromised before patching still leak cached credentials, letting ransomware crews and data thieves walk through remote access portals months later. CISA released a GitHub scanner and detailed the techniques used to steal data.mdb, plaintext admin passwords, and Active Directory credentials so response teams know exactly where to hunt.

Immediate detection and reset moves

  • Run CISA’s check-your-pulse tool. Point the script at every appliance to look for exploitation artifacts, HTML5 gateway abuse, and credential dumps noted in the alert.
  • Rotate every secret tied to the VPN. Reset appliance local admins, service accounts used to join domains, and any users that authenticated through Guacamole or HTML5 gateways so attackers cannot reuse tokens.
  • Hunt for lateral movement. Review RDP, SMB, and backup logs during the timeframe when the VPN was exposed—AA20-107A documents how adversaries chained Valid Accounts with RDP and file shares before encrypting systems.

Hardening and monitoring

  • Scrub appliance file systems. Follow CISA’s guidance to inspect /data/runtime/mtmp/lmdb/data.mdb and similar locations for stored secrets, and redeploy from clean images if tampering is suspected.
  • Instrument credential vaults. Require privileged account check-in and MFA for all VPN administrative actions so that stolen passwords alone can’t deliver persistence.
  • Stage network-wide password spraying detections. The alert highlights how attackers recycle credentials against other services—tie VPN telemetry to SIEM rules covering Exchange, Citrix, and identity providers.
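The hunt described in the two lists above, as an added example that is not part of the original briefing or CISA's tooling: it flags accounts that authenticated through the appliance while it was exploitable and still have a pre-patch password, then surfaces later logons by those accounts on other services. The exposure window, log fields and all events are constructed for the example.

```python
from datetime import datetime

# Constructed window (not taken from the alert): when the appliance was
# exploitable and when it was finally patched.
EXPOSURE_START = datetime(2019, 8, 1)
PATCH_TIME = datetime(2019, 10, 1)

# Constructed VPN authentication events: (timestamp, user, source_ip)
VPN_AUTH = [
    ("2019-09-03T10:12:00", "alice", "203.0.113.10"),
    ("2019-09-15T22:40:00", "svc-backup", "198.51.100.7"),
    ("2019-10-20T08:00:00", "bob", "203.0.113.22"),
]

# Constructed directory data: user -> pwdLastSet
PWD_LAST_SET = {
    "alice": "2019-11-02T09:00:00",       # rotated after patching
    "svc-backup": "2018-01-10T00:00:00",  # never rotated
    "bob": "2019-06-01T00:00:00",
}

# Constructed post-patch logons on other services: (timestamp, user, service, source_ip)
OTHER_AUTH = [
    ("2019-12-05T03:14:00", "svc-backup", "rdp", "192.0.2.50"),
    ("2019-12-05T03:20:00", "svc-backup", "smb", "192.0.2.50"),
    ("2019-12-06T11:00:00", "alice", "exchange", "203.0.113.10"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def stale_credentials(vpn_auth, pwd_last_set, start, patch):
    """Accounts that used the VPN during the exposure window and whose
    password has not been set since the patch date (i.e. still reusable)."""
    exposed = {u for t, u, _ in vpn_auth if start <= _ts(t) < patch}
    never = "1970-01-01T00:00:00"  # treat unknown pwdLastSet as never rotated
    return sorted(u for u in exposed if _ts(pwd_last_set.get(u, never)) < patch)


def suspicious_reuse(other_auth, stale, patch):
    """Post-patch logons on non-VPN services by accounts still carrying a
    pre-patch password: candidates for the Valid Accounts -> RDP/SMB chain."""
    return [(t, u, svc, ip) for t, u, svc, ip in other_auth
            if u in stale and _ts(t) >= patch]


if __name__ == "__main__":
    stale = stale_credentials(VPN_AUTH, PWD_LAST_SET, EXPOSURE_START, PATCH_TIME)
    print("reset immediately:", stale)
    for event in suspicious_reuse(OTHER_AUTH, set(stale), PATCH_TIME):
        print("review:", event)
```

Feed the real appliance access logs and a pwdLastSet export into the same two functions; the output is the reset list and the logon events to review.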

Source excerpts

Primary — patching alone isn’t enough: “Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access…that organization’s network after the organization has patched this vulnerability if the organization did not change those stolen credentials.”

CISA — AA20-107A

Primary — plaintext credentials exposed: “CISA determined that cyber threat actors have been able to obtain plaintext Active Directory credentials after gaining Initial Access to a victim organization’s network via VPN appliances.”

CISA — AA20-107A