How hackers target your Active Directory with breached VPN passwords - Related to your, target, active, directory, outlook

How hackers target your Active Directory with breached VPN passwords

As the gateways to corporate networks, VPNs are an attractive target for attackers seeking access to Active Directory environments. And when VPN credentials become compromised — through something as seemingly innocuous as an employee reusing a password — your entire network's security could be at risk.

Here’s what you need to know about how hackers use breached VPN passwords and how you can protect your organization.

A Virtual Private Network (VPN) creates an encrypted tunnel between a user's device and your corporate network, facilitating secure remote access to internal resources. Through encrypted connections, VPNs safeguard data transmission across any network, ensuring secure communication even over unsecured public internet access points.

Organizations rely on VPNs for two primary use cases: supporting remote work and providing secure access to internal resources from external locations. But the expanded use of VPNs creates new security challenges when credentials become compromised.

How breached VPN passwords lead to Active Directory compromise.

Specops’ recent research reveals that over [website] million VPN passwords have been stolen in the past year. Attackers employ multiple techniques to harvest VPN credentials, from deploying sophisticated malware and crafting convincing phishing campaigns to installing keyloggers and creating deceptive VPN login portals.

These stolen credentials are then collected into massive password databases and traded on dark web marketplaces, allowing attackers to easily purchase access to corporate networks. But the most significant risk isn't just the initial theft — it's password reuse.

Many employees use their Active Directory credentials to access corporate VPNs, a common and often intentional configuration. And some employees reuse these same passwords for personal VPN services.

Studies show that 52% of adults reuse passwords across multiple accounts, with one in eight using the same password for all their online services.

Password reuse creates a dangerous scenario: when attackers breach a personal VPN service, they potentially gain access to corporate Active Directory credentials. Even major VPN providers remain vulnerable. ProtonVPN clients had over [website] million credentials stolen, while ExpressVPN and NordVPN each lost nearly 100,000 passwords to malware.

After obtaining valid VPN credentials, attackers gain initial network access by impersonating legitimate clients. Once inside, they employ various techniques for lateral movement, including pass-the-hash and pass-the-ticket attacks, which use compromised authentication tokens to access additional systems without needing the original passwords.

Attackers then focus on escalating their privileges, exploiting vulnerabilities or using social engineering to gain administrative access.

Compromised admin VPN credentials are the equivalent of hitting the jackpot, allowing hackers to immediately tamper with domain controllers and security settings. But even standard user accounts are valuable, as they let attackers gradually work toward domain admin access through privilege escalation attacks.

Defending against breached VPN passwords.

Aiming to protect your Active Directory against compromised VPN credentials? Your approach must go beyond enforcing basic password requirements. The following security measures can help defend your organization against unauthorized access.

Traditional password complexity requirements aren’t enough to provide adequate protection. To bolster your security, your organization’s password policies should prevent employees from using known compromised passwords, regardless of complexity. Additionally, require regular password changes and enforce password history rules to help mitigate the impact of any breach.

One of the best ways to provide additional security is to implement MFA for VPN access — requiring a second authentication factor keeps attackers with valid credentials from accessing your systems. Your organization should deploy MFA using authenticator apps or hardware tokens and require it for all VPN connections.

Intrusion detection systems (IDS) and security information and event management (SIEM) tools let you monitor VPN login attempts and user activity. Your security teams should look for unusual patterns, such as off-hours access, multiple failed login attempts, or connections from unexpected locations. And remember to perform security audits regularly, as these can identify potential vulnerabilities before attackers can exploit them.

Offer regular security awareness training that focuses on helping clients identify phishing attempts and understand the risks of password reuse. Additionally, help employees recognize legitimate VPN login pages and learn safe password practices, such as using password managers to generate and store unique credentials.

Scanning Active Directory for breached passwords.

To prevent security gaps and catch potential vulnerabilities before hackers can exploit them, regularly scan your Active Directory passwords against databases of known compromised credentials.

Tools like Specops Password Policy let you continuously monitor your Active Directory passwords against an extensive database of compromised credentials, preventing the use of stolen passwords before they lead to a breach.

Take action against compromised credentials.

Remote work and cloud services are here to stay, making VPN security more crucial than ever. And when attackers breach VPN credentials, they can take control of your entire Active Directory environment.

By implementing strong password policies, deploying MFA, maintaining vigilant monitoring, and regularly scanning for compromised credentials, you can reduce your exposure to VPN-based attacks.

With the proper security controls and tools, like Specops Password Policy, you can prevent attackers from using stolen VPN passwords to breach your Active Directory.

Sponsored and written by Specops Software.

Residents across the United States are being inundated with text messages purporting to come from to...

An insufficient validation input flaw, one of 11 patched in an improvement this week, could allow for arb...

CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP....

How to Steer AI Adoption: A CISO Guide

CISOs are finding themselves more involved in AI teams, often leading the cross-functional effort and AI strategy. But there aren't many resources to guide them on what their role should look like or what they should bring to these meetings.

We've pulled together a framework for security leaders to help push AI teams and committees further in their AI adoption—providing them with the necessary visibility and guardrails to succeed. Meet the CLEAR framework.

If security teams want to play a pivotal role in their organization's AI journey, they should adopt the five steps of CLEAR to show immediate value to AI committees and leadership:

– an AI asset inventory L – Learn what customers are doing.

– what consumers are doing E – Enforce your AI policy.

– AI use cases R – Reuse existing frameworks.

If you're looking for a solution to help take advantage of GenAI securely, check out Harmonic Security.

Alright, let's break down the CLEAR framework.

A foundational requirement across regulatory and best-practice frameworks—including the EU AI Act, ISO 42001, and NIST AI RMF—is maintaining an AI asset inventory.

Despite its importance, organizations struggle with manual, unsustainable methods of tracking AI tools.

Security teams can take six key approaches to improve AI asset visibility:

Procurement-Based Tracking – Effective for monitoring new AI acquisitions but fails to detect AI elements added to existing tools. Manual Log Gathering – Analyzing network traffic and logs can help identify AI-related activity, though it falls short for SaaS-based AI. Cloud Security and DLP – Solutions like CASB and Netskope offer some visibility, but enforcing policies remains a challenge. Identity and OAuth – Reviewing access logs from providers like Okta or Entra can help track AI application usage. Extending Existing Inventories – Classifying AI tools based on risk ensures alignment with enterprise governance, but adoption moves quickly. Specialized Tooling – Continuous monitoring tools detect AI usage, including personal and free accounts, ensuring comprehensive oversight. Includes the likes of Harmonic Security.

Learn: Shift to Proactive Identification of AI Use Cases.

Security teams should proactively identify AI applications that employees are using instead of blocking them outright—consumers will find workarounds otherwise.

By tracking why employees turn to AI tools, security leaders can recommend safer, compliant alternatives that align with organizational policies. This insight is invaluable in AI team discussions.

Second, once you know how employees are using AI, you can give more effective training. These training programs are going to become increasingly critical amid the rollout of the EU AI Act, which mandates that organizations provide AI literacy programs:

"Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems…"

Most organizations have implemented AI policies, yet enforcement remains a challenge. Many organizations opt to simply issue AI policies and hope employees follow the guidance. While this approach avoids friction, it provides little enforcement or visibility, leaving organizations exposed to potential security and compliance risks.

Typically, security teams take one of two approaches:

Secure Browser Controls – Some organizations route AI traffic through a secure browser to monitor and manage usage. This approach covers most generative AI traffic but has drawbacks—it often restricts copy-paste functionality, driving customers to alternative devices or browsers to bypass controls. DLP or CASB Solutions – Others leverage existing Data Loss Prevention (DLP) or Cloud Access Security Broker (CASB) investments to enforce AI policies. These solutions can help track and regulate AI tool usage, but traditional regex-based methods often generate excessive noise. Additionally, site categorization databases used for blocking are frequently outdated, leading to inconsistent enforcement.

Striking the right balance between control and usability is key to successful AI policy enforcement.

And if you need help building a GenAI policy, check out our free generator: GenAI Usage Policy Generator.

Most of this discussion is about securing AI, but let's not forget that the AI team also wants to hear about cool, impactful AI use cases across the business. What advanced way to show you care about the AI journey than to actually implement them yourself?

AI use cases for security are still in their infancy, but security teams are already seeing some benefits for detection and response, DLP, and email security. Documenting these and bringing these use cases to AI team meetings can be powerful – especially referencing KPIs for productivity and efficiency gains.

Instead of reinventing governance structures, security teams can integrate AI oversight into existing frameworks like NIST AI RMF and ISO 42001.

A practical example is NIST CSF [website], which now includes the "Govern" function, covering: Organizational AI risk management strategies Cybersecurity supply chain considerations AI-related roles, responsibilities, and policies Given this expanded scope, NIST CSF [website] offers a robust foundation for AI security governance.

Take a Leading Role in AI Governance for Your business.

Security teams have a unique opportunity to take a leading role in AI governance by remembering CLEAR:

reating AI asset inventories L earning user behaviors.

earning user behaviors E nforcing policies through training.

nforcing policies through training A pplying AI use cases for security.

pplying AI use cases for security Reusing existing frameworks.

By following these steps, CISOs can demonstrate value to AI teams and play a crucial role in their organization's AI strategy.

To learn more about overcoming GenAI adoption barriers, check out Harmonic Security.

Microsoft on Tuesday released fixes for 63 security flaws impacting its software products, including two vulnerabilities that it introduced has come under a......

Nicht nur Cyberkriminelle möchten mittels Schadsoftware auf Mobilgeräten herumschnüffeln und Daten abschnorcheln – auch Regierungen und Gehei......

Microsoft has released the KB5051974 cumulative enhancement for Windows 10 22H2 and Windows 10 21H2, which automatically installs the new Outlook for Windo......

Windows 10 KB5051974 update force installs new Microsoft Outlook app

Microsoft has released the KB5051974 cumulative modification for Windows 10 22H2 and Windows 10 21H2, which automatically installs the new Outlook for Windows app and fixes a memory leak bug.

The Windows 10 KB5051974 enhancement is mandatory as it contains Microsoft's January 2025 Patch Tuesday security updates.

However, as this improvement is mandatory, it will automatically start installing in Windows once you check for updates. To make this more manageable, you can schedule a time when your computer is restarted to finish the installation.

Windows 10 KB5051974 cumulative revision preview.

After installing this improvement, Windows 10 22H2 will be updated to build [website] and Windows 10 21H2 will be build [website].

Windows 10 consumers can also manually download and install the KB5051974 modification from the Microsoft modification Catalog.

The KB5051974 enhancement includes fixes for numerous bugs in Windows 10, including one that prevented Capture Service and Snipping Tool from responding and a memory leak bug.

This revision includes a total of eleven fixes or changes, with the highlighted ones listed below:

[Mail] New! You now have the new Outlook for Windows app. A new app icon appears in the Apps section on the Start menu, near classic Outlook. There are no changes to any settings or defaults. If you are an IT admin, learn how to manage this revision at Control the installation and use of new Outlook.

You now have the new Outlook for Windows app. A new app icon appears in the Apps section on the Start menu, near classic Outlook. There are no changes to any settings or defaults. If you are an IT admin, learn how to manage this enhancement at Control the installation and use of new Outlook. [Screen capture] Fixed: The Capture Service and Snipping Tool stop responding. This occurs when you press the Windows logo key+Shift+S several times while the Narrator is on.

Fixed: The Capture Service and Snipping Tool stop responding. This occurs when you press the Windows logo key+Shift+S several times while the Narrator is on. [Chinese Pinyin input method editor (IME)] Bing will stop giving automatic suggestions in the search box for search engine sites like Baidu. To get manual suggestions, use Ctrl+Tab or the chevron button (>).

Bing will stop giving automatic suggestions in the search box for search engine sites like Baidu. To get manual suggestions, use Ctrl+Tab or the chevron button (>). [Digital/Analog converter (DAC) (known issue)] Fixed: You might experience issues with USB audio devices. This is more likely when you use a DAC audio driver based on USB [website] USB audio devices might stop working, which stops playback.

Fixed: You might experience issues with USB audio devices. This is more likely when you use a DAC audio driver based on USB [website] USB audio devices might stop working, which stops playback. [USB audio device drivers] Fixed: The code 10 error message, "This device cannot start," appears. This occurs when you connect to certain external audio management devices.

Fixed: The code 10 error message, "This device cannot start," appears. This occurs when you connect to certain external audio management devices. [USB cameras] Fixed: Your device does not recognize the camera is on. This issue occurs after you install the January 2025 security upgrade.

Fixed: Your device does not recognize the camera is on. This issue occurs after you install the January 2025 security upgrade. [Virtual memory] Fixed: An issue depletes virtual memory, which might cause some apps to fail.

Microsoft says that there are three known issues, all of which were introduced in previous updates.

After installing the improvement, OpenSSH connections on Windows may no longer work as the SSHD service fails to start automatically. This can be fixed by manually starting the SSHD service.

"Following the installation of the October 2024 security improvement, some end-clients analysis that the OpenSSH (Open Secure Shell) service fails to start, preventing SSH connections. The service fails with no detailed logging, and manual intervention is required to run the [website] process," explains Microsoft.

Microsoft also says that the January 2025 and later Windows updates may fail if Citrix Session Recording Agent (SRA) version 2411 is installed on the device.

"As a workaround, stop the Session Recording Monitoring service, install the Microsoft security upgrade, and enable the Session Recording Monitoring service," explains a Citrix support bulletin.

Devices with certain Citrix components installed might be unable to complete the January 2025 Windows security enhancement installation. This issue was observed on devices with Citrix Session Recording Agent (SRA) version 2411. The 2411 version of this application was released in December 2024.

Finally, the Windows EventViewer may incorrectly display an Event 7023 error about [website], stating, "The System Guard Runtime Monitor Broker service terminated with the following error: %%3489660935."

Microsoft says that [website] currently serves no purpose and that this error does not impact any functionality on the device and will be fixed in future updates.

A complete list of fixes can be found in the KB5051974 support bulletin and last month's KB5050081 preview enhancement bulletin.

Nicht nur Cyberkriminelle möchten mittels Schadsoftware auf Mobilgeräten herumschnüffeln und Daten abschnorcheln – auch Regierungen und Gehei......

The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as a......

While the first article outlined why VPNs are risky and cloud-based RDP is a superior alternative, this article will take a closer look at what makes ......