
How hackers target your Active Directory with breached VPN passwords


As the gateways to corporate networks, VPNs are an attractive target for attackers seeking access to Active Directory environments. And when VPN credentials become compromised — through something as seemingly innocuous as an employee reusing a password — your entire network's security could be at risk.

Here’s what you need to know about how hackers use breached VPN passwords and how you can protect your organization.

The role of VPNs in network security

A Virtual Private Network (VPN) creates an encrypted tunnel between a user's device and your corporate network, giving remote users secure access to internal resources. Because traffic inside the tunnel is encrypted, the VPN protects data in transit across any network, including unsecured public internet access points.

Organizations rely on VPNs for two primary use cases: supporting remote work and providing secure access to internal resources from external locations. But the expanded use of VPNs creates new security challenges when credentials become compromised.

How breached VPN passwords lead to Active Directory compromise

Specops’ recent research reveals that over 2.1 million VPN passwords have been stolen in the past year. Attackers employ multiple techniques to harvest VPN credentials, from deploying sophisticated malware and crafting convincing phishing campaigns to installing keyloggers and creating deceptive VPN login portals.

These stolen credentials are then collected into massive password databases and traded on dark web marketplaces, allowing attackers to easily purchase access to corporate networks. But the most significant risk isn't just the initial theft — it's password reuse.

Many employees use their Active Directory credentials to access corporate VPNs, a common and often intentional configuration. And some employees reuse these same passwords for personal VPN services.

Studies show that 52% of adults reuse passwords across multiple accounts, with one in eight using the same password for all their online services.

Password reuse creates a dangerous scenario: when attackers breach a personal VPN service, they potentially gain access to corporate Active Directory credentials. Even major VPN providers remain vulnerable. ProtonVPN users had over 1.3 million credentials stolen, while ExpressVPN and NordVPN each lost nearly 100,000 passwords to malware.

How hackers use breached passwords

After obtaining valid VPN credentials, attackers gain initial network access by impersonating legitimate users. Once inside, they employ various techniques for lateral movement, including pass-the-hash and pass-the-ticket attacks, which use compromised authentication tokens to access additional systems without needing the original passwords.

Attackers then focus on escalating their privileges, exploiting vulnerabilities or using social engineering to gain administrative access.

Compromised admin VPN credentials are the equivalent of hitting the jackpot, allowing hackers to immediately tamper with domain controllers and security settings. But even standard user accounts are valuable, as they let attackers gradually work toward domain admin access through privilege escalation attacks.

Defending against breached VPN passwords

Aiming to protect your Active Directory against compromised VPN credentials? Your approach must go beyond enforcing basic password requirements. The following security measures can help defend your organization against unauthorized access.

Strengthening password policies

Traditional password complexity requirements aren’t enough to provide adequate protection. To bolster your security, your organization’s password policies should prevent employees from using known compromised passwords, regardless of complexity. Additionally, require regular password changes and enforce password history rules to help mitigate the impact of any breach.


Multi-factor authentication (MFA)

One of the best ways to provide additional security is to implement MFA for VPN access — requiring a second authentication factor means a stolen password alone is not enough for an attacker to log in. Your organization should deploy MFA using authenticator apps or hardware tokens and require it for all VPN connections.

Monitoring and auditing

Intrusion detection systems (IDS) and security information and event management (SIEM) tools let you monitor VPN login attempts and user activity. Your security teams should look for unusual patterns, such as off-hours access, multiple failed login attempts, or connections from unexpected locations. And remember to perform security audits regularly, as these can identify potential vulnerabilities before attackers can exploit them.
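As an added illustration (not code from the article or from Specops), here is how the three patterns above could be checked over VPN authentication logs. The log format, office hours, failure threshold and country allowlist are constructed assumptions, and the block adds one rule the article does not list, an impossible-travel check for the same account appearing in two countries within a few hours.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample VPN authentication log: "timestamp user result country".
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice SUCCESS US
2024-03-04T02:47:33 bob SUCCESS US
2024-03-04T10:01:05 carol FAIL US
2024-03-04T10:01:09 carol FAIL US
2024-03-04T10:01:14 carol FAIL US
2024-03-04T10:02:40 carol SUCCESS US
2024-03-04T11:30:00 alice SUCCESS RU
"""
# Assumed tuning values; a real deployment derives these from its own baseline.
OFFICE_HOURS = (time(7, 0), time(19, 0))   # local window in which logins are normal
FAIL_THRESHOLD = 3                         # failures per user before alerting
EXPECTED_COUNTRIES = {"US"}                # where the workforce normally connects from
TRAVEL_WINDOW = timedelta(hours=6)         # two countries closer in time than this is suspicious

def parse(log_text):
    events = []
    for line in log_text.splitlines():     # one event per line in the constructed format
        ts, user, result, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "country": country})
    return events

def detect(events):
    """Return (rule, user) alerts for the patterns the article lists."""
    alerts, fails, last_ok = [], defaultdict(int), {}
    for e in events:
        user, ts, country = e["user"], e["ts"], e["country"]
        if e["result"] == "FAIL":
            fails[user] += 1
            if fails[user] == FAIL_THRESHOLD:         # burst of failed logins
                alerts.append(("failed_login_burst", user))
            continue
        if fails[user] >= FAIL_THRESHOLD:             # guessing that finally succeeded
            alerts.append(("success_after_failures", user))
        fails[user] = 0
        if not OFFICE_HOURS[0] <= ts.time() <= OFFICE_HOURS[1]:
            alerts.append(("off_hours", user))
        if country not in EXPECTED_COUNTRIES:
            alerts.append(("unexpected_location", user))
        prev = last_ok.get(user)                      # same account, two countries, hours apart
        if prev and prev[1] != country and ts - prev[0] < TRAVEL_WINDOW:
            alerts.append(("impossible_travel", user))
        last_ok[user] = (ts, country)
    return alerts
```

Feeding real SIEM exports into `parse` only requires adapting the field split; the rules in `detect` stay the same.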

Employee training and awareness

Offer regular security awareness training that focuses on helping users identify phishing attempts and understand the risks of password reuse. Additionally, help employees recognize legitimate VPN login pages and learn safe password practices, such as using password managers to generate and store unique credentials.

Scanning Active Directory for breached passwords

To prevent security gaps and catch potential vulnerabilities before hackers can exploit them, regularly scan your Active Directory passwords against databases of known compromised credentials.

Tools like Specops Password Policy let you continuously monitor your Active Directory passwords against an extensive database of compromised credentials, preventing the use of stolen passwords before they lead to a breach.
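The following is an added example, not Specops' code and not a description of how Specops Password Policy works internally, showing the two checks called for here and in the password-policy section above: reject a password that appears in a compromised-credential set even when it satisfies every complexity rule, and reject one that matches the account's history. The breached-hash set and `range_lookup` are constructed stand-ins for a real feed; the prefix-only query mirrors the k-anonymity style used by some public breach-check services.

```python
import hashlib
import re

# Constructed stand-in for a breached-credential corpus: SHA-1 hex digests of
# passwords assumed to have appeared in leaks. A real deployment uses a large,
# continuously updated feed instead of this short list.
_LEAKED_PLAINTEXTS = ["Password1!", "Summer2024!", "Welcome123$", "letmein"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _LEAKED_PLAINTEXTS}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_lookup(prefix):
    """Simulated k-anonymity range query: the caller sends only the first 5 hex
    characters of the SHA-1 and gets back every stored suffix with that prefix,
    so the full hash (and the password) never leaves the caller."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def is_breached(password):
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])

def meets_complexity(password):
    """Traditional rule set: at least 8 chars with upper, lower, digit and symbol."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(password) >= 8 and all(re.search(c, password) for c in classes)

def evaluate(password, previous_hashes=()):
    """Policy decision for a proposed password. previous_hashes holds hashes of
    the account's earlier passwords (SHA-1 here for illustration; Active Directory
    keeps NT hashes). Complexity is checked first, but passing it is not enough."""
    if not meets_complexity(password):
        return "rejected: complexity"
    if sha1_hex(password) in previous_hashes:
        return "rejected: reused"
    if is_breached(password):
        return "rejected: breached"
    return "accepted"
```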


Take action against compromised credentials

Remote work and cloud services are here to stay, making VPN security more important than ever. And when attackers breach VPN credentials, they can take control of your entire Active Directory environment.

By implementing strong password policies, deploying MFA, maintaining vigilant monitoring, and regularly scanning for compromised credentials, you can reduce your exposure to VPN-based attacks.

With the proper security controls and tools, like Specops Password Policy, you can prevent attackers from using stolen VPN passwords to breach your Active Directory.

Get in touch for a free trial.

Sponsored and written by Specops Software.
