PASSED: security / client_vpn_credential_compromise

Client VPN Credential Compromise — Unauthorized Access

A client's VPN credentials are found on a dark web dump. Unauthorized connections are detected from foreign IPs through the client's site-to-site VPN tunnel. The attacker is pivoting through the VPN to access internal resources. Immediate tunnel teardown and credential rotation required.

Pattern: VPN_TUNNEL_DOWN
Severity: CRITICAL
Confidence: 90%
Remediation: Remote Hands

Test Results

Metric                 Expected          Actual                                                                   Result
Pattern Recognition    VPN_TUNNEL_DOWN   VPN_TUNNEL_DOWN
Severity Assessment    CRITICAL          CRITICAL
Incident Correlation   Yes               42 linked
Cascade Escalation     Yes               Yes
Remediation            Remote Hands      Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

Site-to-site IPSec VPN to client office. Credentials compromised via phishing. 3 unauthorized IPs connecting through tunnel. Lateral movement detected. Client has 50 users. VPN uses pre-shared key (not certificates).

Injected Error Messages (3)

1. Unauthorized VPN connections detected — vpn tunnel from 3 unknown source IPs (185.x.x.x range) through client fw-client-01, vpn tunnel established using compromised pre-shared key, geographic anomaly: connections from Eastern Europe for US-based client
2. VPN tunnel anomaly — vpn tunnel carrying unusual traffic patterns, data exfiltration signature detected, 15GB transferred in 2 hours (normal: 500MB/day), vpn tunnel being used for lateral movement to internal subnets 10.20.0.0/24 and 10.20.1.0/24
3. Lateral movement through compromised VPN tunnel — IDS detecting port scanning from VPN subnet, attacker pivoting through vpn tunnel to reach file servers and domain controller, credential stuffing attempts against AD from VPN-connected IP

Neural Engine Root Cause Analysis

The VPN gateway fw-client-01 has been compromised through a leaked or stolen pre-shared key, allowing unauthorized connections from Eastern European IP addresses in the 185.x.x.x range. The gateway appears to have been taken down either as an automatic security response or by manual intervention following the breach. The 16 correlated incidents suggest this compromise may have affected multiple services or clients, indicating a potentially widespread security incident.

Remediation Plan

1. Immediately isolate the compromised VPN gateway from the network to prevent lateral movement.
2. Revoke the compromised pre-shared key and generate new authentication credentials.
3. Block all connections from the identified 185.x.x.x IP range at the perimeter firewall.
4. Conduct forensic analysis to determine the scope of the breach and data exposure.
5. Audit all recent VPN connections for unauthorized access patterns.
6. Reset all VPN client configurations with new pre-shared keys.
7. Implement additional monitoring for geographic anomalies and connection patterns.
8. Only restore VPN service after security clearance and implementation of enhanced security controls.

Tested: 2026-03-30 | Monitors: 3 | Incidents: 3 | Test ID: cmncjrc9c03zaobqenrvdmpa0