From VPN Compromise to Ransomware: 5 Real-World Incident Response Scenarios
ID: 77188914-d30d-5c7a-aa7d-6cae6674ca31
STIX ID: report--77188914-d30d-5c7a-aa7d-6cae6674ca31
Feed Name: Intrinsec Blog
CERT Intrinsec presents five real-world VPN compromise scenarios observed during incident response engagements — ranging from early vulnerability detection and containment to credential harvesting (including NTDS dumps), lateral movement and full ransomware intrusions — illustrating exploitation of vulnerabilities (e.g., CVE-2024-55591, CVE-2024-40711 and references to CVE-2019-13379), weak configurations and exposed management interfaces; the paper concludes with practical recommendations for patch management, MFA, access reduction, monitoring (centralised logs, IOCs, EASM), forensic readiness and rebuilding procedures.
