Keensafe Breach & Attack Sim

bas-004 — Leaked VPN credential → internal access

critical · risk 90 · Identity

The CTI feed surfaced the credential pair vpn.user@keensafeglobalbank.com:Summer2025!. Combined with the absence of MFA on the legacy VPN, this would yield direct internal access.

MITRE & OWASP

T1078.004 Valid Accounts: Cloud · T1133 External Remote Services · A07:2021 Identification and Authentication Failures

Preconditions

  • CTI feed lkc-001 active

Attack path

  1. attacker — Reuse leaked credential against VPN portal
  2. attacker — Reach internal hosts: jenkins, vault, kafka
  3. attacker — Enumerate Jenkins jobs / secrets

Run

Running the scenario emits evidence JSON; no real exploitation is performed.

Remediation

Force password rotation; enforce FIDO2; deny access through the legacy VPN.