FBI Says Nation-Backed Actors Breached US Government Network

The FBI said in a flash security alert that nation-state actors have breached the networks of a US municipal government and a US financial entity by exploiting a critical vulnerability affecting Pulse Secure VPN servers.

The US Cybersecurity and Infrastructure Security Agency (CISA) previously alerted organizations on January 10 to patch their Pulse Secure VPN servers against ongoing attacks trying to exploit the flaw tracked as CVE-2019-11510.

This bug enables unauthenticated remote attackers to send specially crafted URIs to vulnerable servers and read sensitive files containing user credentials. These credentials can later be used to take control of an organization's systems and more.


On unpatched systems, the vulnerability "allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords)," security researcher Kevin Beaumont explained.

FBI Flash Alert AC-000112-TT

US entities breached in Pulse Secure VPN attacks

The FBI says that unidentified threat actors have used the CVE-2019-11510 flaw "to exploit notable US entities" since August 2019.

In August 2019, attackers were able to gain access to a US financial entity’s research network by exploiting servers unpatched against CVE-2019-11510.

During the same month, a US municipal government network was also breached following an attack that exploited the same vulnerability.

Based on the sophistication of the Tactics, Techniques, and Procedures (TTPs) used in the two attacks, "the FBI believes unidentified nation-state actors are involved in both compromises; however, it remains unclear if these are isolated incidents."

US govt network hacked

The attack that targeted and compromised the US municipal government network took place in mid-August 2019, according to the FBI.

"In this case, the operators were able to enumerate and exfiltrate user accounts, host configuration information, and session identifiers that could allow them to gain further access to the internal network.

At this time, the FBI is continuing to gather indicators of compromise on the incident."

Attackers infiltrate US financial entity's research network

"The intruder(s) remotely exploited a Pulse Secure VPN appliance by using CVE-2019-11510," the flash alert says. "The vulnerability in Pulse Secure allowed directory traversal and access to a file where login credentials were written in plain text. In addition, the Pulse Secure appliance may have been vulnerable to a buffer overflow and command injection.

After breaching the network, the nation-state actors gained access to the Active Directory, harvesting and exfiltrating user credentials (usernames and passwords) for the VPN client.

Following attempts to enumerate and gain access to other network segments, the hackers were only able to infiltrate the exploited segment, which was the only one on the network using single-factor authentication.

"The intruder(s) attempted to access several Outlook web mail accounts but were unsuccessful due to the accounts being on separate domains requiring different credentials not obtained by the intruder(s).

While the intruder(s) performed additional enumeration, there was no evidence that any data was compromised or exfiltrated, and the intruder(s) seemingly did not install any persistence capability or foothold in the network."

FBI PIN 20200109-001

Possible Iran connection and mitigation measures

While the FBI did not directly connect these attacks to Iranian-backed hackers, a Private Industry Notification (PIN) detailing Iranian Cyber Tactics and Techniques shared a day later mentions "information indicating Iranian cyber actors have attempted to exploit Common Vulnerability and Exposures (CVEs) 2019-11510 [..]"

"The FBI assesses this targeting, which has occurred since late 2019, is broadly scoped and has affected numerous sectors in the United States and other countries.

The FBI has observed actors using information acquired from exploiting these vulnerabilities to further access targeted networks, and establish other footholds even after the victim patched the vulnerability."

Municipalities are advised by the FBI to review this National Security Agency (NSA) cybersecurity advisory on mitigating VPN vulnerabilities.

They're also recommended to take the following measures to defend against the impact of potential attacks targeting domains connected to municipality networks, including "local infrastructure managing emergency services, transportation, or elections:"

• Be alert to and immediately install patches released by the vendors, especially for web-facing appliances;
• Block or monitor the malicious IP addresses above, as well as any other IP addresses conducting remote logins at odd hours;
• Reset credentials before reconnecting the upgraded devices to an external network;
• Revoke and create new VPN server keys and certificates;
• Use multifactor authentication as a measure of security beyond passwords, which allows you to differentiate a user from an attacker;
• Review your accounts to ensure adversaries did not create new accounts;
• Implement network segmentation where appropriate;
• Ensure that administrative web interfaces are not accessible from the internet.
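One way to act on the "monitor remote logins at odd hours" and directory traversal points above, as an added example that is not from the FBI alert or this article: a small Python detector run over constructed VPN appliance log lines. The log format, the /portal/ path and the business-hours window are assumptions; it flags traversal requests (including URL-encoded ones), off-hours logins, and logins from a source that earlier sent traversal requests, which is the credential-theft-then-use pattern the alert describes.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample appliance log (not from the FBI alert or the article).
# Format: "<ISO timestamp> <source IP> <event> <detail>"
SAMPLE_LOG = """\
2019-08-14T03:12:45 203.0.113.7 HTTP GET /portal/../../../../etc/passwd
2019-08-14T03:13:02 203.0.113.7 HTTP GET /portal/%2e%2e%2f%2e%2e%2fetc%2fpasswd
2019-08-14T09:30:10 198.51.100.22 HTTP GET /portal/login.html
2019-08-14T02:05:33 203.0.113.7 LOGIN user=jdoe result=success
2019-08-14T14:22:01 198.51.100.22 LOGIN user=asmith result=success
2019-08-14T23:45:12 192.0.2.9 LOGIN user=svc-backup result=success
"""

# A '..' path segment after URL-decoding; decoding twice catches double-encoded requests.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
BUSINESS_HOURS = range(7, 20)  # assumed policy: 07:00-19:59 is normal login time


def is_traversal(uri: str) -> bool:
    return bool(TRAVERSAL_RE.search(unquote(unquote(uri))))


def analyze(log_text: str, business_hours=BUSINESS_HOURS):
    """Return (finding, source_ip, detail) tuples for traversal requests,
    off-hours successful logins, and logins from an IP that earlier sent traversal requests."""
    findings, traversal_ips = [], set()
    for line in log_text.splitlines():
        ts, ip, event, detail = line.split(" ", 3)
        hour = datetime.fromisoformat(ts).hour
        if event == "HTTP":
            uri = detail.split(" ", 1)[1]
            if is_traversal(uri):
                findings.append(("traversal", ip, uri))
                traversal_ips.add(ip)
        elif event == "LOGIN":
            fields = dict(kv.split("=", 1) for kv in detail.split())
            if fields.get("result") != "success":
                continue
            user = fields.get("user", "?")
            if hour not in business_hours:
                findings.append(("off_hours_login", ip, user))
            # Credentials read via traversal are typically used from the same source
            if ip in traversal_ips:
                findings.append(("login_after_traversal", ip, user))
    return findings
```

The "login_after_traversal" finding is the one to escalate first: it indicates a credential obtained through the bug was used, so those accounts need a reset even after the appliance is patched.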

Ongoing attacks targeting unpatched Pulse Secure VPN servers

According to an NSA advisory from October 2019, "Exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code."

While on August 25, 2019, security firm Bad Packets discovered 14,528 unpatched Pulse Secure servers, a scan from today yielded 3,328 results, with the U.S. first on the "leaderboard" with over 1,000 unpatched VPN servers.

The two US entities the FBI says were compromised are not the only examples of such successful attacks targeting CVE-2019-11510.

While not yet officially confirmed, a high-profile case could be that of the international foreign currency exchange Travelex, which was hit by Sodinokibi ransomware on December 3 after not patching its Pulse Secure VPN servers, with the attackers asking for a $3 million ransom.

Travelex was one of the companies Bad Packets' Mursch warned in September 2019 of having vulnerable servers. Travelex did not reply to his email at the time.

Scott Gordon (CISSP), Pulse Secure Chief Marketing Officer, told BleepingComputer that attackers are actively exploiting "unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers."
