FBI says nation-state attackers were involved in hacks of notable US entities’ networks

The FBI said in a recent Flash Security alert that the networks of a US municipal government and a US financial entity were breached through the CVE-2019-11510 vulnerability affecting Pulse Secure VPN servers.

The US Cybersecurity and Infrastructure Security Agency (CISA) had previously alerted organizations about this vulnerability and the ongoing attacks exploiting it, and on January 10 recommended that they patch their Pulse Secure VPN servers.

The bugs allow attackers to send specially crafted URLs to vulnerable devices, gain unauthorized access, and remotely read sensitive files containing user credentials from the servers. Those credentials can later be used to take control of the compromised system.

On an unpatched system, the flaw “allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords),” security researcher Kevin Beaumont explained.

US entities breached in the Pulse Secure VPN attacks

The FBI says unknown attackers have exploited the CVE-2019-11510 vulnerability against US entities since August 2019. That month, attackers gained access to the network of a US financial entity and also breached a US municipal government network using the same vulnerability. According to the FBI, nation-state actors were involved in these two attacks; however, it is not clear whether these are isolated incidents.

US municipal government network hacked

The attack on the US municipal government network took place in mid-August 2019. The attackers were able to enumerate and exfiltrate user accounts, host configuration information and session identifiers that could allow access to the internal network. After breaching the network, the attackers may have gained access to Active Directory and harvested user credentials, such as usernames and passwords for the VPN client. After attempting to enumerate user credentials and gain access to other network segments, they were only able to exploit those segments that used single-factor authentication.

“The intruder(s) attempted to access several Outlook web mail accounts but were unsuccessful due to the accounts being on separate domains requiring different credentials not obtained by the intruder(s).

While the intruder(s) performed additional enumeration, there was no evidence that any data was compromised or exfiltrated, and the intruder(s) seemingly did not install any persistence capability or foothold in the network.”

Possible Iran connection

A Private Industry Notification on Iranian cyber tactics and techniques cited “information indicating Iranian cyber actors have attempted to exploit Common Vulnerability and Exposures (CVEs) 2019-11510 [..]”

“The FBI assesses this targeting, which has occurred since late 2019, is broadly scoped and has affected numerous sectors in the United States and other countries.

The FBI has observed actors using information acquired from exploiting these vulnerabilities to further access targeted networks, and establish other footholds even after the victim patched the vulnerability.”

Mitigation measures

The FBI advises municipalities to review the National Security Agency (NSA) cybersecurity advisory on mitigating the VPN vulnerabilities. It also recommends taking the following measures:

  • Be alert to and immediately install patches released by the vendors, especially for web-facing appliances;
  • Block or monitor the malicious IP addresses identified in the alert, as well as any other IP addresses conducting remote logins at odd hours;
  • Reset credentials before reconnecting the upgraded devices to an external network;
  • Revoke and create new VPN server keys and certificates;
  • Use multifactor authentication as a measure of security beyond passwords, which allows you to differentiate a user from an attacker;
  • Review your accounts to ensure adversaries did not create new accounts;
  • Implement network segmentation where appropriate;
  • Ensure that administrative web interfaces are not accessible from the internet.
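As an added illustration of two of the monitoring items above (remote logins at odd hours, and accounts an adversary may have created), here is a small triage script. It is not code from the FBI alert or from Pulse Secure; the log format, IP addresses, account names, baseline account list and business-hours window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN login events in a hypothetical format (not real appliance logs).
SAMPLE_LOG = """\
2019-08-14T03:12:44Z vpn login user=jdoe src=203.0.113.5 result=success
2019-08-14T09:05:10Z vpn login user=asmith src=198.51.100.7 result=success
2019-08-14T03:15:02Z vpn login user=svc_backup src=203.0.113.5 result=success
2019-08-14T22:47:31Z vpn login user=bjones src=192.0.2.9 result=success
2019-08-14T13:30:00Z vpn login user=jdoe src=198.51.100.7 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

KNOWN_ACCOUNTS = {"jdoe", "asmith", "bjones"}   # constructed baseline of expected VPN users
BUSINESS_HOURS = range(7, 20)                   # assumption: 07:00-19:59 UTC is normal


def parse_events(text):
    """Parse the constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def odd_hour_sources(events):
    """Source IPs with successful logins outside business hours, mapped to hit counts."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "success" and ev["ts"].hour not in BUSINESS_HOURS:
            counts[ev["src"]] += 1
    return dict(counts)


def unknown_accounts(events):
    """Accounts that logged in successfully but are absent from the baseline."""
    seen = {ev["user"] for ev in events if ev["result"] == "success"}
    return sorted(seen - KNOWN_ACCOUNTS)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("odd-hour sources:", odd_hour_sources(evs))
    print("accounts not in baseline:", unknown_accounts(evs))
```

Either list is a starting point for review, not proof of compromise; the baseline and hours window must be adjusted to the organization's own users and time zone.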

Unpatched Pulse Secure VPN servers are still being targeted

The NSA warned in October 2019: “Exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code.”

Security firm Bad Packets found 14,528 unpatched Pulse Secure servers on 25 August 2019; that number has since dropped to 3,328, with the US topping the list at 1,000 unpatched VPN servers.

Scott Gordon (CISSP), Pulse Secure’s Chief Marketing Officer, said that attackers are actively exploiting “unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers.”