“Life in the SOC” is a blog series that shares the experiences of the BlueVoyant SOC in defending against the current and prevalent attacks encountered by our clients. The posts discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
An initial advisory regarding a vulnerability in Pulse VPN servers (CVE-2019-11510) was released on April 24, 2019. The timeline of events since that first advisory includes:
Beyond its use to install REvil ransomware on Pulse VPN servers, the FBI reports that unidentified threat actors have used the flaw "to exploit notable US entities" since August 2019. In August 2019, attackers gained access to a US financial entity’s research network by exploiting servers unpatched against CVE-2019-11510. The vulnerability in Pulse Secure allowed directory traversal and, through it, access to a file in which login credentials were written in plain text. In addition, the Pulse Secure appliance may have been vulnerable to buffer overflow and command injection.
During the same month, a US municipal government network was breached through the same vulnerability. In this case, the threat actors were able to enumerate and exfiltrate user accounts, host configuration information, and session identifiers that enable additional access to the internal network.
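Both incidents above began with directory traversal against an unpatched appliance, and the first place a SOC can see that is the web access log. The following is an added example, not BlueVoyant code and not specific to Pulse Secure: it parses a simplified combined-format access log (the format and every log line are constructed for illustration) and flags requests whose path contains a `..` segment after percent-decoding, so that URL-encoded and double-encoded variants are caught and legitimate filenames containing two dots are not. A traversal request answered with HTTP 200 is the case to treat as high severity, since the server may have served the file rather than rejecting the path.

```python
"""Flag directory-traversal attempts in web-server access logs.

Added illustration (not BlueVoyant code). The log format below is a
simplified Apache/nginx combined format and all sample lines are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample: benign requests from two clients and three traversal
# attempts from a third, including URL-encoded and double-encoded forms.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Aug/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.10 - - [20/Aug/2019:10:01:05 +0000] "GET /css/site.css HTTP/1.1" 200 871
198.51.100.7 - - [20/Aug/2019:10:02:11 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1834
198.51.100.7 - - [20/Aug/2019:10:02:13 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1834
198.51.100.7 - - [20/Aug/2019:10:02:15 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 221
192.0.2.44 - - [20/Aug/2019:10:03:00 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 4411
"""

# Combined-format fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Drop the query string, percent-decode repeatedly (bounded, so a hostile
    input cannot loop us) to expose double-encoded '..', and fold backslashes
    to forward slashes."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True if any path segment is exactly '..' after normalization.
    Testing whole segments avoids false positives on names such as
    'release..notes.html'."""
    return any(seg == ".." for seg in normalize_path(raw_path).split("/"))


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does
    not match the expected format (unparseable lines are skipped, not dropped
    silently into an exception)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_traversal_attempts(log_text: str):
    """Return (client_ip, status, normalized_path) for every request whose
    path is a traversal attempt, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_traversal(rec["path"]):
            hits.append((rec["ip"], int(rec["status"]), normalize_path(rec["path"])))
    return hits


if __name__ == "__main__":
    for ip, status, path in find_traversal_attempts(SAMPLE_LOG):
        # HTTP 200 on a traversal path means the appliance may have served
        # the file; anything else still shows an attacker probing.
        severity = "HIGH" if status == 200 else "MEDIUM"
        print(f"[{severity}] client={ip} status={status} path={path}")
```

Run against a real log, the three hits from 198.51.100.7 would be the signal to correlate with the patch state of the appliance and with any subsequent logins by the accounts whose credentials that file holds.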
Based on the sophistication of the Tactics, Techniques, and Procedures (TTPs) used in the two attacks, "the FBI believes unidentified nation-state actors are involved in both compromises; however, it remains unclear if these are isolated incidents."