Threat Actors Exploited Pulse Secure Zero-Day to Break into MTA Systems
Cyberthreat actors believed to be operating with the support of China’s government exploited a Pulse Secure zero-day vulnerability to gain access to New York City’s Metropolitan Transportation Authority (MTA) computer systems earlier this spring. A forensic investigation revealed that the intruders attempted to remove evidence of their forays into the network, which raises the possibility that there have been system breaches that MTA has not discovered.
Pulse Secure has had to patch multiple vulnerabilities over the past year, and they have been exploited extensively.
We are now almost 18 months past the first advisories to patch the initial wave of Pulse Secure VPN vulnerabilities, and several months ago advisories came out about additional Pulse Secure vulnerabilities. Many IT operations have been struggling just to keep remote access for Work From Home running, and patching has suffered. Patching alone is not enough: as recent DHS/CERT advisories have pointed out, more compromise hunting is required to detect malware installs that occurred before the patch was applied, since those persist after it.
With the shift to increased remote work, your boundary protections are critical. Today's combination of traditional VPN, Zero Trust, CASB, VDI, and EDR requires attention to detail, including security configuration, judicious application of updates, and active monitoring (and response) for malfeasance. Make sure that you have the right skillsets on hand, supported with adequate training, funding, and depth of coverage.
Breaches of infrastructure systems may not be obvious and may not be exploited immediately; nation-state attackers may save access for later use. Think "zero trust" and "least privilege." Think urgency: the longer these systems remain vulnerable, the greater the risk that they are already covertly compromised.