Cyber Incident Victim: US municipal government
Date: Aug 2019
Location: United States of America
Summary
A US municipal government network was compromised by nation-state actors exploiting a critical vulnerability in Pulse Secure VPN servers, enabling unauthorized access and credential theft. Attackers exfiltrated user accounts, host configurations, and session identifiers, leveraging the flaw to bypass authentication controls and harvest sensitive data. The same threat actors targeted a financial entity using similar techniques, including directory traversal and command injection to access plaintext credentials, though no data theft or persistent access occurred. The FBI attributed the intrusions to sophisticated state-sponsored activity based on observed tactics, noting exploitation of unpatched systems allowed further network infiltration even after initial mitigation efforts.
Description
In August 2019, unidentified threat actors exploited a critical vulnerability (CVE-2019-11510) in Pulse Secure VPN servers to breach the network of a US municipal government. The flaw enabled unauthenticated remote attackers to read sensitive files containing user credentials by sending specially crafted URIs to unpatched systems. Attackers leveraged this access to enumerate and exfiltrate user accounts, host configuration information, and session identifiers from the municipal government’s network. The FBI assessed the Tactics, Techniques, and Procedures (TTPs) used in the intrusion as sophisticated enough to indicate involvement by nation-state actors. This incident occurred concurrently with a separate breach of a US financial entity’s research network, where attackers similarly exploited the same vulnerability to access plaintext credentials and manipulate directory structures. Both breaches were part of a broader campaign targeting organizations with unpatched Pulse Secure VPN systems, with exploit code publicly available through platforms like Metasploit and GitHub since at least January 2020.

The FBI confirmed the municipal government breach in a January 2020 security alert, noting ongoing efforts to gather indicators of compromise. While the attackers harvested credentials and configuration data, there was no evidence they compromised sensitive data or installed persistence mechanisms in this specific intrusion. In response, the US Cybersecurity and Infrastructure Security Agency (CISA) issued alerts urging organizations to patch affected systems, reset credentials, revoke VPN keys, and implement multifactor authentication. The FBI warned that attackers continued using stolen credentials to access networks even after victims applied patches, emphasizing the need for additional measures like network segmentation and blocking malicious IPs. Global scans by Bad Packets revealed 3,328 unpatched Pulse Secure servers remained exposed at the time of the advisory, with the US hosting the highest number of vulnerable systems. The incident underscored risks posed by unmitigated vulnerabilities, as demonstrated by unrelated ransomware attacks like the December 2019 Travelex breach linked to the same flaw.
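Added example, not part of the original record: a small defender-side script showing how the two behaviours described above, directory-traversal requests used to read credential files and later reuse of stolen credentials after patching, could be picked out of VPN logs. The log format, the /portal/ path, the IP addresses, the user name and the patch date are all constructed for this example; a real Pulse Secure log would look different and the patterns would need adapting.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample VPN access/auth log, not from the page or any real system.
# Each line: <timestamp> <source IP> <event> <detail>
SAMPLE_LOG = """\
2019-08-02T10:15:01Z 203.0.113.7 GET /portal/../../../../etc/passwd
2019-08-02T10:15:09Z 203.0.113.7 GET /portal/%2e%2e/%2e%2e/%2e%2e/data/sessions.db
2019-08-02T11:00:00Z 198.51.100.4 GET /portal/welcome.cgi
2019-08-03T09:30:00Z 192.0.2.10 LOGIN jdoe success
2019-08-20T01:12:44Z 203.0.113.7 LOGIN jdoe success
2019-08-21T08:00:00Z 192.0.2.10 LOGIN jdoe success
"""

# Assumed date the VPN patch was applied (constructed for the example).
PATCH_APPLIED = datetime(2019, 8, 15)
# A '..' path segment, matched after percent-decoding.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def is_traversal(path):
    """True if the request path contains a '..' segment once decoded.
    Decoding twice also catches double-encoded sequences such as %252e."""
    return bool(TRAVERSAL.search(unquote(unquote(path))))

def parse(line):
    ts, ip, event, detail = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, event, detail

def analyze(log_text, patch_applied):
    """Return (traversal_sources, suspicious_logins).
    traversal_sources: IPs that sent traversal-style requests (credential harvesting).
    suspicious_logins: (ip, user, ts) for successful logins after the patch date
    from a source that earlier attempted traversal, i.e. likely stolen-credential reuse."""
    traversal_sources, suspicious = set(), []
    for line in log_text.splitlines():
        ts, ip, event, detail = parse(line)
        if event == "GET" and is_traversal(detail):
            traversal_sources.add(ip)
        elif event == "LOGIN":
            user, result = detail.split()
            if result == "success" and ts > patch_applied and ip in traversal_sources:
                suspicious.append((ip, user, ts))
    return traversal_sources, suspicious

if __name__ == "__main__":
    sources, logins = analyze(SAMPLE_LOG, PATCH_APPLIED)
    print("traversal sources:", sorted(sources))
    for ip, user, ts in logins:
        print(f"post-patch login from harvesting source {ip}: {user} at {ts:%Y-%m-%d %H:%M}")
```

A hit in the second list is exactly the case the FBI warned about: patching alone does not help once credentials have already been read, so those accounts need a reset and their sessions revoked.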
