Cyber Incident Victim: US financial entity

Date:

Aug 2019

Location:

United States of America

Summary

A state-sponsored threat actor exploited a critical vulnerability in Pulse Secure VPN servers to breach a US financial entity's research network. Using directory traversal, the attackers read a file holding login credentials in plaintext, then used buffer overflow and command injection techniques to reach the organization's Active Directory and harvest user credentials; the FBI assessed that they neither exfiltrated data nor established persistence. The intrusion, attributed to nation-state actors on the basis of its sophisticated tactics, was part of a broader campaign against unpatched systems in which credentials stolen before a server was patched remained usable afterward. It underscored how exposed, unpatched VPN appliances give advanced adversaries their initial foothold in a network.

Description

In August 2019, attackers exploited a critical vulnerability (CVE-2019-11510) in Pulse Secure VPN servers to breach the research network of a US financial entity. The flaw lets an unauthenticated remote attacker read sensitive files from the appliance via a specially crafted URI; here it was used, through directory traversal, to read a file storing login credentials in plain text. The attackers then leveraged buffer overflow and command injection vulnerabilities to escalate access, ultimately compromising the entity's Active Directory and harvesting user credentials. The FBI assessed that the attackers did not exfiltrate data or deploy persistence mechanisms within the compromised environment. The incident coincided with a separate breach of a US municipal government network in the same month, in which attackers enumerated user accounts, exfiltrated host configuration data, and collected session identifiers. Based on the sophistication of these Tactics, Techniques, and Procedures (TTPs), the FBI attributed both intrusions to unidentified nation-state actors.
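The description above gives the mechanism (an unauthenticated file read driven by a directory-traversal URI against the VPN's web interface) but not what it looks like in logs. The following is an added detection example written for this page; it is not code from the incident, the FBI, CISA or Pulse Secure. It assumes Apache/nginx-style access log lines (a Pulse Connect Secure appliance logs in its own format, so the parser would need adapting), and the Pulse web path prefixes and the watch-list of sensitive files are assumptions taken from public reporting on this vulnerability rather than from the page. The sample log lines are constructed; the request shape of the first two follows the traversal form published in public advisories.

```python
"""Flag CVE-2019-11510-style directory traversal in web access logs.

Added example for this incident page, not original page or vendor code.
Assumes Apache/nginx combined log format; Pulse appliances use their own.
"""
import posixpath
import re
from urllib.parse import unquote

# Combined-log parser (assumed format, not the appliance's native log).
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Web paths of the Pulse Connect Secure UI. Assumption drawn from public
# exploitation reports, not from the incident page itself.
PULSE_PREFIXES = ("/dana-na/", "/dana/", "/dana-ws/")

# Files the traversal was publicly reported to be used for. Treated as a
# watch-list for labelling only; any traversal under a Pulse path is flagged.
WATCHED_TARGETS = {
    "/etc/passwd": "unix account list",
    "/data/runtime/mtmp/lmdb/dataa/data.mdb": "plaintext credential cache",
    "/data/runtime/mtmp/lmdb/randomVal/data.mdb": "session identifiers",
    "/data/runtime/mtmp/system": "system configuration",
}


def decode_path(target):
    """Drop the query string and fully URL-decode the path.

    Decoding is repeated so that double-encoded traversal (%252e%252e)
    is normalised to '..' just like a plain or single-encoded one.
    """
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_line(line):
    """Return a finding for a traversal attempt against a Pulse web path,
    or None for a benign or unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path = decode_path(m.group("target"))
    if not raw_path.startswith(PULSE_PREFIXES):
        return None
    if ".." not in raw_path.split("/"):
        return None
    # normpath collapses the '..' components the same way the file system
    # would, so we learn which file the request actually reached for.
    resolved = posixpath.normpath(raw_path)
    return {
        "src": m.group("src"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "requested": raw_path,
        "resolved": resolved,
        "label": WATCHED_TARGETS.get(resolved, "other file"),
    }


def scan(lines):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]


# Constructed sample log (not data from the incident). The first two lines
# use the request shape public advisories describe for CVE-2019-11510,
# one plain and one URL-encoded; the rest is ordinary portal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2019:03:14:07 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1854
203.0.113.7 - - [12/Aug/2019:03:14:09 +0000] "GET /dana-na/..%2Fdana/html5acc/guacamole/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fdata/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 1048576
198.51.100.22 - - [12/Aug/2019:03:15:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4120
198.51.100.22 - - [12/Aug/2019:03:15:03 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0
192.0.2.5 - - [12/Aug/2019:03:16:11 +0000] "GET /images/../../nothing-here HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['timestamp']} {f['src']} -> {f['resolved']} "
              f"({f['label']}) status={f['status']}")
```

Two design points matter in practice. The check keys on the decoded path containing a `..` component rather than on one literal exploit string, so encoded variants are caught, but it is scoped to the appliance's own web paths so that unrelated traversal noise against other hosts in the same log is not reported. A status of 200 on a flagged line is the signal that the read likely succeeded, which is when the credential and session files named in the watch-list should be assumed compromised and reset.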

The FBI issued a flash alert confirming that these attacks were part of exploitation of CVE-2019-11510 that had been ongoing since August 2019, and that threat actors continued to use stolen credentials even after organizations had patched the vulnerable systems; because credentials and session material read through the vulnerability remain valid after the software update, patching alone did not close the exposure, and affected organizations also needed to reset them. While the financial entity breach resulted in neither data exfiltration nor ransomware deployment, it highlighted the risks of unpatched VPN infrastructure. The US Cybersecurity and Infrastructure Security Agency (CISA) had previously issued alerts urging organizations to patch affected Pulse Secure VPN servers amid widespread exploitation; security researchers identified 3,328 unpatched servers exposed globally, with the largest concentration in the US. The FBI collected indicators of compromise from both breaches and warned that unmitigated instances of the vulnerability could facilitate follow-on attacks, including ransomware deployment, as demonstrated by the December 2019 Sodinokibi ransomware attack on Travelex, which stemmed from unpatched Pulse Secure servers. Iranian cyber actors were separately named in FBI advisories as active exploiters of the same vulnerability, though no direct attribution was made for these specific incidents.
