Cyber Incident Victim: United States government
Date: Aug 2019
Location: United States of America
Summary
State actors exploited a critical vulnerability in Pulse Secure VPN servers to breach a US municipal government network and a financial entity's research infrastructure, gaining unauthorized access through unpatched systems. The attackers leveraged the flaw to steal sensitive files containing plaintext credentials, compromise Active Directory accounts, exfiltrate user data and session identifiers, and manipulate host configurations. Sophisticated tactics including directory traversal, buffer overflow exploits, and command injection facilitated credential harvesting and network infiltration, though no data theft or persistent malware deployment occurred in the financial intrusion. The FBI attributed the incidents to unidentified nation-state actors based on technical indicators and operational complexity, noting continued exploitation attempts even after vulnerability patching. Compromised credentials were repurposed for further network access, underscoring systemic risks to unsecured VPN infrastructure.
Description
In August 2019, unidentified threat actors exploited a critical vulnerability (CVE-2019-11510) in Pulse Secure VPN servers to breach the networks of a US municipal government and a US financial entity. The flaw allowed unauthenticated remote attackers to read sensitive files containing user credentials by sending specially crafted URIs to vulnerable servers. Attackers compromised the municipal government’s network during this period, enumerating and exfiltrating user accounts, host configuration information, and session identifiers. Simultaneously, they breached the financial entity’s research network using directory traversal techniques to access a file containing plaintext login credentials. The attackers further exploited buffer overflow and command injection vulnerabilities to gain access to the entity’s Active Directory, harvesting user credentials but not compromising data or installing persistence mechanisms. The FBI attributed these intrusions to nation-state actors based on the sophistication of the tactics, techniques, and procedures (TTPs) observed.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on January 10, 2020, urging organizations to patch affected Pulse Secure VPN servers amid ongoing exploitation. The FBI confirmed that attackers continued to leverage compromised credentials to access networks even after victims applied patches. Mitigation efforts included patching vulnerable systems, blocking malicious IP addresses, resetting credentials, revoking VPN keys, implementing multifactor authentication, and enforcing network segmentation. The NSA noted that public exploit code for CVE-2019-11510 was available through Metasploit and GitHub, lowering the barrier for additional attacks. Security researchers identified 3,328 unpatched Pulse Secure servers globally, with the US hosting the majority. The FBI warned that unpatched servers remained susceptible to malware propagation, including Sodinokibi (REvil) ransomware, citing the December 2019 Travelex ransomware incident as a related example. Investigations into the breaches remained ongoing, with the FBI gathering additional indicators of compromise.
