
The Importance Of Two-Factor Authorization In Corporate Remote Access Environments



CISA just published the following article, 'CISA Identifies SUPERNOVA Malware During Incident Response.' I will just quote from the notable part:

Quote

Description

From at least March 2020 through February 2021, the threat actor connected to the entity via the entity’s Pulse Secure VPN appliance (External Remote Services [T1133]). The threat actor connected via the U.S.-based residential IP addresses listed below, which allowed them to masquerade as teleworking employees. (Note: these IP addresses belong to routers that are all similar models; based on this activity, CISA suspects that these routers were likely exploited by the threat actor.)

  • 207.89.9[.]153
  • 24.140.28[.]90
  • 24.117.18[.]111

The threat actor authenticated to the VPN appliance through several user accounts (Valid Accounts [T1078]), none of which had multi-factor authentication (MFA) enabled. (CISA does not know how the threat actor initially obtained these credentials.) Once authenticated to the VPN appliance, the threat actor initiated a VPN connection to the environment (External Remote Services [T1133]). The media access control (MAC) address of the threat actor’s machine as recorded in the VPN appliance logs indicates use of a virtual machine.

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a

Bottom line - hack residential routers to masquerade as company employees and "you're good to go" as far as access to corp. network.

Edited by itman
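The two observations in the quoted CISA description (VPN accounts authenticating without MFA, and a client MAC address that points at a virtual machine) can be turned into a simple check over appliance authentication logs. This is an added example, not code from the CISA report or from either post; the key=value log format, field names and sample lines are constructed, not Pulse Secure's.

```python
# Added example: flag risky VPN logins in constructed key=value log lines.
# Signals from the quoted CISA report: logins without MFA, and client MACs
# whose OUI belongs to a hypervisor vendor (the quoted case used a VM).
# The log format and field names are constructed, not Pulse Secure's.

# OUI prefixes registered to common hypervisor vendors (public IEEE assignments).
VM_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
}

def parse_line(line):
    """Split one constructed 'key=value key=value' log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def vm_vendor(mac):
    """Return the hypervisor vendor for a MAC's 3-byte OUI, or None."""
    return VM_OUIS.get(mac.lower()[:8])

def assess(lines):
    """Return (user, src_ip, reasons) for each successful login carrying a risk signal."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        # Only successful authentications matter here; failures are a different signal.
        if ev.get("event") != "login" or ev.get("result") != "success":
            continue
        reasons = []
        if ev.get("mfa") != "yes":          # account authenticated with password alone
            reasons.append("no-mfa")
        vendor = vm_vendor(ev.get("mac", ""))
        if vendor:                           # client MAC belongs to a hypervisor vendor
            reasons.append(f"vm-mac:{vendor}")
        if reasons:
            findings.append((ev["user"], ev["src"], tuple(reasons)))
    return findings

# Constructed sample log lines (not real appliance output); IPs from documentation ranges.
SAMPLE_LOG = [
    "event=login result=success user=jdoe src=203.0.113.10 mac=00:50:56:ab:cd:ef mfa=no",
    "event=login result=success user=asmith src=198.51.100.7 mac=3c:22:fb:11:22:33 mfa=yes",
    "event=login result=failure user=jdoe src=203.0.113.10 mac=00:50:56:ab:cd:ef mfa=no",
    "event=login result=success user=bwong src=192.0.2.44 mac=08:00:27:00:11:22 mfa=yes",
]

if __name__ == "__main__":
    for user, src, reasons in assess(SAMPLE_LOG):
        print(f"{user}@{src}: {', '.join(reasons)}")
```

In a real deployment the no-mfa signal is best handled as a policy rule (deny the login) rather than an alert; the VM-OUI signal is only a weak indicator, since legitimate users may also connect from virtual machines.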

Related.

Multiple APT Groups Exploit Critical Pulse Secure Zero-Day

Quote

Pulse Secure customers have been urged to take immediate steps to mitigate a critical zero-day vulnerability in the popular VPN platform, after researchers revealed multiple APT groups are targeting it.

CVE-2021-22893 has a CVSS score of 10.0 and is listed as a critical authentication bypass vulnerability in Pulse Connect Secure.

It’s being used in combination with multiple legacy CVEs in the product from 2019 and 2020 to compromise victims in defense, government, financial and other organizations around the world, according to Mandiant.

“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices,” it said in an analysis of one threat group.

https://www.infosecurity-magazine.com/news/multiple-apt-groups-exploit-pulse/

Edited by itman