itman Posted April 22, 2021 (edited)

CISA just published the following article, 'CISA Identifies SUPERNOVA Malware During Incident Response.' I will just quote from the notable part:

Quote

Description

From at least March 2020 through February 2021, the threat actor connected to the entity via the entity's Pulse Secure VPN appliance (External Remote Services [T1133]). The threat actor connected via the U.S.-based residential IP addresses listed below, which allowed them to masquerade as teleworking employees. (Note: these IP addresses belong to routers that are all similar models; based on this activity, CISA suspects that these routers were likely exploited by the threat actor.)

207.89.9[.]153
24.140.28[.]90
24.117.18[.]111

The threat actor authenticated to the VPN appliance through several user accounts (Valid Accounts [T1078]), none of which had multi-factor authentication (MFA) enabled. (CISA does not know how the threat actor initially obtained these credentials.) Once authenticated to the VPN appliance, the threat actor initiated a VPN connection to the environment (External Remote Services [T1133]). The media access control (MAC) address of the threat actor's machine as recorded in the VPN appliance logs indicates use of a virtual machine.

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a

Bottom line - hack residential routers to masquerade as company employees and "you're good to go" as far as access to corp. network.

Edited April 22, 2021 by itman
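The CISA report above gives defenders three things to look for in VPN appliance logs: successful logins without MFA, a client MAC address whose OUI belongs to a virtualization vendor, and the three residential source IPs it names. The following is an added example (not from the thread, CISA, or any appliance vendor) that applies those checks to constructed log lines; the log format, field names and the OUI-to-vendor list are assumptions for illustration, not any real product's format.

```python
import re

# Constructed log format (assumption, not a real appliance's syntax):
# "<timestamp> user=<name> src=<ip> mac=<mac> mfa=<yes|no> result=<success|fail>"
LOG_RE = re.compile(
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+mac=(?P<mac>\S+)"
    r"\s+mfa=(?P<mfa>\w+)\s+result=(?P<result>\w+)"
)

# OUI prefixes commonly registered to virtualization vendors (illustrative subset)
VM_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM", "00:1c:42": "Parallels",
    "00:16:3e": "Xen",
}

# Source IPs named in CISA AR21-112A, with the defanging brackets removed
KNOWN_BAD_SRC = {"207.89.9.153", "24.140.28.90", "24.117.18.111"}


def vm_vendor(mac):
    """Return the virtualization vendor for a MAC's OUI, or None if not in the list."""
    prefix = mac.lower().replace("-", ":")[:8]
    return VM_OUIS.get(prefix)


def flag_suspicious_logins(lines):
    """Return one finding per successful login that matches any of the report's indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["result"] != "success":
            continue  # only successful authentications matter here
        reasons = []
        if m["mfa"].lower() == "no":
            reasons.append("no MFA")
        vendor = vm_vendor(m["mac"])
        if vendor:
            reasons.append(f"VM MAC ({vendor})")
        if m["src"] in KNOWN_BAD_SRC:
            reasons.append("source IP listed in AR21-112A")
        if reasons:
            findings.append({"user": m["user"], "src": m["src"], "reasons": reasons})
    return findings


# Constructed sample log lines (documentation-range IPs for the benign entries)
SAMPLE_LOG = [
    "2021-02-03T09:12:44Z user=jdoe src=24.140.28.90 mac=00:50:56:ab:cd:ef mfa=no result=success",
    "2021-02-03T09:15:01Z user=asmith src=198.51.100.7 mac=3c:22:fb:11:22:33 mfa=yes result=success",
    "2021-02-03T09:16:10Z user=bjones src=203.0.113.9 mac=08:00:27:00:11:22 mfa=no result=fail",
    "2021-02-03T09:20:30Z user=cwong src=203.0.113.9 mac=08:00:27:00:11:22 mfa=yes result=success",
]

if __name__ == "__main__":
    for f in flag_suspicious_logins(SAMPLE_LOG):
        print(f)
```

A single hit on the VM OUI check is weak evidence on its own (many legitimate clients are VMs), so treat it as a correlating signal alongside the missing-MFA and source-address checks rather than an alert by itself.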
itman Posted April 22, 2021 (edited)

Related: Multiple APT Groups Exploit Critical Pulse Secure Zero-Day

Quote

Pulse Secure customers have been urged to take immediate steps to mitigate a critical zero-day vulnerability in the popular VPN platform, after researchers revealed multiple APT groups are targeting it.

CVE-2021-22893 has a CVSS score of 10.0 and is listed as a critical authentication bypass vulnerability in Pulse Connect Secure. It's being used in combination with multiple legacy CVEs in the product from 2019 and 2020 to compromise victims in defense, government, financial and other organizations around the world, according to Mandiant.

"Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices," it said in an analysis of one threat group.

https://www.infosecurity-magazine.com/news/multiple-apt-groups-exploit-pulse/

Edited April 22, 2021 by itman