China-linked attackers breached Metropolitan Transportation Authority (MTA) using Pulse Secure zero-day

China-linked APT breached New York City’s Metropolitan Transportation Authority (MTA) network in April using a Pulse Secure zero-day.

China-linked threat actors breached the network of the New York City’s Metropolitan Transportation Authority (MTA) network exploiting a Pulse Secure zero-day. The intrusion took place in April, but attackers did not cause any damage because they were not able to gain access to MTA train control systems. The Authority addressed the issue the day after Pulse Secure and US CISA issued an advisory in April to warn of the active exploitation of the flaw in the wild.

The security breach was the third cyberattack on the transit network in recent years, officials told The New York Times.

“The breach was the third — and most significant — cyberattack on the transit network, North America’s largest, by hackers thought to be connected to foreign governments in recent years, according to transit officials.” reported The New York Times. “The M.T.A. is one of a growing number of transit agencies across the country targeted by foreign hackers and the breach comes during a surge in cyberattacks on critical American infrastructure, from fuel pipelines to water supply systems.”

Hackers did not access to employee or customer information, said Rafail Portnoy, MTA’s Chief Technology Officer.

“The Metropolitan Transportation Authority (MTA) quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems,” said Portnoy. “Importantly, the MTA’s existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain vigilant as cyber-attacks are a growing global threat,”

The flaw, tracked as CVE-2021-22893 is an authentication bypass issue that unauthenticated users could exploit to perform remote arbitrary file execution on the Pulse Connect Secure gateway

“A vulnerability was discovered under Pulse Connect Secure (PCS).  This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.” reads the advisory published by Pulse Secure.

The vendor also released a tool that can scan Pulse Secure VPN servers for signs of compromise for CVE-2021-22893 or other previous vulnerabilities.

According to coordinated reports published by FireEye and Pulse Secure in April, two hacking groups have exploited the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defense contractors and government organizations worldwide. One of the two hacking groups was a China-linked cyber espionage group.

The attacks were first discovered by the cybersecurity firm FireEye early this year, when the Mandiant incident response team investigated multiple security breaches at defense, government, and financial organizations around the world. In all the intrusions, the attackers targeted Pulse Secure VPN appliances in the breached networks.

“In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893.” reads the report published by FireEye.

The attacks began in August 2020, when a group tracked by FireEye as UNC2630, began targeting US defense contractors and European organizations. Threat actors leveraged Pulse Secure VPN bugs disclosed in 2019 and 2020, along with a new zero-day tracked as CVE-2021-22893

Starting from October 2020, a second group tracked by FireEye as UNC2717 started exploiting the same zero-day flaw to install the following malware on the networks of government agencies in Europe and the US:

• HARDPULSE;
• QUIETPULSE;
• PULSEJUMP.

In March 2021, FireEye investigated a separate intrusion attributed to the UNC2717 threat actors that used RADIALPULSE, PULSEJUMP, and HARDPULSE to penetrate a European organization. These malware strains have many similarities with other code families used by UNC2630.

Anyway, it is not clear if the two groups are linked, but experts speculate the involvement of other groups.

“Due to a lack of context and forensic evidence at this time, Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors” continues the report.

FireEye revealed that the analysis of internal data confirmed that UNC2630 group was China-linked cyber espionage group linked to the APT5.

US Cybersecurity and Infrastructure Security Agency (CISA) also issued an emergency directive urging federal agencies to address the vulnerability within two days, the agency suggests to disable the Windows File Share Browser and Pulse Secure Collaboration features.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Metropolitan Transportation Authority)

[adrotate banner=”5″]

[adrotate banner=”13″]