Delaware, USA – December 30, 2019 – Financial and telecommunications companies in Eastern Europe and Central Asia were breached by an as-yet unidentified threat actor in a series of cyberattacks. According to Kaspersky Lab, the criminals are after large sums: they attempted to steal several million dollars from each financial organization, and in the telecom networks they searched for data that would give them access to financial information. All the attacks were linked by the tools used and by a single entry point, the corporate VPN solution installed in every affected company. To breach a corporate network, the attackers exploited CVE-2019-11510 in Pulse Secure Pulse Connect Secure, which lets an unauthenticated attacker read arbitrary files from the appliance using a specially crafted URI. Exploit tools for this vulnerability are publicly available, and the files they retrieve give attackers administrator credentials and other sensitive information. A fix has been available since April 2019 (Pulse Secure advisory SA44101); because exploitation exposes stored credentials and sessions, patching an appliance that was exposed must be paired with resetting those credentials.
Having studied the tactics and techniques used, the experts concluded that the attacks were most likely conducted by a Russian-speaking gang. Earlier this year a Chinese state-sponsored group exploited the same CVE-2019-11510 to compromise telecommunications and technology companies. You can strengthen your defenses with the VPN Security Monitor rule pack, which helps your SIEM uncover signs of abuse or unauthorized access to the VPN service and enables real-time tracking of VPN connections: https://my.socprime.com/en/integrations/vpn-security-monitor
Rules to detect attacks exploiting CVE-2019-11510 against Pulse Secure – https://tdm.socprime.com/tdm/info/uYtWrniKw8W7/
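The following is an added example of the kind of detection the rules above automate; it is not SOC Prime's rule pack or Kaspersky's tooling. It scans reverse-proxy access logs in front of a Pulse Connect Secure appliance for the CVE-2019-11510 request shape. The shape it looks for (a `/dana-na/` path that climbs out of the web root with `../` and carries the `?/dana/html5acc/guacamole/` query suffix) and the list of files worth flagging are taken from the public proof-of-concept and are assumptions here, not facts stated on this page; the log lines are constructed.

```python
"""Flag CVE-2019-11510 exploitation attempts in reverse-proxy access logs.

Added example, not SOC Prime's rule pack. The request shape (a /dana-na/ path
that climbs out with ../ and carries the '?/dana/html5acc/guacamole/' query
suffix) is taken from the public proof-of-concept and is an assumption here;
the log lines below are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Apache/nginx combined log format; trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files the public tooling reads to harvest credentials and sessions (assumption).
SENSITIVE_FILES = (
    "/etc/passwd",
    "/data/runtime/mtmp/lmdb/",
    "/data/runtime/mtmp/system",
)


def normalize(uri: str) -> str:
    """Percent-decode until the string stops changing so %2e%2e%2f and
    double-encoded variants collapse to a literal '../'. Bounded to 5 rounds."""
    cur = uri
    for _ in range(5):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(uri: str) -> Optional[Dict[str, str]]:
    """Return a finding dict if the URI matches the exploit shape, else None."""
    parts = urlsplit(normalize(uri))
    path, query = parts.path, parts.query.lower()
    if not path.lower().startswith("/dana-na/"):
        return None
    traversal = "../" in path or "..\\" in path
    bypass_suffix = "/dana/html5acc/guacamole/" in query
    if not (traversal and bypass_suffix):
        return None
    target = next((f for f in SENSITIVE_FILES if f in path), "other")
    return {"uri": uri, "target": target}


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each access-log line and collect CVE-2019-11510 findings.
    A 200 response means the appliance served the file (exploit succeeded);
    anything else is recorded as an attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("uri"))
        if hit is None:
            continue
        hit.update(
            ip=m.group("ip"),
            ts=m.group("ts"),
            outcome="success" if m.group("status") == "200" else "attempt",
        )
        findings.append(hit)
    return findings


# Constructed sample log: one benign login-page request, a plain-text read of
# /etc/passwd, a percent-encoded read of the session/credential database, and
# a blocked attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Dec/2019:09:58:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Dec/2019:10:00:12 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1877',
    '203.0.113.7 - - [30/Dec/2019:10:00:15 +0000] "GET /dana-na/..%2Fdana%2Fhtml5acc%2Fguacamole%2F..%2F..%2F..%2F..%2F..%2F..%2Fdata%2Fruntime%2Fmtmp%2Flmdb%2Fdataa%2Fdata.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 4194304',
    '198.51.100.9 - - [30/Dec/2019:10:03:44 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['outcome']:7} target={f['target']} uri={f['uri']}")
```

Two design points matter in practice. The decode loop is what catches the percent-encoded variant; a rule that matches the literal `../` string only would miss it, and WAF-evasion tooling relies on exactly that. Second, the outcome field is driven by the response status: a 200 on one of the sensitive paths means the appliance handed over the file and the credential-reset step is no longer optional, whereas a 403 or 404 is reconnaissance to correlate with the same source address elsewhere.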