The FireEye Mandiant team has discovered multiple threat actors exploiting a zero-day vulnerability in Pulse Secure VPN appliances. The attack infrastructure is very sophisticated. The attackers persist on the VPN appliances even across software updates, remount the appliances' read-only filesystems as read-write so that their implants survive, and use a variety of mechanisms to evade detection.
Several threat actors are using a range of tools against the Pulse Secure systems, including four variants of a novel malware family that FireEye/Mandiant has named SLOWPULSE. Three of the four SLOWPULSE variants allow attackers to bypass the two-factor authentication mechanisms of the VPN system.
Multiple sites in the USA and the European Union have been targeted. There is no public information yet as to whether, or which, industrial or critical infrastructure sites might have been among them.
Beyond the immediate emergency for all users of the compromised equipment, what does this mean for the bigger picture of industrial cybersecurity? It means two-factor authentication is not the silver bullet that many of us assumed it was. From 2015, when stolen remote access credentials enabled an attack on power distribution systems in Ukraine, through early 2021, when a stolen TeamViewer password enabled an attack on the Oldsmar, Florida water treatment plant, we have repeatedly been reminded to configure all of our industrial remote access systems with multi-factor authentication.
But again, the malware implanted through the Pulse Secure VPN zero-day allowed attackers to bypass multi-factor authentication. This is not the first time such a bypass has occurred, but it is the most recent and the best publicized such incident. The lesson for industrial sites is simple: we need remote access protections that are stronger than two-factor authentication if we want to avoid being at risk in th ..