Pulse Secure Zero Day Used to Attack NYC Metropolitan Transportation Authority

Zero-day attacks can be prevented by using intense network security infrastructure and protocols, something New York City’s Metropolitan Transportation Authority (MTA) apparently lacked after Chinese-backed hackers managed to breach them using the Pulse Secure VPN Zero-day vulnerability. Fortunately, there was no data loss nor evidence of access to the systems that actually control the transportation fleet.

It’s technically warfare when threat actors target systems such as government agencies, utilities and transportation systems. Hence the importance of intense cybersecurity systems to avoid or prevent zero-day attacks. Fortunately, one day after CISA alerted the public of the Pulse Secure Zero-Day, the MTA managed to mitigate the problem. The MTA happens to be the largest US transportation network used by over 15 million people to travel across New York City.

“…The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems,”

–Rafail Portnoy, MTA Chief Technology Officer

And the evidence of cyberwarfare continues as Apparently, this was not an isolated incident as the MTA has been a target for several years. Not just the MTA but dozens of other US and European organizations according to security firm FireEye, suspecting Chinese government involvement.

“Espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities… Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan.”

–Fireye

As for the Pulse Secure VPN Zero Day vulnerability, security updates were issued by Pulse Secure last May as well as a tool to help organizations check for compromised files on Pulse Secure appliances. The US Cybersecurity and Infrastructure Security Agency (CISA) also ordered agencies using Pulse Secure to mitigate the security flaw by disabling the Pulse Secure Collaboration and Windows File Share Browser features.

In related news, China is also suspected of spying on ASEAN-member governments through the use of spyware on Windows and Office-based systems. According to Check Point Systems, attackers managed to install backdoors on victim’s machines using Microsoft Office exploits. The targets are members of the countries’ respective foreign affairs ministries and is implemented using tainted attachments in emails from people impersonating various staff.

“… the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor on victim’s machines… All the evidence points to the fact that we are dealing with a highly-organized operation that placed significant effort into remaining under the radar… All in all, the attackers, who we believe to be a Chinese threat group, were very systematic in their approach.”

— Lotem Finkelsteen, Head of threat intelligence, Check Point Research

Checkpoint points to the Chinese APT group SharpPanda as the culprit behind these stealth attacks which have been going on since 2017.