The intrusion into Metropolitan Transportation Authority (MTA) systems in New York City Wednesday happened through a Pulse Secure zero day leveraged by Chinese threat actors.
According to published reports, the MTA’s computer systems were penetrated in April, exposing vulnerabilities in the transportation network. A follow-up investigation by Mandiant found that the hackers did not gain access to the systems that control the trains, and MTA officials said rider safety was not at risk and the personal data of riders was not compromised.
However, the attackers exploited latent vulnerabilities in the Pulse Secure VPN software in use by the MTA, which allowed them to bypass authentication and execute code remotely. The attackers used the access to plant web shells on the VPN servers in MTA's environment.
Michael Isbitski, technical evangelist at Salt Security, said security pros should refer to the advisories that went out last week around Pulse Secure VPNs. He said while some of the older vulnerabilities point towards issues in API-related services, this latest reported zero day looks to have targeted file sharing and collaboration services within the VPN software.
“It's possible the attackers used a complex attack chain and combined exploits of vulnerabilities which would reinforce Pulse's statement about the older, fixed issues,” Isbitski said. “Pulse also provided a tool for organizations to use to validate whether their VPN servers are vulnerable.”
Isbitski added that the MTA and Mandiant said they used "multi-layered security," which implies segmented network environments or other infrastructure controls to limit the blast radius of the attack. “Based on what they uncovered during the audit, no customer or employee data was leaked and no other systems outside of the VPN servers were adversely impacted,” he added.
News of the breach had some security experts concerned that the bad threat actors with alleged ties to the Chinese government could be planning a future, more insidious campaign.
An attack on the MTA that would successfully take down its systems could cause significant disruptions to the lives of millions of people who depend on the public transit system in New York, said Robert Boudreaux, field chief technology officer of New York-based Deep Instinct.
“If they had gained access [to systems that control train operations], then much of New York’s transportation would have come to a standstill and the consequences of this would have been disastrous,” Boudreaux said. “Nation-states have formed small armies under strict discipline to focus on stealing money, government secrets and being disruptive. This attack could easily have been a way for the attackers to determine whether or not an isolated infrastructure could be breached and taken down, with plans for a more widespread cyberattack across the U.S. in the future.”
In unrelated transportation news that involved cybersecurity, there were reports on Wednesday that ransomware actors attacked the ferry system that serves popular vacation spots at Martha’s Vineyard and Nantucket in Massachusetts.