APTs Go Teleworking: The Rise of VPN Exploits

Presented at Black Hat Europe 2021, Nov. 10, 2021, 2:30 p.m. (30 minutes).

Since the COVID-19 pandemic, workforces rely even more on VPN technologies for remote access into private networks.

Pulse Secure by Ivanti is a leading VPN technology. Enterprise VPN devices are often deployed at the intersection between trusted and untrusted networks and secured using multi-factor authentication and integration with Active Directory.

In April 2021, Mandiant detailed the misuse of Pulse Secure VPN devices, including by suspected Chinese-nexus threat actors for cyber espionage. Mandiant observed the use of a zero-day, CVE-2021-22893, to compromise fully patched Pulse Secure appliances, as well as re-use of previously disclosed vulnerabilities.

Attackers not only gained remote control over VPN devices at a wide variety of victims across the United States and Europe but also:
1) Deployed a total of 16 unique malware families observed in the wild, exclusively designed to operate on Pulse Secure VPN appliances, including a variety of webshells and modifications to weaken cryptographic libraries
2) Bypassed multi-factor authentication and performed credential theft
3) Employed anti-forensics and removed VPN device log files, including altering deployed backdoors after Mandiant's public disclosure in April 2021
4) Performed lateral movement into private networks, as well as accessing Microsoft 365 public cloud environments or targeting virtual environments using stolen credentials

From the perspective of an incident responder advising organizations dealing with these intrusions, this talk focuses on the investigative aspects of VPN device compromises:
1) Challenges of VPN device compromises and detection of misuse, and why this activity remained undetected
2) Overview of the campaign, the malware and the identified threat actor familiar with the Pulse Secure platform, from a European perspective
3) Best practices on digital forensics and incident response, based upon the intrusions Mandiant investigated
4) Knowing that organizations continue to rely on VPN technology, how do we secure these gatekeepers?

Presenters:

  • Bart Vanautgaerden - Senior Incident Response Consultant, Mandiant
    Bart Vanautgaerden is a Senior Consultant for Mandiant in the European region. As part of the Incident Response team, Mr. Vanautgaerden provides emergency services to clients when a security breach occurs. He also focuses on clients in governments and international organizations, creating incident response management programs, analyzing and testing existing incident response plans, conducting forensic investigations, and providing incident response, threat intelligence and digital forensics training. Mr. Vanautgaerden has an extensive background in computer forensics, computer networking, threat intelligence, incident handling and malware analysis. With over 20 years of experience in cyber security consulting and in financial, government and international organization environments, Mr. Vanautgaerden has a thorough understanding of network security, malware, computer forensics, and the tactics, techniques, and procedures leveraged by attackers. Mr. Vanautgaerden entered the cybersecurity field in 2000 and specialized in computer forensics and incident response from 2005. He has designed and implemented Remote Access VPN solutions and other cyber security solutions in financial, military, governmental and telecom environments. Mr. Vanautgaerden has held senior cybersecurity positions in both financial and international organizations, such as NATO Headquarters, advising Allies on emerging cyber security threats. Mr. Vanautgaerden is a frequent lecturer and has experience in briefing senior leadership as well as public speaking engagements. He holds CISM, CISA, ISO27001 auditor, Prince2 and CISSP certifications.