Critical infrastructure implications of the Pulse Secure multi-factor authentication bypass
The FireEye Mandiant team has discovered multiple threat actors exploiting a zero-day vulnerability in Pulse Secure VPN appliances. The attack infrastructure is very sophisticated. The attacks persist in the VPN appliances even across software updates; they remount read-only filesystems as read-write and use a variety of mechanisms to evade detection.
A variety of attack tools by a variety of threat actors are involved in exploiting the Pulse Secure systems, including four variants of a novel malware family FireEye/Mandiant has named SLOWPULSE. Three of the four variants of SLOWPULSE allow attackers to bypass two-factor authentication mechanisms in the VPN system.
Multiple sites in the USA and the European Union have been targeted. There is no information yet as to whether any industrial or critical infrastructure sites were targeted, or which ones.
Beyond the immediate emergency for all users of the compromised equipment, what does this mean for the bigger picture of industrial cybersecurity? It means two-factor authentication is not the silver bullet that many of us assumed it was. From 2015, when stolen remote access credentials enabled an attack on power distribution systems in Ukraine, through early 2021, when a stolen TeamViewer password enabled an attack on the Oldsmar, Florida water treatment plant, we have been reminded to configure all our industrial remote access systems with multi-factor authentication.
But again, the Pulse Secure VPN zero-day allowed attackers to bypass multi-factor authentication. This is not the first time such a bypass has occurred, but it is the most recent and the best publicized such incident. The lesson for industrial sites is simple – we need remote access protections that are stronger than two-factor authentication if we want to avoid being at risk in the next two-factor breach.
The secure remote access technology that the world’s most secure industrial sites use is unidirectional remote screen view technology. Unidirectional gateway hardware and software pushes screen images to external users as a video feed viewable in standard web browsers. Nothing gets back into industrial networks through the gateway hardware. To make changes to protected systems, remote experts simply pick up the phone and talk to an engineer on the inside of the industrial network, giving advice to the engineer while watching the video feed.
More generally, the Pulse Secure incident is an example of the second law of SCADA security – “all software can be hacked.” All software has defects, after all, and some of those defects are security vulnerabilities. Some of those vulnerabilities we know about and have taken action to mitigate; others (zero days) we do not yet know about, but our enemies do.
The second law applies to all software, including VPN software, two-factor authentication software and, for that matter, unidirectional remote screen view software. The difference with remote screen view software is that even if the software is compromised, the unidirectional hardware is still physically unable to send any attack information back into protected industrial networks. Even if the software is hacked, the hardware saves us.
Secure industrial sites do use software-based protections, yes – lots of them. But these sites also use physical, hardware-based unidirectional protections. This is because neither damaged equipment, nor lost production, nor public casualties from contaminated drinking water, can ever be “restored from backups.” Software protection is necessary for important industrial sites but is not sufficient.
The world will be a safer place when more industrial sites are protected with unidirectional security gateways.
For more detail on unidirectional remote access choices, please download Robust OT Security – Enterprise Visibility with Disciplined Control.
For more examples of advanced attacks on industrial control systems, please download The Top 20 Cyber Attacks on Industrial Control Systems.