According to a new report, Chinese threat actors breached North America’s largest transport network in a likely cyber-espionage campaign earlier this year.
The attackers reportedly exploited a zero-day vulnerability in the Pulse Connect Secure remote access product to penetrate the IT systems of New York’s Metropolitan Transportation Authority (MTA) in April.
Although they achieved persistence for several days and compromised three of the transit authority’s 18 computer systems, the MTA claimed that the actors stole no customer or internal data and made no changes to critical systems.
“Our response to the attack, coordinated and managed closely with state and federal agencies, demonstrated that while an attack itself was not preventable, our cybersecurity defense systems stopped it from spreading through MTA systems,” a statement sent to the New York Times revealed.
The MTA is said to have begun a forensic review following warnings about the zero-day by US authorities.
According to the report, the attack involved two sets of Chinese threat groups. A potential target for the attack was insider information on subway cars and rail networks that could allow the country to dominate the global market.
Pulse Secure customers were warned about the bug in late April. As Infosecurity reported at the time, CVE-2021-22893 has a CVSS score of 10.0 and is listed as a critical authentication bypass.
It was being exploited in combination with multiple legacy CVEs in the product from 2019 and 2020 to bypass multi-factor authentication — enabling attackers to install web shells and perform espionage activities.
Brooks Wallace, VP EMEA at Deep Instinct, argued that although the attackers didn’t cause any physical damage to transport networks around New York, they had the opportunity.
“This attack could easily have been a way for the attackers to determine whether or not an isolated infrastructure could be breached and taken down, with plans for a more widespread cyber-attack across the US in the future,” he added.
“Staying at the bleeding edge of innovation is the only way to outpace the attackers. The best protection against attacks such as this one is a multi-layered approach using a variety of solutions. A ‘prevention-first’ mindset is also key.”