Posted on August 5, 2020 at 12:12 PM
Today, a hacker leaked the plaintext usernames, passwords, and IP addresses of over 900 Pulse Secure VPN enterprise servers on a darknet forum. Threat intelligence firm, KELA, verified the originality of the list using different sources in the cybersecurity community.
Based on the list collected by KELA, the contents include admin account details, a list of all local users and their password hashes, and Pulse Secure VPN server firmware version. The list also includes VPN session cookies, Last VPN logins (including cleartext passwords and usernames), as well as IP addresses of Pulse Secure VPN servers.
Bank Security, a threat intelligence analyst that specializes in online crime, spotted the list today and observed something interesting about its content. The security researcher stated that the entire Pulse Security VPN servers within the list run a firmware version susceptible to the CVE-2019-11510 vulnerability.
CVE-2019-11510 vulnerability exploited
According to Bank security, the hacker that documented the list and released it online scanned the whole IPv4 address space for the Pulse Secure VPN servers. The hackers then utilized exploit for the CVE-2019-11510 vulnerability to infiltrate the servers and unload server details in the system. The details include usernames and passwords. After dumping the server details, the hackers picked all the information using a single repository.
According to the timestamps available on the list, the dates the hacker compiled the list seem to be from June 24 and July 8, 2020.
Another US-based threat intelligence firm known as Bad Packets has also been monitoring the internet to find out susceptible Pulse Secure VPN servers since August last year. That coincided with the time the CVE-2019-11510 vulnerability was exposed to the public.
677 firms didn’t patch system from last year
Bad Packets chief research officer and co-founder stated that Bad Packets CTI scans detected about 677 of the 913 unique IP addresses.
“Of the 913 unique IP addresses found in that dump, 677 were detected by Bad Packets CTI scans to be vulnerable to CVE-2019-11510,” he said.
The list shows that about 677 firms did not patch up their servers since Bad Packet did its first scan last year, as well as the scan the company carried out in June this year.
Even when the firms update their Pulse Secure Servers, they will require changing passwords to prevent hackers from taking advantage of leaked credentials. They could take over devices and infiltrate into their internet networks.
The updates and the change of passwords are very important. The Pulse VPN servers are used as access gateways to corporate networks for staff to easily connect remotely to internal applications across the internet.
If the types of devices are compromised it may give hackers easy access to the firm’s total internal network. That’s why ransomware and APTs gangs have been targeting the systems in the past.
Ransomware gangs share the list on forums publicly
The hackers decided to upload the stolen Pulse VPN server list on the darknet forum, which is frequently visited by ransomware groups. For instance, the Exorcist ransomware gangs, Makeup, Avaddon, Lockbit, NetWalker, and the REvil ransomware groups have different threads on the same darknet forum. They also used the same platform to recruit affiliates (customers) and members (developers).
Companies need to patch their servers
Several of the groups carry out intrusions and infiltrate corporate networks by taking advantage of network vulnerabilities and network edge devices such as Pulse Secure VPN servers. After gaining access to the servers, they deploy their ransomware payload and ask for ransom demands.
Most of these ransomware gangs have been involved in several ransom demands after stealing sensitive information from corporate organizations. Their activities have even increased during this COVID-19 period where most workers had no choice than to work from home.
However, the hackers responsible for this list published it as a free download on the forum. Most threat intelligence firms see this as a DEFCON 1 danger level for any firm that couldn’t update their Pulse Secure VPN servers over the past year. That’s because most of the active ransomware gangs may decide to make use of the list when launching future attacks.
According to Bank Security, firms should update and patch their servers as soon as possible to avoid being victims of future attacks by other ransomware groups.