On August 4, a hacker published a list of plaintext usernames and passwords together with IP addresses for at least 900 Pulse Secure VPN enterprise servers. The list appeared on a Russian-speaking hacker forum frequented by many ransomware gangs.
A copy of the list, obtained with the assistance of threat intelligence firm KELA, was verified as authentic by multiple sources in the cyber-security community. Based on an extensive review, the list contains:
- VPN session cookies
- IP addresses of the Pulse Secure VPN servers
- Last VPN logins with usernames and cleartext passwords
- Pulse Secure VPN server firmware version
- Admin account details
- A list with all local users and their password hashes
- SSH keys for every server
Bank Security, a threat intelligence analyst specializing in financial crime, spotted the list and made some notable observations about its content. The researcher found that every Pulse Secure VPN server on the list ran a firmware version vulnerable to CVE-2019-11510.
According to Bank Security, the hacker scanned the entire IPv4 address space for Pulse Secure VPN servers, then exploited CVE-2019-11510 to access the vulnerable systems and dump their details, and finally collected all of that information in one central repository.
The timestamps in the list, dates of the scans, and the date this list was compiled indicate that the incident happened between June 24 and July 8, 2020. Reporters reached out to a US-based threat intelligence company, Bad Packets, after the list appeared in public. Bad Packets said:
“Of the 913 unique IP addresses found in that dump, 677 were detected by Bad Packets CTI scans to be vulnerable to CVE-2019-11510 when the exploit was made public last year.”
The list indicates that those 677 organizations did not improve their security posture between Bad Packets' first scan in 2019 and the hacker's scans in June 2020.
Companies should patch their Pulse Secure servers and change passwords, so that the leaked credentials cannot be used to take over the devices and move further into their internal networks.
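The first question a defender has on reading this is whether any of their own servers appear in the dump. The script below is an added example, not code from the article or from Pulse Secure: it checks a dump against an organization's own public address ranges and derives the clean-up actions implied by each leaked field. Since the article does not describe the dump's layout, the JSON-lines format, field names and sample records are constructed assumptions.

```python
"""Exposure triage for a leaked VPN-server dump (added example)."""
import ipaddress
import json

# Constructed sample records; the fields mirror what the article says the dump
# holds (server IP, firmware version, last logins, admin accounts, SSH keys).
# The real dump format is unknown, so this layout is an assumption.
SAMPLE_DUMP = """
{"ip": "203.0.113.10", "firmware": "9.0R2", "users": ["alice", "bob"], "admins": ["admin"], "ssh_keys": 2}
{"ip": "198.51.100.7", "firmware": "8.3R5", "users": ["carol"], "admins": ["admin"], "ssh_keys": 1}
{"ip": "192.0.2.200", "firmware": "9.0R1", "users": ["dave"], "admins": ["root"], "ssh_keys": 3}
not a json line
"""

# Constructed inventory of the defender's own internet-facing ranges
# (RFC 5737 documentation networks, used here as placeholders).
OWN_NETWORKS = ["203.0.113.0/24", "198.51.100.0/25"]


def parse_dump(text):
    """Parse JSON-lines records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ip"] = ipaddress.ip_address(rec["ip"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: ignore rather than abort the triage
        records.append(rec)
    return records


def affected_assets(records, own_networks):
    """Return the dump records whose server IP lies inside one of our networks."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    return [r for r in records if any(r["ip"] in n for n in nets)]


def remediation_plan(record):
    """Clean-up actions implied by the leaked data for one affected server."""
    actions = ["patch firmware (currently %s)" % record["firmware"],
               "invalidate all active VPN sessions"]  # session cookies leaked
    actions += ["reset password for user %s" % u for u in record.get("users", [])]
    actions += ["reset password for admin %s" % a for a in record.get("admins", [])]
    if record.get("ssh_keys", 0):
        actions.append("rotate %d SSH key(s)" % record["ssh_keys"])
    return actions
```

Run `remediation_plan` over `affected_assets(parse_dump(dump), OWN_NETWORKS)` to get a per-server checklist; local password hashes in the dump should be treated as cracked, so every local account is reset, not only those with a cleartext password.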
Pulse Secure VPN servers act as access gateways into corporate networks. They let staff connect remotely to internal applications from across the internet.
If compromised, the devices enable hackers to easily access a company’s entire internal network. That is the primary reason why ransomware gangs and APTs have targeted these systems previously.
List published on a forum popular with ransomware gangs
The list was shared on a hacker forum frequented by many ransomware gangs, which makes the situation worse for the affected companies.
For instance, Avaddon, Makop, the REvil (Sodinokibi), Exorcist, Lockbit, and NetWalker ransomware gangs have threads on this forum as well. They use the platform to recruit affiliates (customers) and members (developers).
Most of the gangs perform intrusions into corporate networks. They do it by leveraging network edge devices like Pulse Secure VPN servers. Then, they deploy their ransomware payload and make hefty ransom demands.
Because the list is a free download, it represents a literal DEFCON 1 danger level for companies that have not patched their Pulse Secure VPN servers over the last 12 months. The gangs active on the forum may use the list in future attacks.
Bank Security recommends that all companies patch their Pulse Secure VPNs and change passwords urgently.