Skip to content

Hackers compromise passwords for more than 900 enterprise VPN servers

hackers publish passwords for over 900 enterprise VPN servers on a hackers' forum

On August 4, a hacker published a list of plaintext usernames and passwords together with IP addresses for at least 900 Pulse Secure VPN enterprise servers. The list appeared on a Russian-speaking hacker forum frequented by many ransomware gangs.

A copy of that list obtained with the assistance of threat intelligence firm KELA was discovered to be authentic with the help of many sources in the cyber-security space. Based on an extensive review, the list features:

  • VPN session cookies
  • IP addresses acquired from Pulse Secure VPN servers
  • Last VPN logins with usernames and cleartext passwords
  • Pulse Secure VPN server firmware version
  • Admin account details
  • A list with all local users and their password hashes
  • SSH keys for every server

A threat intelligence analyst specializing in financial crime, Bank Security, spotted the list and made interesting observations about its content. The security researcher discovered that all of the Pulse Secure VPN servers on the list ran a firmware version vulnerable to the CVE-2019-11510 vulnerability.

Bank Security says that the hacker scanned the whole internet IPv4 address space for Pulse Secure VPN servers. Then, they exploited the CVE-2019-11510 vulnerability to access systems, dump server details, and then cumulated all that information in one central repository.

The List

The timestamps in the list, dates of the scans, and the date this list was compiled indicate that the incident happened between June 24 and July 8, 2020. Reporters reached out to a US-based threat intelligence company, Bad Packets, after the list appeared in public. Bad Packets said:

“Of the 913 unique IP addresses found in that dump, 677 were detected by Bad Packets CTI scans to be vulnerable to CVE-2019-11510 when the exploit was made public last year.”

The list indicates that the 677 firms did not enhance their security measures since Bad Packet’s first scan in 2019 and the June 2020 scans done by the hackers.

Companies should patch their Pulse Secure servers and change passwords to prevent hackers from exploiting leaked credentials to capture devices and spread their internal networks.

Pulse Secure VPN servers act as access gateways into corporate networks. They enable staff to connect remotely to the internal applications from across the internet.

If compromised, the devices enable hackers to easily access a company’s entire internal network. That is the primary reason why ransomware gangs and APTs have targeted these systems previously.

The list was shared on a hacker forum frequented by many ransomware gangs; which makes it worse for the involved companies.

For instance, Avaddon, Makop, the REvil (Sodinokibi), Exorcist, Lockbit, and NetWalker ransomware gangs have threads on this forum as well. They use the platform to recruit affiliates (customers) and members (developers).

Most of the gangs perform intrusions into corporate networks. They do it by leveraging network edge devices like Pulse Secure VPN servers. Then, they deploy their ransomware payload and make hefty ransom demands.

This publication is a free download. Thus, it is a literal DEFCON 1 danger level. It affects companies that are yet to patch their Pulse Secure VPN over the last 12 months. The gangs active on the forum may use the list for future attacks.

Bank Security recommends that all companies must patch their Pulse Secure VPNs and change passwords urgently.

Best Crypto Exchange for Intermediate Traders and Investors

  • Invest in cryptocurrencies and 3,000+ other assets including stocks and precious metals.

  • 0% commission on stocks - buy in bulk or just a fraction from as little as $10. Other fees apply. For more information, visit etoro.com/trading/fees.

  • Copy top-performing traders in real time, automatically.

  • eToro USA is registered with FINRA for securities trading.

30+ million Users
Securities trading offered by eToro USA Securities, Inc. (“the BD”), member of FINRA and SIPC. Cryptocurrency offered by eToro USA LLC (“the MSB”) (NMLS: 1769299) and is not FDIC or SIPC insured. Investing involves risk, and content is provided for educational purposes only, does not imply a recommendation, and is not a guarantee of future performance. Finbold.com is not an affiliate and may be compensated if you access certain products or services offered by the MSB and/or the BD

Read Next:

Finance Digest

By subscribing you agree with Finbold T&C’s & Privacy Policy

Related posts

Sign Up

or

By submitting my information, I agree to the Privacy Policy and Terms of Service.

Already have an account? Sign In

Disclaimer: The information on this website is for general informational and educational purposes only and does not constitute financial, legal, tax, or investment advice. This site does not make any financial promotions, and all content is strictly informational. By using this site, you agree to our full disclaimer and terms of use. For more information, please read our complete Global Disclaimer.