A hacker disclosed a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers.
According to the copy of the list obtained by ZDNet from threat intelligence firm KELA, the list includes:
- IP addresses of Pulse Secure VPN servers
- SSH keys for each server
- Pulse Secure VPN server firmware version
- A list of all local users and their hash codes
- Admin account information
- Last VPN logins, including usernames and clear text passwords
- VPN session cookies
The security researcher also noted that all the Pulse Secure VPN servers in the list were running a firmware version that is vulnerable to the CVE-2019-11510 flaw.
The vulnerability CVE-2019-11510 in Pulse Connect Secure is a critical arbitrary file read flaw.
Bank Security believes that the hacker who compiled this list scanned the entire Internet IPv4 address space for Pulse Secure VPN servers, used an exploit for the CVE-2019-11510 vulnerability to gain entry to systems and dump server details including usernames and passwords, and then collected all the information in one central repository.
The vulnerability could be easily exploited by using publicly available proof-of-concept code. As per the information present in the list, the attackers scanned the internet for Pulse Secure VPN servers between July 24 and July 8, 2020.
Even if companies patch their VPN servers, they must also change passwords with the utmost urgency to prevent the hackers from taking over devices and then spreading to their internal networks.
Back in August 2019, researchers from BadPackets analysed the Pulse Secure VPN endpoints vulnerable to CVE-2019-11510, using the online scanning service BinaryEdge. The researchers found 41,850 Pulse Secure VPN endpoints exposed online, of which 14,528 were susceptible to CVE-2019-11510. Most of the vulnerable hosts were in the U.S. (5,010), followed by Japan (1,511), the U.K. (830) and Germany (789).
“Making the matter worse, the list had been shared on a hacker forum that is frequented by multiple ransomware gangs. For example, the REvil (Sodinokibi), NetWalker, Lockbit, Avaddon, Makop and Exorcist ransomware gangs have threads on the same forum, and use it to recruit members (developers) and affiliates (customers),” reported ZDNet.