Hacker leaks passwords for 900+ Pulse Secure VPN enterprise servers

ZDNet reported in exclusive that a list of passwords for 900+ enterprise VPN servers has been shared on a Russian-speaking hacker forum.

ZDNet has reported in exclusive that a list of plaintext usernames and passwords for 900 Pulse Secure VPN enterprise servers, along with IP addresses, has been shared on a Russian-speaking hacker forum.

ZDNet has obtained a copy of the list with the help of threat intelligence firm KELA and verified confirmed the authenticity of the data.

The list includes:

• IP addresses of Pulse Secure VPN servers
• Pulse Secure VPN server firmware version
• SSH keys for each server
• A list of all local users and their password hashes
• Admin account details
• Last VPN logins (including usernames and cleartext passwords)
• VPN session cookies

According to Bank Security, all the Pulse Secure VPN servers included in the list were vulnerable to the CVE-2019-11510 flaw.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

“Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability.” reads the advisory.

The vulnerability could be easily exploitable by using publicly available proof-of-concept code.

In august 2019, researchers from BadPackets analyzed the number of Pulse Secure VPN endpoints vulnerable to the CVE-2019-11510. Using the online scanning service BinaryEdge the researchers found 41,850 Pulse Secure VPN endpoints exposed online, 14,528 of them vulnerable to CVE-2019-11510.

Most of the vulnerable hosts were in the U.S. (5,010), followed by Japan (1,511), the U.K. (830) and Germany (789).

The researchers also analyzed the distribution of the vulnerable hosts by industry and discovered that the flaw affects hosts in:

According to BadPacket, 677 out of the 913 unique IP addresses found in the list were detected by Bad Packets CTI scans to be vulnerable to CVE-2019-11510 immediately after the exploit was made public in 2019.

• U.S. military, federal, state, and local government agencies
• Public universities and schools
• Hospitals and health care providers
• Electric utilities
• Major financial institutions
• Numerous Fortune 500 companies

Likely the threat actors who compiled this list scanned the internet for Pulse Secure VPN servers between June 24 and July 8, 2020, and exploited the CVE-2019-11510 vulnerability to gather server details.

Companies on the list have to update their Pulse Secure servers and of course, change their passwords.

ZDNet researchers pointed out that ransomware operators could use the leaked credentials to target large enterprise.

“Making matters worse, the list has been shared on a hacker forum that is frequented by multiple ransomware gangs. For example, the REvil (Sodinokibi), NetWalker, Lockbit, Avaddon, Makop, and Exorcist ransomware gangs have threads on the same forum, and use it to recruit members (developers) and affiliates (customers).” reported ZDNet.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Pulse VPN)

[adrotate banner=”5″]

[adrotate banner=”13″]