Enterprise VPN credentials leaked on hacker forum
A list containing plaintext usernames and passwords along with IP addresses for over 900 VPN servers belonging to Pulse Secure VPN has been published online as well as shared on a hacker forum used by cybercriminals.
As reported by ZDNet who broke the story, the list’s authenticity has been verified by multiple sources in the cybersecurity community and includes IP addresses of Pulse Secure VPN servers, Pulse Secure VPN server firmware versions, SSH keys for all 900 servers, usernames and cleartext passwords, admin account details, VPN session cookies and more.
The threat intelligence firm Bank Security first discovered the list online and then shared it with the news outlet. One of the company’s security researchers noted that all of the VPN servers included in the list were running an older firmware version which is vulnerable to an authentication by-pass vulnerability tracked as CVE-2019-11510.
Researchers at Bank Security believe the hacker scanned all of the IPv4 addresses on the internet looking for Pulse Secure VPN servers and then exploited the vulnerability to gain access to the company’s systems and server details. This information was then collected in a central repository and based on timestamps in the list, the usernames, passwords and server details appear to have been collected between June 24 and July 8.
Pulse Secure VPN data dump
The threat intelligence company Bad Packets has been scanning the web for vulnerable Pulse Secure VPN servers since August of last year when the CVE-2019-11510 vulnerability was made public. ZDNet reached out to the firm regarding the list and its co-founder and chief research officer Troy Mursch provided further insight on the matter, saying:
“Of the 913 unique IP addresses found in that dump, 677 were detected by Bad Packets CTI scans to be vulnerable to CVE-2019-11510 when the exploit was made public last year.”
Based on the list, it appears as if 677 companies failed to patch their VPN software since the vulnerability was made public. Now however, patching won’t be enough as vulnerable organizations will also have to change their usernames and passwords to avoid falling victim to any potential attacks.
Businesses that use Pulse Secure VPN should patch their systems and update their credentials immediately as the list was also shared on a hacker forum frequented by multiple ransomware operators including the cybercriminals behind Sodinokibi and Lockbit. This means that the login details of many Pulse Secure VPN customers are not only available online but are most likely already in the hands of cybercriminals who will use this leaked data to their advantage.
- Also check out our complete list of the best VPN services
Via ZDNet