A hacker has posted a list containing usernames and plaintext passwords, along with IP addresses, for more than 900 Pulse Secure VPN servers. ZDNet, with the help of the cybersecurity company KELA, obtained a copy of the list and verified its authenticity with multiple sources in the cybersecurity community.
The list includes the following:
- IP addresses of the Pulse Secure VPN servers
- SSH keys for each server
- Administrator account details
- VPN session cookies
- Pulse Secure VPN server firmware version
- A list of all local users and their password hashes
- The most recent VPN logins, including usernames and plaintext passwords
Bank Security, a cybercrime threat analyst, also discovered the list and shared it with ZDNet, along with an interesting observation about its contents. Specifically, he reported that every Pulse Secure VPN server on the list runs a firmware version vulnerable to CVE-2019-11510. He also believes that the hacker who compiled the list scanned the entire IPv4 address space for Pulse Secure VPN servers, exploited CVE-2019-11510 to gain access to the systems, extracted server information including usernames and passwords, and then collected everything into a central repository.
Based on the information in the list, the scans, or the compilation of the list, appear to have taken place between June 24 and July 8, 2020.
Bad Packets, a US-based threat intelligence company, has been scanning the Internet for vulnerable Pulse Secure VPN servers since August 2019, when CVE-2019-11510 was made public. The company noted that of the 913 unique IP addresses on the list, 677 had already been identified by its scans as vulnerable to CVE-2019-11510 when the exploit became public in 2019.
This suggests that those 677 companies never patched between the first Bad Packets scan last year and the hacker's scans in June 2020. Even if these companies patch their Pulse Secure servers now, they will also have to change their passwords, so that attackers cannot use the leaked credentials to take over the devices and then move into their internal networks. This matters because Pulse Secure VPN servers are commonly used as gateways to corporate networks, letting staff connect remotely to internal applications from across the Internet. If compromised, such devices give attackers easy access to a company's entire internal network, which is exactly why APT and ransomware gangs have repeatedly targeted them.
In addition, the leaked list was shared on a hacking forum frequented by many ransomware gangs. For example, the REvil (Sodinokibi), NetWalker, Lockbit, Avaddon, Makop and Exorcist ransomware gangs use the same forum to recruit members (developers) and partners (clients). Many of these gangs break into corporate networks through devices such as Pulse Secure VPN servers, then deploy ransomware payloads and demand huge ransoms from their victims.
The publication of this list poses a serious risk to any company that failed to patch its Pulse Secure VPN last year, since some of the ransomware gangs active on this forum are very likely to use it in future attacks. Companies therefore need to patch their Pulse Secure VPNs and change their passwords.