Hacker shares passwords from 900 corporate VPN servers

Brother



Journalists of the ZDNet publication report that information security researcher Bank Security, specializing in financial crimes, found on a Russian-language hacker forum a list of IP addresses and credentials for 900 corporate Pulse Secure VPN servers.


The forum announcement claims 1,200 servers, but the researchers counted only 900.

Reporters and KELA researchers verified the authenticity of the data and confirmed that it was not fake. The list includes:
  • Pulse Secure VPN server IP addresses;
  • Pulse Secure VPN server firmware versions;
  • SSH keys for each server;
  • a list of all local users and their password hashes;
  • administrator account details;
  • the last VPN logins (including usernames and passwords in clear text);
  • VPN session cookies.

Bank Security notes that every Pulse Secure VPN server on the list runs firmware vulnerable to the known issue CVE-2019-11510. The expert believes that the person who compiled the list scanned the IPv4 address space for Pulse Secure VPN servers and then used an exploit for CVE-2019-11510 against them. In this way the attacker obtained the server information (including usernames and passwords) and gathered it all in one place. Timestamps in the dump indicate that the scans took place between June 24 and July 8, 2020.



ZDNet journalists also consulted specialists at Bad Packets, who have been monitoring the problem of vulnerable Pulse Secure VPN servers since August 2019, when details of CVE-2019-11510 were published. The experts said that of the 913 unique IP addresses present in the dump, 677 had already been flagged by them as vulnerable to CVE-2019-11510.

Thus, it turns out that 677 companies have still not installed the patches, even though Bad Packets carried out its first scan for vulnerable servers back in June 2019. The researchers stress that even if these companies patch now, they will still need to change their passwords, since otherwise attackers can use the leaked data to take over the devices and then launch further attacks on the internal networks behind them.
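The point above (patching alone does not undo what was already taken) is easy to lose in a large fleet, so here is an added defender-side triage example. It is not code from the article, from ZDNet, Bad Packets or KELA, and it assumes a constructed CSV inventory format and hypothetical hostnames and dates. Using the article's scan window (June 24 to July 8, 2020) as the exposure cut-off, it works through the leaked artefact types listed earlier (firmware, SSH keys, local user passwords, administrator account, session cookies) and reports, per server, which remediation steps are still outstanding.

```python
import csv
import io
from datetime import datetime, timezone

# Exposure window reported in the article: scans ran June 24 - July 8, 2020.
# Assumption: any credential or key that was last changed before the end of
# that window has to be treated as leaked.
EXPOSURE_END = datetime(2020, 7, 8, 23, 59, 59, tzinfo=timezone.utc)

# Constructed server inventory (hypothetical hostnames and dates).
# Empty timestamp fields mean "never rotated".
SERVERS_CSV = """\
server,firmware_patched,ssh_key_rotated,sessions_invalidated,admin_password_changed
vpn1.example.test,yes,2020-08-02T10:00:00Z,yes,2020-08-02T10:05:00Z
vpn2.example.test,no,,no,
"""

# Constructed list of local VPN users with their last password change.
ACCOUNTS_CSV = """\
server,username,last_password_change
vpn1.example.test,alice,2020-05-10T08:00:00Z
vpn1.example.test,bob,2020-08-01T12:30:00Z
vpn2.example.test,svc-backup,2019-11-02T00:00:00Z
vpn2.example.test,carol,2020-07-20T09:15:00Z
"""


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; an empty field yields None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rotated_after_exposure(ts_value):
    """True only if the secret was changed strictly after the scan window."""
    ts = parse_ts(ts_value)
    return ts is not None and ts > EXPOSURE_END


def triage(servers_csv, accounts_csv):
    """Return {server: [outstanding actions]} for the whole fleet."""
    actions = {}
    for row in csv.DictReader(io.StringIO(servers_csv)):
        todo = []
        # The firmware fix closes the hole; everything below handles what
        # was already taken through it.
        if row["firmware_patched"].strip().lower() != "yes":
            todo.append("patch firmware for CVE-2019-11510")
        if not rotated_after_exposure(row["ssh_key_rotated"]):
            todo.append("rotate SSH keys")
        if row["sessions_invalidated"].strip().lower() != "yes":
            todo.append("invalidate VPN session cookies")
        if not rotated_after_exposure(row["admin_password_changed"]):
            todo.append("change administrator password")
        actions[row["server"]] = todo

    # Local users: hashes and some clear-text passwords were in the dump,
    # so every password not changed after the window must be reset.
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if not rotated_after_exposure(row["last_password_change"]):
            actions.setdefault(row["server"], []).append(
                f"reset password for local user {row['username']}"
            )
    return actions


if __name__ == "__main__":
    for server, todo in triage(SERVERS_CSV, ACCOUNTS_CSV).items():
        print(server, "->", "; ".join(todo) or "no outstanding actions")
```

The cut-off is deliberately the end of the scan window rather than its start: a password changed on July 1 could still have been captured by a scan on July 8. In the constructed data this leaves one stale account on the patched server and a full set of actions on the unpatched one.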

Journalists note that the list of vulnerable servers was published on a hacker forum frequented by members of well-known ransomware groups such as REvil (Sodinokibi), NetWalker, Lockbit, Avaddon, Makop and Exorcist. Many of these groups gain initial access to corporate networks through vulnerable network edge devices (such as Pulse Secure VPN servers), then deploy ransomware across the company's network and demand huge ransoms from the victims.