It’s been reported that a hacker has published a list of over 900 plaintext usernames and passwords of Pulse Secure VPN enterprise servers – as well as IP addresses – to a Russian-speaking hacker forum that is frequented by multiple ransomware gangs.
Technology news outlet ZDNet obtained an exclusive copy of the list with the help of threat intelligence firm KELA and verified its authenticity with multiple sources in the cyber-security community.
The published list includes:
~ The IP addresses of the Pulse Secure VPN servers
~ The last VPN logins – which include usernames and cleartext passwords
~ A list of all local users and their password hashes
~ Admin account details
~ Pulse Secure VPN server firmware version
~ SSH keys for each server
~ VPN session cookies
The list was spotted by Bank Security, a threat intelligence analyst who specializes in financial crime. The researcher noted that all of the Pulse Secure VPN servers included in the list were running a firmware version vulnerable to CVE-2019-11510, a 2019 vulnerability whose description reads: "In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability."
It is believed that the hacker who compiled this list did so by scanning the entire internet IPv4 address space for Pulse Secure VPN servers. They then used an exploit for the CVE-2019-11510 vulnerability in order to gain access to the systems and obtain the security details.
WHAT TO DO IF YOU’RE AFFECTED
Pulse Secure VPN servers are usually used to allow staff to connect remotely to internal company applications.
Compromised systems allow hackers easy access to a company’s network.
It is important for companies to immediately patch any affected Pulse Secure servers.
It is equally important that those companies then change their passwords.
These actions are imperative for company protection, as many of the gangs that have access to this data tend to deploy their ransomware and then demand huge ransom amounts in order for companies to have access to their files again.
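As an added example (not part of the original article), the following Python check flags inventory entries whose firmware falls inside the version ranges quoted in the CVE-2019-11510 description above. The hostnames and version strings in the sample inventory are constructed, and branches not named in that description are reported as unknown rather than guessed.

```python
import re

# Fixed releases per branch, taken from the CVE-2019-11510 description quoted above.
FIXED = {
    (8, 2): (12, 1),   # 8.2 before 8.2R12.1
    (8, 3): (7, 1),    # 8.3 before 8.3R7.1
    (9, 0): (3, 4),    # 9.0 before 9.0R3.4
}

# Matches e.g. "9.0R3.4", "8.3R7", "8.2R12.1 (build 1234)"; the "R" is case-insensitive.
VERSION_RE = re.compile(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", re.IGNORECASE)


def classify(version):
    """Return 'vulnerable', 'fixed', or 'unknown' for a PCS version string."""
    m = VERSION_RE.search(version or "")
    if not m:
        return "unknown"          # unparseable: needs a manual look
    major, minor, rel = int(m[1]), int(m[2]), int(m[3])
    patch = int(m[4]) if m[4] else 0
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown"          # branch not named in the quoted description
    return "vulnerable" if (rel, patch) < fixed else "fixed"


def triage(inventory):
    """Classify (host, version) pairs; vulnerable hosts sort first, then unknown."""
    order = {"vulnerable": 0, "unknown": 1, "fixed": 2}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("vpn-a.example.com", "9.0R3.4"),
    ("vpn-b.example.com", "9.0R3.2"),
    ("vpn-c.example.com", "8.3R7"),
    ("vpn-d.example.com", "8.2R12.1 (build 1234)"),
    ("vpn-e.example.com", "9.1R1"),
    ("vpn-f.example.com", "not reported"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<10} {host:<20} {ver}")
```

A "fixed" result only says the patch is in place; passwords used on a server while it ran a vulnerable version still need to be changed, as described above.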
As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648