ZDNet reports that the cybersecurity researcher known as Bank Security, who specializes in financial crime, discovered on a Russian-language hacker forum a list of IP addresses and credentials for 900 corporate Pulse Secure VPN servers.
Journalists and KELA researchers verified the data's authenticity and confirmed it was genuine. The list includes:
- Pulse Secure VPN server IP addresses;
- Pulse Secure VPN server firmware versions;
- SSH keys for each server;
- a list of all local users and their password hashes;
- administrator account details;
- the most recent VPN logins (including usernames and passwords in clear text);
- VPN session cookies.
A well-known Russian-speaking Threat Actor shared details of over 1800 IPs vulnerable to the latest Pulse CVEs.
For each IP the actor shared many details including user & administrator clear-text credentials.
Big Banks and notable organizations are on the list.
🔥PATCH NOW! 🔥 pic.twitter.com/QqyPBG17Mq
– Bank Security (@Bank_Security) August 4, 2020
Bank Security notes that every Pulse Secure VPN server on this list runs firmware vulnerable to the known vulnerability CVE-2019-11510. The researcher believes that whoever compiled the list scanned the IPv4 address space for Pulse Secure VPN servers and then accessed them using an exploit for CVE-2019-11510. In this way the attacker obtained information about each server (including usernames and passwords) and collected it all in one place. Based on the timestamps, these scans took place between June 24 and July 8, 2020.
ZDNet also consulted specialists at Bad Packets, who have been tracking vulnerable Pulse Secure VPN servers since August 2019, when details of CVE-2019-11510 were published. They said that of the 913 unique IP addresses in the dump, 677 had already been flagged by them as vulnerable to CVE-2019-11510.
This means 677 companies still have not installed the patches, even though Bad Packets ran its first scan for vulnerable servers back in June 2019. The researchers note that even if these companies patch now, they will still need to reset passwords; otherwise attackers can use the leaked credentials to take over the devices and pivot into internal networks. Since the dump also contains SSH keys and VPN session cookies, those should be rotated and invalidated as well.
Journalists note that the list of vulnerable servers was posted on a hacker forum frequented by members of well-known ransomware groups such as REvil (Sodinokibi), NetWalker, LockBit, Avaddon, Makop and Exorcist. Many of these groups gain initial access to corporate networks through vulnerable edge devices (such as Pulse Secure VPN servers), then deploy ransomware across the company's network and demand large ransoms from their victims.