A hacker exploited a vulnerability, published as a CVE last year, to steal credentials from more than 900 unpatched Pulse Secure enterprise VPN servers. The stolen data was shared on a Russian hacker forum used by ransomware groups.
VPN Credentials Leaked
Earlier in the week, security researchers discovered that a plaintext list of Pulse Secure enterprise VPN server credentials had been leaked. The list contained the usernames and passwords belonging to more than 900 enterprise VPN servers. It also contained the VPN servers’ IP addresses, firmware versions and SSH keys, as well as admin account details, password hashes for local users and VPN session cookies.
A threat intelligence analyst, Bank Security, spotted the list on a Russian hacker forum used by ransomware groups. Bank Security stated on Twitter that “On the list there are different .gov domains, banks and other large companies!” The analyst informed the news outlet ZDNet of the list the same day; ZDNet, with the help of threat intelligence firm KELA, then verified the list’s authenticity with multiple sources in the cybersecurity community.
Pulse Secure VPN servers are used as gateways into corporate networks so that employees can access company files and applications remotely across the internet. The leaked credentials therefore give attackers a foothold into the affected companies’ entire internal networks. That is why APT groups have targeted VPN systems in the past, and why they will continue to do so. Jason Garbis, senior vice president of products at AppGate, pointed out: “These enterprises are at immediate risk, since their private networks are now effectively exposed to attackers. Add to that, chances are these users have re-used passwords for other accounts, which are now also at risk.”
Cause of Breach
It appears that the breach was made possible by companies not patching their Pulse Secure enterprise VPN servers. A researcher at Bank Security noted that none of the VPN servers on the list had been patched. They were all running an older firmware version that is vulnerable to an authentication bypass vulnerability, made public in August last year and tracked as CVE-2019-11510.
Bad Packets, a US-based threat intelligence company, has been scanning the internet for vulnerable Pulse Secure VPN servers since the vulnerability was made public. Bad Packets stated that of the 913 IP addresses on the list, 677 had still not patched their servers, despite having had over a year to do so.
Furthermore, the breach may be bigger than is currently known. The hacker may have stolen more data than has been published thus far. “The data published lists only 900 servers. What we do not know is how many more have not been released – or, which of these could be sensitive servers that are now being poked and prodded in planning for a bigger attack,” said Laurence Pitt, global security strategy director at Juniper Networks. However, patching the servers now will not be enough. Vulnerable companies will now also need to change login credentials to avoid falling victim to potential attacks.
Large enterprises sometimes leave production network VPNs unpatched because maintenance work can cost these businesses hundreds of thousands of dollars. This is despite the increased risks of malware abuse, devastating ransomware attacks and privacy breaches.
The vulnerable companies will now need to patch their Pulse Secure VPNs and change logon credentials with the utmost urgency. Eddy Bobritsky, CEO at Minerva Labs, also recommends using a One-Time Password (OTP) and urges companies to “protect the remote endpoints from future attacks as well.” As the name suggests, an OTP is a password that is valid for only one login session. Consequently, if a hacker manages to steal an OTP, it cannot be reused, because it will not be valid for the next login.