Passwords for over 900 Pulse Secure VPN enterprise servers revealed on hacker forum

The attacker likely exploited the CVE-2019-11510 security flaw to gain access to vulnerable systems

The usernames and passwords, along with other sensitive information, for more than 900 Pulse Secure VPN enterprise servers have been published online by an unidentified hacker.

The details were posted on a Russian-speaking hacker forum that is frequently visited by several cybercrime groups involved in ransomware activities.

In addition to user credentials, the list also includes the following details:

Bank Security, a threat intelligence firm specialised in financial crime, told ZDNet that all the Pulse Secure VPN servers in the list were running a firmware version vulnerable to the CVE-2019-11510 security flaw.

The firm said that the attackers likely scanned the internet's IPv4 address space for Pulse Secure VPN servers and then exploited the CVE-2019-11510 flaw to gain access to vulnerable systems. They then collected all the information from the compromised systems and placed the details in one central repository.

CVE-2019-11510 is a critical arbitrary file disclosure vulnerability in Pulse Connect Secure, the SSL VPN solution from Pulse Secure. The vulnerability was revealed last year and received a rating of 10 out of 10 on the Common Vulnerability Scoring System (CVSS), suggesting that a remote, unauthenticated attacker can easily exploit it to steal confidential information, such as usernames and passwords, from vulnerable endpoints.

While a patch for the vulnerability was released in April 2019, the bug garnered more attention after a proof of concept (PoC) for it was made public in August 2019. Soon, reports started to surface that hackers were scanning the internet in search of vulnerable endpoints and then trying to exploit the bug.

In February, researchers from Bad Packets said that they had discovered nearly 2,500 Pulse Secure VPN servers worldwide that were still vulnerable to the critical CVE-2019-11510 security flaw. The US topped the list with 718 vulnerable servers, followed by Japan with 332 and the UK with 149 vulnerable VPN servers.

Earlier this year, it also emerged that currency exchange specialist Travelex, which suffered a massive ransomware attack in December, had already been warned in September 2019 about insecure VPN servers that the firm was running. But the warning was likely ignored by the company.