A security analysis researcher recently discovered “around 1,800 compromised and deflated Pulse VPN profiles” on a community forum online.
The collection contains over 900 usernames and passwords, as well as email addresses for corporate servers of Pulse Secure VPN. Half of those were the signs of the hacker’s message.
A threat intelligence firm sent authorities a copy of the Pulse VPN list, according to an exclusive report circulating online. The firm is also seeking support from different cyber-security experts to check the accuracy of the list.
The hacker made the list between June 24 and July 8, according to file timestamps. Bank Security, a threat intelligence analyst who specializes in financial crime, posted the listing on Twitter. A prominent Russian-speaking threat actor shared more than 1800 IPs new Pulse CVEs.
Bank Security commented on the list’s contents. The collection contains IP addresses and software versions of Pulse Secure VPN clients, SSH keys for each server, details of admin accounts as well as local users, and password hashes.
Hackers exploit firmware
The analysis also identified cookies for the VPN session and the last VPN usernames and passwords in cleartext. According to the security expert, all of the Pulse Secure VPN servers in the list were running a firmware version vulnerable to CVE-2019-11510, in which a remote attacker can send a specially crafted URI to trigger an arbitrary file read.
Bank Security suspected the intruder was scanning the whole IPv4 address space for Pulse Secure VPN servers. The hacker then accessed the networks using an exploit for CVE-2019-11510. The intruder then dumped system information, including usernames and passwords, and gathered all data from one source.
CVE-2019-11510 is a serious unauthorized file disclosure vulnerability in Pulse Secure VPN servers. Security experts found the bug last year.
The bug received a Common Vulnerability Scoring System (CVSS) score of 10 out of 10. A remote, unauthenticated attacker can exploit the bug to extract sensitive information, such as usernames and passwords, from compromised endpoints.
Unpatched Pulse Secure VPN Servers
Bad Packets, a US-based threat intelligence firm, released a scan in August 2019 of Pulse Secure VPN servers vulnerable to CVE-2019-11510. The firm also discovered around 677 unpatched entities on the list. Hence, the hacker included the list in the latest assault.
“Of the 913 unique IP addresses found in that dump, 677 were detected by Bad Packets CTI scans to be vulnerable to CVE-2019-11510 when the exploit was made public last year,” co-founder and chief research officer of Bad Packets said.
Worse, several hackers noted the list from a community forum, where the platform attracts consumers and developers.
By exploiting network tools like Pulse Secure VPN clients, several malware gangs target enterprise networks. They typically make massive ransom demands of the impacted companies.
Bank Security advised affected users to patch their Pulse Secure VPNs immediately. Users should also update their passwords to deter cyberattackers from using the compromised keys to monitor computers and access their internal networks.
Pulse Secure VPN servers are used as gateways for accessing corporate networks. The server enables employees to connect to internal applications directly. If breached, it often allows hackers to reach the whole internal system of the organization.