Addicted to Download.hr
ZDNet: "Hacker leaks passwords for 900+ enterprise VPN servers"
Continue Reading: Hacker leaks passwords for 900+ enterprise VPN servers
A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. The list has been shared on a Russian-speaking hacker forum frequented by multiple ransomware gangs.
ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.
According to a review, the list includes:
- IP addresses of Pulse Secure VPN servers
- Pulse Secure VPN server firmware version
- SSH keys for each server
- A list of all local users and their password hashes
- Admin account details
- Last VPN logins (including usernames and cleartext passwords)
- VPN session cookies
Bank Security, a threat intelligence analyst specialized in financial crime and the one who spotted the list earlier today and shared it with ZDNet, made an interesting observation about the list and its content.
The security researcher noted that all the Pulse Secure VPN servers included in the list were running a firmware version vulnerable to the CVE-2019-11510 vulnerability.
Bank Security believes that the hacker who compiled this list scanned the entire internet IPv4 address space for Pulse Secure VPN servers, used an exploit for the CVE-2019-11510 vulnerability to gain access to systems, dump server details (including usernames and passwords), and then collected all the information in one central repository.
Based on timestamps in the list (a collection of folders), the dates of the scans, or the date the list was compiled, appear to between June 24 and July 8, 2020.
ZDNet has also reached out to Bad Packets, a US-based threat intelligence company that has been scanning the internet for vulnerable Pulse Secure VPN servers since August 2019, when the CVE-2019-11510 vulnerability was made public...