Hacker Leaks Passwords for 900 Corporate VPN Servers

According to ZDNet, a cybersecurity researcher who publishes under the name Bank Security and specializes in financial crime found a list of IP addresses and credentials for roughly 900 corporate Pulse Secure VPN servers posted on a Russian-language hacker forum.

The post mentioned 1,200 servers, but researchers were able to verify only 900. Photo: Bank Security

Journalists and researchers from the threat intelligence company KELA independently confirmed that the data was authentic. The leaked information included:

  • IP addresses of Pulse Secure VPN servers
  • Firmware versions of Pulse Secure VPN servers
  • SSH keys for each server
  • List of all local users and password hashes
  • Administrator account credentials
  • Data on recent VPN logins (including usernames and passwords in plain text)
  • VPN session cookies

Bank Security noted that every Pulse Secure VPN server on the list was running firmware vulnerable to the well-known CVE-2019-11510 vulnerability, a pre-authentication arbitrary file read in Pulse Connect Secure that lets an unauthenticated attacker pull files (including cached credentials and session data) off the appliance with a single crafted HTTP request. The researcher believes the list was compiled by scanning the IPv4 address space for Pulse Secure VPN servers and then exploiting CVE-2019-11510 on each one to read the files that hold the usernames, passwords, keys and session cookies, and finally collating the results in one place. Based on the timestamps, the scans took place between June 24 and July 8, 2020.
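The mass-exploitation described above leaves a distinctive trace in the appliance's web access logs: a request that traverses from `/dana-na/` into `/dana/html5acc/guacamole/` and then climbs out with `../` sequences to reach an arbitrary file. The following detection script is an added example (not code from the article or from any of the researchers it cites) that scans access-log lines for that public CVE-2019-11510 signature and reports which file each request targeted and whether the server answered with a 200 and a body, which is the usual sign the read succeeded. The log lines are constructed for the example, the log format is assumed to be the Apache/nginx combined format, and the list of "sensitive" file paths comes from public analyses of the exploit rather than from this page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not from the article).
# Lines 2 and 3 carry the public CVE-2019-11510 traversal signature; line 3
# also URL-encodes the slashes, which naive string matching would miss.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2020:10:01:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
198.51.100.23 - - [25/Jun/2020:10:02:44 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1433
198.51.100.23 - - [25/Jun/2020:10:02:45 +0000] "GET /dana-na/..%2Fdana/html5acc/guacamole/..%2F..%2F..%2F..%2F..%2F..%2Fdata/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 917504
192.0.2.9 - - [25/Jun/2020:10:03:01 +0000] "GET /dana/home/index.cgi HTTP/1.1" 302 0
"""

# Assumed combined log format: client ip, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# The public signature: traversal out of /dana-na/ into the html5acc directory
# followed by one or more "../" segments that escape the web root.
TRAVERSAL_RE = re.compile(r'/dana-na/\.\./dana/html5acc/guacamole/(\.\./)+', re.IGNORECASE)

# Files that public analyses of the exploit report attackers reading:
# system accounts, the cached-credential database and the session store.
SENSITIVE_FILES = (
    "/etc/passwd",
    "/data/runtime/mtmp/lmdb/dataa/data.mdb",
    "/data/runtime/mtmp/system",
)


def normalise_target(target):
    """URL-decode up to three times so %2F and %252F encodings still match,
    then drop the query string (the exploit appends one to reach the right handler)."""
    decoded = target
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.split("?", 1)[0]


def classify_target(target):
    """Return the sensitive file a traversal request aimed at, 'other' for a
    traversal to any other path, or None when the request is not an attempt."""
    path = normalise_target(target)
    if not TRAVERSAL_RE.search(path):
        return None
    for f in SENSITIVE_FILES:
        if path.endswith(f):
            return f
    return "other"


def find_exploit_attempts(log_text):
    """Scan log lines and return one record per CVE-2019-11510 attempt.
    'success' is True when the server returned 200 with a non-empty body."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        target_file = classify_target(m.group("target"))
        if target_file is None:
            continue
        body = m.group("bytes")
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "file": target_file,
            "status": int(m.group("status")),
            "success": m.group("status") == "200" and body not in ("-", "0"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(hit)
```

A successful hit against `data.mdb` or `/data/runtime/mtmp/system` means cached credentials or live session cookies left the box, so the response is the same one the article describes for the leaked list: patch, then reset every local and admin password, rotate SSH keys and invalidate all VPN sessions.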

ZDNet also consulted Bad Packets, a company that has been scanning the internet for vulnerable Pulse Secure VPN servers since August 2019, when details of CVE-2019-11510 were first published. Bad Packets reported that of the 913 unique IP addresses in the dump, 677 had already been flagged by its scans as vulnerable to CVE-2019-11510.

This means that 677 organizations still had not installed the patch, even though Bad Packets ran its first scans for vulnerable servers back in August 2019. Researchers stress that installing the patch now is not enough on its own: the dump already contains working passwords, SSH keys and session cookies, so every affected organization also needs to reset all local and administrator passwords, rotate the SSH keys, invalidate active VPN sessions and check for follow-on activity, or the leaked data can still be used to take over the devices and move further into the internal network.
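Bad Packets flagged the 677 servers by firmware version, and an organization checking whether its own appliance (or an entry in a dump like this one) is exposed can do the same. The script below is an added example, not code from the article or from Bad Packets: it parses Pulse Connect Secure version strings and compares them against the fixed releases published in the vendor advisory for CVE-2019-11510 (9.0R3.4 and 9.0R4, 8.3R7.1, 8.2R12.1 and 8.1R15.1). The dump excerpt is constructed for the example, the `version` column format is assumed to be the plain `<branch>R<release>` form, and the handling of branches older than 8.1 (treated as unsupported, hence exposed) is an assumption noted in the code.

```python
import re
from collections import Counter

# Minimum fixed release per affected branch, from the vendor advisory for
# CVE-2019-11510. A release tuple below the listed one is vulnerable.
FIXED = {
    "9.0": (3, 4),   # 9.0R3.4 (9.0R4 and later are also fixed)
    "8.3": (7, 1),   # 8.3R7.1
    "8.2": (12, 1),  # 8.2R12.1
    "8.1": (15, 1),  # 8.1R15.1
}

# Assumed version-string format, e.g. "9.0R3.2" or "8.3R7.1 (build 12345)".
VERSION_RE = re.compile(r'^(?P<branch>\d+\.\d+)R(?P<rel>\d+(?:\.\d+)*)')

# Constructed dump excerpt for this example: "<ip> <firmware version>".
SAMPLE_DUMP = """\
203.0.113.5   9.0R3.2
203.0.113.6   9.0R3.4
198.51.100.8  8.3R7
198.51.100.9  8.2R12.1
192.0.2.17    8.1R14
192.0.2.18    9.1R2
192.0.2.19    8.0R16
192.0.2.20    garbage
"""


def parse_version(text):
    """Split '9.0R3.2' into ('9.0', (3, 2)); return None for anything unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    release = tuple(int(part) for part in m.group("rel").split("."))
    return m.group("branch"), release


def status(version):
    """Classify one firmware version against the CVE-2019-11510 fixed releases."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"        # needs manual review rather than a silent pass
    branch, release = parsed
    if branch in FIXED:
        # Tuple comparison handles 9.0R3 < 9.0R3.4 < 9.0R4 correctly.
        return "vulnerable" if release < FIXED[branch] else "patched"
    branch_tuple = tuple(int(part) for part in branch.split("."))
    if branch_tuple > (9, 0):
        return "unaffected"     # 9.1 and later were never in the affected range
    # Assumption: branches older than 8.1 received no fix and should be
    # treated as exposed until upgraded.
    return "unsupported"


def triage(dump_text):
    """Classify every '<ip> <version>' line and return (rows, summary counter)."""
    rows = []
    for line in dump_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, version = fields[0], fields[1]
        rows.append({"ip": ip, "version": version, "status": status(version)})
    return rows, Counter(row["status"] for row in rows)


if __name__ == "__main__":
    rows, summary = triage(SAMPLE_DUMP)
    for row in rows:
        print(f'{row["ip"]:<14} {row["version"]:<10} {row["status"]}')
    print(dict(summary))
```

Note that a "patched" result only says the server can no longer be exploited through CVE-2019-11510; it says nothing about credentials or session cookies that were already read out while it was vulnerable, which is exactly why the researchers insist on password and key rotation in addition to the upgrade.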

ZDNet also pointed out that the list was published on a hacker forum frequented by members of well-known ransomware groups such as REvil (Sodinokibi), NetWalker, LockBit, Avaddon, Makop and Exorcist. Many of these groups gain their initial foothold in corporate networks through vulnerable edge devices such as Pulse Secure VPN servers, then move laterally, deploy ransomware across the network and demand large ransoms from their victims.
