Experts Reaction On 900 Pulse Secure Enterprise VPN Passwords Leaked

A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community. The list has been shared on a Russian-speaking hacker forum frequented by multiple ransomware gangs.

According to a review, the list includes:

  • IP addresses of Pulse Secure VPN servers
  • Pulse Secure VPN server firmware version
  • SSH keys for each server
  • A list of all local users and their password hashes
  • Admin account details
  • Last VPN logins (including usernames and cleartext passwords)
  • VPN session cookie

Expert Comments

August 06, 2020
Doron Naim
Cyber Research Group Manager
CyberArk Labs
While VPNs have an essential role to provide employees and third parties with remote access, they also provide a direct data tunnel to corporate networks which can be used to provide privileged access to critical business systems and applications, i.e. the targets that are most valuable for hackers. In the case of the Pulse Secure VPN breach, usernames, plain-text passwords, and IP addresses were exposed. In and of itself, that’s concerning, but attackers could also take advantage of password reuse habits to conduct credential-based attacks on internal systems and business applications like HR and payroll -- providing a backdoor to critical data and assets. In light of this and other well-publicized breaches, it’s important organizations examine other ways to provide remote access to the most sensitive parts of the corporate network. This includes advances in Zero Trust access, granular access to only the critical system instead of the whole network, biometric multi-factor authentication and just-in-time provisioning, in combination with session isolation and management. This would allow VPNs to be dispensed with completely in some instances, including for privileged access to critical systems. Additionally, it reinforces the need to patch, whether the software lives in the cloud or the enterprise itself.
August 06, 2020
Niamh Muldoon
Senior Director of Trust and Security, EMEA
OneLogin
VPNs are typically used by organisations to protect privacy and maintain data security. This leak of passwords and usernames is the antithesis of the VPN’s purpose. The fact that this breach was the result of a firmware vulnerability goes to show the importance of running frequent audits as well as implementing a consistent updating and patching schedule. This was a vulnerability exposed last year as well, making it ever more disappointing that it wasn’t managed sooner.
August 06, 2020
Rodrigo Jazinski
CTO
CyberSmart
This is a very disturbing breach. We are seeing an increase in compromised and fraudulent VPNs recently, especially among free versions. Businesses should always be paying for legitimate VPNs as the cost of a breach like this could be enormous. Hackers with these hash keys will be able to decrypt any encryption and hashed data that was supposed to be protected via the VPN. That means everything (browsing history, passwords, PII, payment info) would be at risk of exposure and could be compromised. It is unfortunate how easily this attack could have been prevented. Unless it was a ZERO DAY attack (for example, an attack that is new and has not been used before), then complying with basic cyber security standards like those of the UK government's Cyber Essentials scheme, which includes keeping software up to date, would have protected against this. Hackers are notorious for using known vulnerabilities in software as a way in for a breach. And, all too often, organisations don't have any continuous monitoring in place to make sure they are always protected.
August 06, 2020
David Kennefick
Product Architect
edgescan
Security teams have had a lot to deal with over the last few months. This vulnerability has been in the wild for a while and by the looks of it hackers have had the chance to exploit it for nearly a year. We are starting to see the impact of this, and the servers impacted are examples of what happens when critical risk findings are not addressed. Teams need to have visibility over the versions of the software they are running and whether it might be susceptible to issues like CVE-2019-11510. You cannot fix something you don’t know about. A regular scan of your external facing estate should pick up this issue. This is the security baseline that organisations should be working towards. Since January of this year this exploit has been used in the wild to deliver ransomware, and what we are seeing now is this attack vector being leveraged to exfiltrate data. We don’t know if this has been happening since the CVE was released or not, but it is safe to assume it has been and it’s advised to take precautions based on that.
August 06, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
Attackers will try to leverage any way they can into organisations. In recent times, we've seen criminals try to compromise security software as part of their attack strategy. Because security tools are usually the first point of contact, run with higher privilege and have access to lots of data, they become a very rewarding target. It's why organisations should take care of their security tools, ensure they are patched, and follow the vendor's recommended guidance for any known issues, or settings that could be leveraged by criminals to gain access.
August 06, 2020
David Higgins
EMEA Technical Director
CyberArk
While VPNs have an essential role to provide employees and third parties with remote access, they also provide a direct data tunnel to corporate networks which can be used to provide privileged access to critical business systems and applications, i.e. the targets that are most valuable for hackers. In the case of the Pulse Secure VPN breach, usernames, plain-text passwords, and IP addresses were exposed. In and of itself, that’s concerning, but attackers could also take advantage of password reuse habits to conduct credential-based attacks on internal systems and business applications like HR and payroll – providing a backdoor to critical data and assets. In light of this and other well-publicised breaches, it’s important organisations examine other ways to provide remote access to the most sensitive parts of the corporate network. This includes advances in Zero Trust access, granular access to only the critical system instead of the whole network, biometric multi-factor authentication and just-in-time provisioning, in combination with session isolation and management. This would allow VPNs to be dispensed with completely in some instances, including for privileged access to critical systems. Additionally, it reinforces the need to patch, whether the software lives in the cloud or the enterprise itself.
August 06, 2020
Mounir Hahad
Head
Juniper Threat Labs, Juniper Networks
The immediate focus of every organization should be to ensure no future unauthorized logins occur. Anyone who had run the vulnerable version of Pulse VPN after the disclosed vulnerability should force all users to change passwords immediately and invalidate those passwords that do not get changed in a 24-hour window. Admins should also change their passwords and SSH keys on the Pulse VPN devices. It is true that the list seems to have been put together starting June 27, 2020, but that is not an indication of when the device compromise took place. This data could have been sitting in this hacker’s treasure trove for a number of months until they decided to publish it. So, even if you patched in January, consider your organization at risk. A lot of threat researchers have access to the published list, as it is now downloadable from public repositories. Therefore, you could reach out to your security vendor to ask if any of your IPs were among the leaked ones. But again, this is no guarantee that your device was not compromised and your credentials are not in some other unpublished list.
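Two of the response steps recommended above, checking whether any of your own public addresses appear in a leaked server list and locking accounts that have not rotated their password within the 24-hour grace window, as an added Python example (not code from the original page or from any vendor quoted here). The leaked IPs, the organisation's address ranges and the user records are constructed sample data using documentation ranges, not real entries from the published list.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample of leaked server IPs (RFC 5737 documentation ranges, not real entries).
LEAKED_IPS = ["192.0.2.10", "198.51.100.7", " 203.0.113.250", "not-an-ip"]

# Constructed: the address ranges this organisation exposes to the internet.
OWNED_NETWORKS = ["198.51.100.0/24", "203.0.113.0/25"]


def exposed_servers(leaked_ips, owned_networks):
    """Return the leaked IPs that fall inside any of the organisation's public ranges."""
    nets = [ip_network(n, strict=False) for n in owned_networks]
    hits = []
    for raw in leaked_ips:
        try:
            addr = ip_address(raw.strip())
        except ValueError:
            continue  # tolerate malformed entries instead of failing the whole check
        if any(addr in net for net in nets):
            hits.append(str(addr))
    return hits


def accounts_to_disable(users, reset_issued_at, now, window=timedelta(hours=24)):
    """Users who have not changed their password since the forced reset was issued.
    Nothing is disabled until the grace window has elapsed; after that, any account
    whose last change predates the reset (or never happened) is reported."""
    if now - reset_issued_at < window:
        return []
    return sorted(u for u, changed in users.items()
                  if changed is None or changed < reset_issued_at)


# Constructed sample: when the forced reset was announced, and each user's last change.
RESET_ISSUED_AT = datetime(2020, 8, 6, 9, 0, tzinfo=timezone.utc)
USERS = {
    "alice": RESET_ISSUED_AT + timedelta(hours=2),   # complied with the reset
    "bob": RESET_ISSUED_AT - timedelta(days=40),     # stale password
    "svc-backup": None,                              # never rotated
}


def sample_lockouts(hours_after_reset=25):
    """Evaluate the lockout policy at a given number of hours after the reset notice."""
    now = RESET_ISSUED_AT + timedelta(hours=hours_after_reset)
    return accounts_to_disable(USERS, RESET_ISSUED_AT, now)


if __name__ == "__main__":
    print("exposed:", exposed_servers(LEAKED_IPS, OWNED_NETWORKS))
    print("disable:", sample_lockouts())
```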
August 06, 2020
Laurence Pitt
Global Security Strategy Director
Juniper Networks
The fact that this vulnerability allowed for username/cleartext password combinations to be exposed is bad enough, but what makes it unacceptable is that this was reported in a CVE released over a year ago and fixed in a later version of the product. Organizations today rely on VPN services to keep their businesses going, as it provides access to sensitive services and data on the corporate network. The CVE which this vulnerability exploited was reported in May 2019 and even before that, research companies were releasing proof of concept data to show what could (and would) be exposed. The lesson learned here? Patch, patch, patch. The data published lists only 900 servers. What we do not know is how many more have not been released – or, which of these could be sensitive servers that are now being poked and prodded in planning for a bigger attack. If you are running an older version of code on a service as critical as the VPN is today, then find the latest version and get that upgrade planned.
August 06, 2020
Martin Cannard
Product Strategy
Stealthbits Technologies
Building a security program designed to adequately address the most prevalent threats a remote workforce poses isn’t likely to happen as quickly as most organizations need it to. However, that doesn’t mean that focus on other components of the security equation can’t be just as effective (or even more so) when considering what it is that attackers need to do once they’ve made it past the front gate. Everyone knows that attackers seek privileged access rights as their mechanism to gain access to systems and applications housing the data they ultimately look to exfiltrate from an organization. Therefore, stifling lateral movement and privilege escalation opportunities can be quite fruitful in and of itself, but also as a way to mitigate the inefficiencies or vulnerabilities that can’t be immediately addressed at the perimeter. Owning the firewall or network device gets you through the door, but aside from DoS attacks, you still need a mechanism to launch an attack. The reduction of privileged accounts and use of more modern Privileged Access Management concepts like Activity Tokens adds a further layer of defense that can make the attacker’s small win a failure in the grander scheme of things.
August 06, 2020
Saryu Nayyar
CEO
Gurucul
The reported release of user information, IP addresses, and passwords from over nine hundred Pulse Secure VPN servers is the direct result of Security Administrators not taking the time to patch their systems. The attacker leveraged a vulnerability that was discovered and reported over a year ago, and Pulse Secure themselves strongly advised applying their patch. In fact, over six hundred of the breached servers had been discovered as vulnerable last year. Even with rigid change management procedures, there is no excuse for putting off patching vital security infrastructure for months. While advanced security analytics tools can identify an unauthorized user with stolen credentials, the best practice is to keep security patches up to date and keep the bad guys out in the first place.