A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community. The list has been shared on a Russian-speaking hacker forum frequented by multiple ransomware gangs.
According to a review, the list includes:
- IP addresses of Pulse Secure VPN servers
- Pulse Secure VPN server firmware version
- SSH keys for each server
- A list of all local users and their password hashes
- Admin account details
- Last VPN logins (including usernames and cleartext passwords)
- VPN session cookie
VPNs are typically used by organisations to protect privacy and maintain data security. This leak of passwords and usernames is the antithesis of the VPN’s purpose. The fact that this breach was the result of a firmware vulnerability goes to show the importance of running frequent audits as well as implementing a consistent updating and patching schedule. This was a vulnerability exposed last year as well, making it even more disappointing that it wasn’t managed sooner.
This is a very disturbing breach. We are seeing an increase in compromised and fraudulent VPNs recently, especially among free versions. Businesses should always be paying for legitimate VPNs as the cost of a breach like this could be enormous. Hackers with these hash keys will be able to decrypt any encryption and hashed data that was supposed to be protected via the VPN. That means everything (browsing history, passwords, PII, payment info) would be at risk of exposure and could be compromised.
It is unfortunate how easily this attack could have been prevented. Unless it was a ZERO DAY attack (for example, an attack that is new and has not been used before), then complying with basic cyber security standards like those of the UK government’s Cyber Essentials scheme, which includes keeping software up to date, would have protected against this. Hackers are notorious for using known vulnerabilities in software as a way in for a breach. And, all too often, organisations don’t have any continuous monitoring in place to make sure they are always protected.
Security teams have had a lot to deal with over the last few months. This vulnerability has been in the wild for a while and by the looks of it hackers have had the chance to exploit it for nearly a year. We are starting to see the impact of this, and the servers impacted are examples of what happens when critical risk findings are not addressed.
Teams need to have visibility over the versions of the software they are running and whether it might be susceptible to issues like CVE-2019-11510. You cannot fix something you don’t know about.
A regular scan of your external facing estate should pick up this issue. This is the security baseline that organisations should be working towards.
Since January of this year this exploit has been used in the wild to deliver ransomware, and what we are seeing now is this attack vector being leveraged to exfiltrate data. We don’t know if this has been happening since the CVE was released or not, but it is safe to assume it has been, and it’s advised to take precautions based on that.
Attackers will try to leverage any way they can into organisations. In recent times, we’ve seen criminals try to compromise security software as part of their attack strategy. Because security tools are usually the first point of contact, run with higher privileges and have access to lots of data, they become a very rewarding target. It’s why organisations should take care of their security tools, ensure they are patched, and follow the vendor’s recommended guidance for any known issues or settings that could be leveraged by criminals to gain access.
While VPNs have an essential role in providing employees and third parties with remote access, they also provide a direct data tunnel to corporate networks which can be used to provide privileged access to critical business systems and applications, i.e. the targets that are most valuable for hackers.
In the case of the Pulse Secure VPN breach, usernames, plain-text passwords, and IP addresses were exposed. In and of itself, that’s concerning, but attackers could also take advantage of password reuse habits to conduct credential-based attacks on internal systems and business applications like HR and payroll — providing a backdoor to critical data and assets.
In light of this and other well-publicized breaches, it’s important organizations examine other ways to provide remote access to the most sensitive parts of the corporate network. This includes advances in Zero Trust access, granular access to only the critical system instead of the whole network, biometric multi-factor authentication and just-in-time provisioning, in combination with session isolation and management. This would allow VPNs to be dispensed with completely in some instances, including for privileged access to critical systems. Additionally, it reinforces the need to patch, whether the software lives in the cloud or the enterprise itself.