The team behind Pulse Secure VPN had a year to fix the flaw, which apparently it didn’t, and now one of the most notorious hacker forums has leaked its sensitive data.
Sometimes, ransomware operators go to great lengths to hack companies and blackmail them. At other times, the data is handed over to them ready for exploitation.
That is exactly the case here: a Russian hacker has leaked the IP addresses of 913 enterprise Pulse Secure VPN servers on a hacking forum, along with other confidential details.
The data is freely available to download on a Russian-speaking hacker forum and includes the following records for each IP address:
- Firmware version
- Plaintext usernames and passwords
- A list of local users and their respective password hashes
- SSH keys
- Session cookies of the VPN
Later, as reported by Bank Security, the domain names corresponding to the leaked IP addresses were also published, revealing several government sites:
A few hours ago another Threat Actor published the list of domains related to those IPs.
On the list there are different .gov domains, banks and other large companies! pic.twitter.com/WXM59kbjmE
— Bank Security (@Bank_Security) August 5, 2020
The reason behind this hack is that all of these servers were running a firmware version vulnerable to CVE-2019-11510, which the hacker successfully exploited. A simple update might have saved them, but alas.
The vulnerability exists in several versions of Pulse Secure Pulse Connect Secure (PCS) and allows an unauthenticated remote attacker to send a specially crafted Uniform Resource Identifier (URI) and read arbitrary files from the device.
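As an added illustration, not from the article or from Pulse Secure, here is a defender-side check for the class of request the CVE description above refers to: a small log scanner that flags URIs carrying directory-traversal segments, including percent-encoded and double-encoded forms. The log line format and the sample lines are constructed for this example.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not real Pulse Secure
# log output). Format: "<client-ip> <method> <uri> <status>".
SAMPLE_LOG = """\
203.0.113.5 GET /auth/login 200
203.0.113.9 GET /images/../../../../etc/passwd 200
203.0.113.9 GET /static/%2e%2e/%2e%2e/%2e%2e/etc/shadow 403
198.51.100.2 GET /portal/home 200
198.51.100.7 GET /view?file=%252e%252e%252f%252e%252e%252fetc%252fhosts 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def decode_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is exposed."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_traversal(uri: str) -> bool:
    """True if any path or query segment of the decoded URI is '..'."""
    segments = re.split(r"[/\\?&=]", decode_uri(uri))
    return ".." in segments


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, raw_uri) for every request that looks like traversal."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ip, _method, uri, _status = m.groups()
        if is_traversal(uri):
            hits.append((ip, uri))
    return hits


if __name__ == "__main__":
    for ip, uri in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {uri}")
```

A hit with a 200 status deserves the same attention as a 403: on an unpatched device the read succeeds, so the response code alone does not tell you whether the attempt failed.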
As for the damage, the forum is frequented by ransomware actors such as the REvil group, so the leak poses a serious threat to the data residing on these servers: if administrators do not immediately change the credentials, these actors could use them to gain unauthorized access to the systems.
Another complicating factor is that companies often use these servers as gateways for employees to reach internal applications, so the attackers may be able to move deeper into a company beyond the VPN servers themselves.
In a conversation with Hackread.com, Jason Garbis, Senior Vice President, Products at AppGate, said: “A CVE discovered and announced in August 2019, and here we are almost 12 months later and still, 677 enterprise devices were still unpatched exposing VPN open ports and vulnerabilities and allowing access with only a username and password. All bad. No one would ever think to design a new system with these three flaws today.”
“No enterprise can patch all vulnerabilities, it’s a near impossibility, but many need to try to patch all CVSS 8-10 at a minimum. Even this is difficult and not always foolproof as it is very difficult to patch production network access systems like firewalls and VPNs as an outage or maintenance windows can cost the business hundreds of thousands of dollars. This is why VPNs are constantly a massive target for APT groups,” said Jason.
“This is a serious problem on multiple levels. These enterprises are at immediate risk since their private networks are now effectively exposed to attackers. Add to that, chances are these users have re-used passwords for other accounts, which are now also at risk,” Jason warned.
“This all could have been easily prevented with a software-defined perimeter that adheres to the tenets of zero trust and uses a simple cryptographic technique (single-packet authorization) to cloak network entry points. This means no open ports, no systematic attacks, and no remotely exploitable vulnerabilities. Unauthorized users will be unable to even see the network entry point, and therefore be unable to connect to it or attack it,” Jason advised.
To conclude, put into perspective this is a ticking time bomb, and on the mitigation side these companies can now only take better precautions for the future. These include keeping their servers up to date and encrypting all data communication. Additionally, users could be trained to guard against social engineering attacks.