The access data of nearly a thousand enterprise VPN servers was published by an unknown actor, ZDNet reported. Experts at the security company KELA confirmed the authenticity of the disclosed access information. The sensitive data was leaked in plain text on a Russian-language hacker forum, putting some 913 enterprise Pulse Secure VPN servers at risk.
The leak was first spotted and reported by researchers at Bank Security. The leaked information includes the IP addresses and firmware versions of the affected Pulse Secure VPN servers, their SSH keys, lists of local users with the associated password hashes, administrator account details, records of the most recent VPN logins to the servers (including usernames and plaintext passwords), and cookies for active VPN sessions.
A VULNERABILITY KNOWN FOR ONE YEAR
According to Bank Security researchers, all of the affected servers ran firmware containing the vulnerability tracked as CVE-2019-11510, which lets an attacker read arbitrary files on the target server, without authenticating, by sending a specially crafted URI (Uniform Resource Identifier).
The perpetrators most likely scanned the entire IPv4 address space for Pulse Secure VPN servers, accessed each one through this vulnerability, and extracted the data, which was then collected in a database. Based on the timestamps in the list, the perpetrators had access to the servers between June 24 and July 8 this year, although it is possible that the dates only indicate when each entry was added to the list.
According to ZDNet, 677 of the 913 unique IP addresses in the list had already been detected as vulnerable to this flaw when it was disclosed last year, so the companies involved appear to have failed to install the necessary security patches since then. Installing the update alone is not enough: after patching, companies must also change their passwords, otherwise attackers can reuse credentials that may already have been leaked to gain access to internal systems.
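The article describes the flaw only as an arbitrary file read triggered by a crafted URI. For a defender, the practical question is whether such requests show up in the appliance's web logs, and whether they were answered with a 200 (file served) rather than a 404. The following detector is an added example written for this page; it is not code from the article, from ZDNet or from Pulse Secure. It URL-decodes each request target (repeatedly, to catch double encoding) and flags any path or query value whose ".." segments climb above the web root. The log lines are constructed in combined log format; the /dana-na/ prefix is the Pulse Secure web-interface path, and the traversal shape in the second line follows the pattern published in public advisories for this CVE, but none of the lines is real traffic.

```python
"""
Added example (not from the article or from Pulse Secure): flag HTTP requests
against a Pulse Secure VPN web interface that attempt directory traversal.
The detection is generic: decode the request target, then check whether its
'..' segments escape the web root. A 200 response to such a request is the
signal that the file was actually served, i.e. the appliance was unpatched.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (combined log format). Assumption: the appliance
# logs the raw request target; /dana-na/ is the Pulse Secure web prefix.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2020:10:01:22 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jun/2020:10:02:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1834 "-" "python-requests/2.22.0"
198.51.100.23 - - [24/Jun/2020:10:02:06 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1834 "-" "python-requests/2.22.0"
192.0.2.44 - - [24/Jun/2020:10:03:41 +0000] "GET /dana-na/auth/url_default/welcome.cgi?p=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 312 "-" "curl/7.68.0"
192.0.2.44 - - [24/Jun/2020:10:04:00 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, defeating double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(path: str) -> bool:
    """True if resolving '..' segments ever climbs above the starting directory."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_request(target: str) -> list:
    """Return the list of reasons a request target looks like traversal (empty if clean)."""
    decoded = fully_decode(target)
    path, _, query = decoded.partition("?")
    reasons = []
    if escapes_root(path):
        reasons.append("path traversal escapes web root")
    for kv in query.split("&"):
        _, _, value = kv.partition("=")
        if ".." in value and escapes_root(value):
            reasons.append("traversal in query parameter")
            break
    # A second decoding round changing the result means multi-level encoding,
    # a classic attempt to slip past naive pattern matching.
    if unquote(target) != decoded:
        reasons.append("multi-level URL encoding")
    return reasons


def scan_log(text: str) -> list:
    """Parse log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m["target"])
        if reasons:
            status = int(m["status"])
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": status,
                "served": status == 200,  # file read succeeded: treat host as compromised
                "decoded": fully_decode(m["target"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f'{f["ts"]} {f["ip"]} {flag} {f["decoded"]} :: {", ".join(f["reasons"])}')
```

Run against real appliance logs, every finding with "served" set is a host whose files were read and whose local credentials and session store must be treated as leaked, regardless of whether its IP appears in the published list.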
Pulse Secure VPN servers matter because in many cases they provide employees with remote access to the corporate infrastructure, so it is easy to see why keeping them patched is important. With the leaked data in hand, unauthorized parties can not only obtain sensitive corporate data but can also carry out ransomware attacks or deliver other malware to corporate systems.
HUGE SECURITY RISK
The database, according to experts, has just been published on a forum that ransomware operators frequent, a popular "customer acquisition" venue for members of the well-known criminal groups Sodinokibi, NetWalker, Lockbit, Avaddon and Exorcist, among others.
Accordingly, it is of paramount importance for the companies affected by the leak to patch this vulnerability without delay and to change their login details immediately. Since the leak also contained SSH keys and VPN session cookies, changing passwords alone is not sufficient: the keys should be replaced and active sessions terminated as well. It is not yet known whether the servers on the list have been compromised beyond the initial exploitation of the vulnerability and whether further damage has been caused.
Gellert is Technology Editor at Counting News Media and a contributor to other major tech publications. Her interests include testing new gadgets and reading.