VPN Security Warning: 900 servers hit by massive Data Breach

VPN Security Warning: 900 servers hit by massive Data Breach

A cybercriminal posted online the IP addresses, plain-text usernames and user access passwords for over 900 VPN company servers, as well as user session cookies, administrator information, and private encryption keys

The hackers posted links to plain-text lists containing the stolen data on Russian-language cybercrime forums Each of the compromised corporate VPNs was running an unpatched version of Pulse Secure VPN software as of a month ago

Pulse Secure issued a fix for the flaw in April 2019, but attacks exploiting the flaw began circulating a year earlier, in August 2019

According to ZDNet, the list includes IP addresses, firmware versions of individual servers, SSH keys, local user details, their password hashes, cookies for different VPN sessions, and user names and passwords for observed remote logins to the server, It contains data about corporate users of Pulse Secure VPN in plain text

Anyone with access to the list can use these plain-text usernames and passwords or active session cookies to remotely log into the VPN server and gain internal access to the corporate network

More sophisticated attacks are possible by cracking the password hashes of administrators or internal users or by exploiting private SSH keys

ZDNet's Catalin Cimpanu was able to see a copy of the list thanks to the assistance of a threat intelligence specialist at cybersecurity firm KELA The list has since been seen elsewhere We at Tom's Guide were able to find a copy of it in less than a minute

All of the compromised servers were vulnerable to vulnerability CVE-2019-11510 because, as noted by cybersecurity expert Bank Security, they were using outdated Pulse Secure software

The CVE post explains that exploiting this flaw "allows an unauthenticated remote attacker to send a specially crafted URI and execute the vulnerability to read arbitrary files"

Bank Security believes that the threat hacker in question was able to create this list by scanning the entire IPv4 address space, and thus the entire Internet, for VPN servers using older versions of Pulse Secure software We believe

The attackers then used the aforementioned flaw to break into each server and copy the data on each server from the end of June to early July

ZDNet also spoke with threat intelligence firm Bad Packets, which launched a search for the flawed Pulse Secure VPN servers when news of the CVE-2019-11510 security flaw broke a year ago

"Of the 913 unique IP addresses found in that dump, 677 were found vulnerable to CVE-2019-11510 by Bad Packets' CTI scan when the exploit was published last year," Bad Packets told ZDNet

Hackers accessed this information, compiled it into a list, and then uploaded it to hacker forums used by cybercrime groups such as Netwalker, Avaddon, Makop, Exorcist, and Revil

With unfettered access to this data, such groups could use the vulnerable Pulse Secure VPN server to launch devastating ransomware attacks against their targets However, the payoff is diminishing as the same fraudsters have been exploiting this flaw for at least a year now to attack companies using Pulse Secure VPN servers

It is recommended that administrators of Pulse Secure VPN servers implement a security patch for Pulse Secure and generate new passwords for all users

The importance of using one of the best VPN services recommended on the web is also reiterated: the best VPN services, such as ExpressVPN and NordVPN, have extensive data encryption features and audit anti-logging policies as well, so you can be confident that your data is not leaked anywhere

Categories