A list of plaintext usernames, passwords, and IP addresses allegedly stolen from over 900 Pulse Secure VPN servers has been released on a popular Russian language hacking forum. Many intelligence firms, including Binary Defense, have verified the authenticity of the leaked information. The threat actor scanned the Internet looking for any Pulse Secure VPN servers that were running a vulnerable version of the firmware. After finding the servers, they exploited the vulnerability to gain access to each server and collect the data from it. The scans appear to have happened from June 24 to July 8, 2020.
Analyst Notes
The vulnerability announcement and a patch came out in August of 2019 for the Pulse Secure VPN servers, but 677 of the 913 total servers are still vulnerable according to Bad Packets threat intelligence firm. Any company that uses Pulse Secure VPN should ensure that they have applied the patch to the servers, but also change the passwords for all users. The passwords must be changed, especially now after the data has been released. Many of the users’ passwords that were revealed in the breach files are not complex and could be guessed. It is important to educate users about picking strong passwords and to implement Multi-Factor Authentication (MFA) for remote access accounts. This information is widely available and is almost guaranteed to be used by ransomware criminal groups and by multiple APT groups. Ransomware operators and APTs use access to VPNs to steal data from companies since employees typically use these types of VPNs to access sensitive data on internal corporate networks. The original post was on a forum that is trafficked by many ransomware groups. This information can also be used by them to target the companies.
More can be read here: https://www.zdnet.com/article/hacker-leaks-passwords-for-900-enterprise-vpn-servers/
