A Russian hacker has recently published sensitive credentials belonging to more than 900 enterprise VPN servers.
The leaked data, covering 913 IP addresses of Pulse Secure VPN servers, includes login details (usernames and passwords). It was posted on a hacking forum frequented by several ransomware groups.
Exploiting the CVE-2019-11510 Vulnerability
All of the Pulse Secure VPN servers in the leak were reportedly running a firmware version vulnerable to CVE-2019-11510. The Common Vulnerabilities and Exposures (CVE) entry describes it as a "critical arbitrary file disclosure" vulnerability in Pulse Connect Secure, Pulse Secure's SSL VPN product.
Under the Common Vulnerability Scoring System (CVSS), the standard scheme for rating the severity of vulnerabilities, CVE-2019-11510 scores 10.0, the maximum, which CVSS 3.0 rates as critical.
The vulnerability allows an unauthenticated remote attacker to read files from the VPN appliance, including usernames and plaintext passwords, through its unauthenticated web endpoints. Pulse Secure's advisory describes it as follows: an "unauthenticated, remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability."
Pulse Secure addressed the vulnerability with an out-of-cycle patch released in April 2019. However, CVE-2019-11510 drew renewed attention after a proof of concept (PoC) was released in August of the same year. The accompanying research demonstrated how an external attacker could abuse a flaw in the pre-authentication process and, by chaining multiple vulnerabilities, fully compromise a device given enough time and effort.
The PoC report found that more than 42,000 devices worldwide remained at risk of being breached if left unpatched.
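The advisory quoted above describes the flaw as a specially crafted URI that reads arbitrary files. A defender who cannot patch immediately, or who wants to know whether the flaw was tried against a server before it was patched, can look for path-traversal requests in the appliance's HTTPS access logs. The Python below is an added example written for this article, not code from Pulse Secure or from the PoC, and it is deliberately generic rather than a signature for this one CVE: it percent-decodes each request path repeatedly (so double-encoded `..` is caught), walks the path segments, and flags any request containing `..` segments, rating it higher when the walk climbs above the web root. The log lines, IP addresses and paths are constructed; `/login` and `/static` are placeholders, not the appliance's real endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample of HTTPS access-log lines (Apache/NGINX "combined"-style
# prefix). Hosts, timestamps and paths are made up; /login and /static are
# placeholders, not the appliance's real endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Aug/2020:10:01:02 +0000] "GET /login HTTP/1.1" 200 5120
203.0.113.10 - - [05/Aug/2020:10:01:03 +0000] "GET /static/css/site.css HTTP/1.1" 200 810
198.51.100.7 - - [05/Aug/2020:10:02:11 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1324
198.51.100.7 - - [05/Aug/2020:10:02:12 +0000] "GET /static/..%2f..%2f..%2fetc/shadow HTTP/1.1" 200 902
198.51.100.7 - - [05/Aug/2020:10:02:13 +0000] "GET /static/%252e%252e/%252e%252e/etc/hosts?v=1 HTTP/1.1" 404 0
203.0.113.10 - - [05/Aug/2020:10:03:00 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(target, max_rounds=3):
    """Strip the query string, percent-decode until the result stops changing
    (catches double encoding), and fold backslashes into forward slashes."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def walk_segments(path):
    """Return (number_of_dotdot_segments, lowest_depth_reached).
    A lowest depth below zero means the path climbed above the web root."""
    depth = lowest = dotdots = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            dotdots += 1
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return dotdots, lowest


def classify_request(target):
    """'traversal-escape' if the decoded path leaves the web root,
    'traversal-attempt' if it contains '..' segments that stay inside it,
    otherwise 'benign'. Segments such as 'a..b' are not dot-dot segments."""
    dotdots, lowest = walk_segments(normalize_path(target))
    if lowest < 0:
        return "traversal-escape"
    if dotdots:
        return "traversal-attempt"
    return "benign"


def scan_log(text):
    """Parse each log line and return the suspicious requests. A 200 status on
    an escaping path is the strongest sign that a file was actually served."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        verdict = classify_request(m["target"])
        if verdict == "benign":
            continue
        alerts.append({
            "ip": m["ip"],
            "time": m["ts"],
            "target": m["target"],
            "verdict": verdict,
            "served": m["status"] == "200",
        })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["time"]} {a["ip"]} {a["verdict"]:18} served={a["served"]} {a["target"]}')
```

Run as a script it prints the three suspicious requests from 198.51.100.7; the two that were answered with 200 are the ones to treat as confirmed file reads. Decoding until stable rather than once matters because `%252e%252e` only becomes `..` on the second pass, and walking depth instead of pattern-matching `../` keeps a harmless `/img/../login` at the lower severity.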
Moving Forward After The Latest Breach
Kevin Beaumont, a senior threat intelligence analyst at Microsoft, also shared the news about the data breach on his Twitter account. The threat intelligence expert wrote: "Great (and bad news) story here, link in thread. Somebody has posted [a] huge list of SSL VPN credentials for companies across [the] world."
Aside from the usernames and plaintext passwords, the following details were also leaked in the recent Pulse Secure data breach:
- VPN session cookies, the temporary data that lets a logged-in session continue without re-entering credentials
- Firmware version of the compromised VPN server
- IP addresses of the Pulse Secure VPN Servers
- Secure Shell (SSH) keys for each of the Pulse Secure VPN Servers
- Local users and password hashes
- Admin account details
- Last VPN login details, including the username and cleartext password
Threat intelligence think-tank Bank Security also reported on the incident. "These types of devices, if compromised, can allow hackers easy access to a company's entire internal network," Bank Security stated in its report.
Pulse Secure VPN servers are used by companies to let their staff connect remotely over the Internet to internal files and applications from outside the office.
Moreover, simply patching the VPN servers is not enough to protect companies from external attackers, because credentials already harvested remain usable after the patch. At the very least, affected organizations have to change their passwords and then apply the patches to their Pulse Secure VPN servers.
According to Varonis, a data security and insider-threat company, a cyberattack is attempted at least once every 39 seconds. In the first half of 2019 alone, data breaches reportedly exposed 4.1 billion records, most of them proprietary and supposedly confidential. On average, a data breach costs around $3.92 million.