A database containing usernames, IPs, and plaintext passwords of 900+ Pulse Secure VPN server enterprise users leaked on a Russian-speaking hacker forum
Security intelligence firm KELA, which keeps tabs on dark web hacker forums, recently discovered a database containing plaintext usernames and passwords, along with IP addresses, for more than 900 Pulse Secure VPN enterprise servers. The database was leaked by an unknown hacker on a Russian-speaking hacker forum. The leaked data includes:
- IP addresses of Pulse Secure VPN servers
- Pulse Secure VPN server firmware version
- SSH keys for each server
- A list of all local users and their password hashes
- Admin account details
- Last VPN logins (including usernames and cleartext passwords)
- VPN session cookies
Researchers at Bank Security also spotted the database on a dark web hacker forum and tweeted about it. However, Bank Security mentions that the hacker is well known and that he/she leaked 1800 IPs of Pulse VPN users.
In a nutshell, one of the DBs used by cyber criminals to sell access to various companies through Pulse Secure vulnerabilities has been shared.
Some of the victims are categorized by type and revenue to maximize the sale.
— Bank Security (@Bank_Security) August 4, 2020
Bank Security researchers said that the IP addresses belonged to Pulse Secure VPN servers running a firmware version vulnerable to CVE-2019-11510, an arbitrary file read flaw in Pulse Connect Secure. Bank Security says that the hacker may have used the CVE-2019-11510 vulnerability to gain access to the Pulse VPN servers and steal the user details.
ZDNet reported that security intelligence company Bad Packets found nearly 913 unique IP addresses in the dump. “Of the 913 unique IP addresses found in that dump, 677 were detected by Bad Packets CTI scans to be vulnerable to CVE-2019-11510 when the exploit was made public last year.”