Security Alerts More Than 900 Pulse Secure VPN Sensitive Information being Advertised on an Underground Forum

Wednesday, Aug 5, 2020

On August 4, 2020, the threat actor “uhodiransomwar” posted information associated with more than 900 Pulse Secure VPN servers on the dark web forum XSS, including plaintext usernames and passwords, firmware version, SSH keys, VPN session cookies, and IP addresses. Security researchers were able to obtain a copy of the listed information to verify the authenticity of the Pulse Secure VPN leaked information. From there, they was able to confirm and identify that the data was compiled between June 24 -July 8, 2020. Another security researcher using the moniker “Bank Security” stated that the Pulse Secure VPN servers included in the list were running a firmware version that was vulnerable to “CVE-2019-11510” vulnerability, which allows an attacker to read arbitrary files.

They believe that the threat actor scanned the entire internet IPv4 address to search for Pulse Secure VPN servers. Additionally, the threat actor exploited the “CVE-2019-11510” vulnerability to gain access to Pulse Secure VPN systems, which allowed the threat actor to dump the server details and then collected all the information in one central repository. Further research showed that out of  913 IP addresses found, 677 of them were vulnerable to “CVE-2019-11510” vulnerability. This appears that the 677 companies did not apply the patch for the vulnerable firmware version running on the Pulse Secure VPN servers.

Nuspire recommend companies to patch their Pulse Secure VPNs to prevent the risk of potential exploitation.

Pulse Secure’s advisory can be found here: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/