Threat Response: Pulse Secure VPN credentials leaked

04-08-2020

On Tuesday evening, 4 August, a hacker leaked credentials of more than 900 Pulse Secure VPN servers on a Russian forum [1]. Northwave acquired this data for analysis. The data appears to have been extracted from servers that are, or were, vulnerable to CVE-2019-11510 [2], published in April 2019. This vulnerability, with a CVSS score of 10.0, allows an unauthenticated attacker to read arbitrary files from a vulnerable appliance.

The leaked data contains:

  • The external IP address of the Pulse Secure server.
  • Usernames, plaintext passwords and session cookies of observed VPN sessions.
  • Usernames and password hashes of local users.
  • Usernames, password hashes and session cookies of administrators.
  • Private SSH keys.

It cannot be ruled out that, besides the data of the 900+ servers mentioned, credentials have been extracted from other systems that are or were vulnerable. In the past months the Northwave CERT handled multiple incidents in which attackers exploited the vulnerability directly or used credentials harvested through it. In these cases the attackers brought companies to a temporary standstill by deploying ransomware.
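Whether your appliance was read before it was patched can usually be answered from HTTP access logs of the appliance or of a proxy or WAF in front of it. The following is an added example, not Northwave's code or tooling: it scans access-log lines in Combined Log Format for the publicly documented CVE-2019-11510 request signature (a traversal through /dana-na/../dana/html5acc/guacamole/ followed by further ../ segments) and reports which file each request tried to read and whether the appliance served it. The log lines are constructed for the example; the log format, the field names and the session-cache path in the second sample line are assumptions you should adapt to your own environment.

```python
"""
Detection of CVE-2019-11510 exploitation attempts in HTTP access logs.

Added example; not code from Northwave or Pulse Secure. Assumes Combined Log
Format (Apache/nginx style). The sample lines below are constructed.
"""
import re
from urllib.parse import unquote

# Published request signature for CVE-2019-11510: the traversal that reaches
# the vulnerable handler, followed by one or more "../" segments. Matching on
# the URL-decoded path also catches %2e%2e / %2f encodings.
TRAVERSAL_RE = re.compile(
    r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+", re.IGNORECASE
)

# Combined Log Format: ip ident user [ts] "METHOD url PROTO" status size ...
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (assumption: the session-cache path in line 2 is
# one that public proof-of-concept code requests; adapt to what you observe).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Aug/2020:02:14:07 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1864 "-" "curl/7.68.0"',
    '203.0.113.10 - - [01/Aug/2020:02:14:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 524288 "-" "curl/7.68.0"',
    '198.51.100.7 - - [01/Aug/2020:09:30:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 9301 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [02/Aug/2020:11:05:44 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 403 162 "-" "python-requests/2.24"',
]


def traversal_target(url):
    """Return the decoded file path an exploit request tries to read, or None."""
    path = unquote(url.split("?", 1)[0])
    m = TRAVERSAL_RE.search(path)
    if not m:
        return None
    # Everything after the last "../" is the file the attacker asked for.
    return "/" + path[m.end():].lstrip("/")


def scan_access_log(lines):
    """Return one record per exploitation attempt found in the log lines."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        target = traversal_target(m["url"])
        if target is None:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "file": target,
            "status": status,
            # A 200 with a non-empty body means the appliance served the file:
            # treat every credential, hash, key and cookie in it as leaked.
            "likely_success": status == 200 and m["size"] not in ("-", "0"),
        })
    return hits


def exposed_sources(hits):
    """Source IPs that obtained at least one file; triage these first."""
    return sorted({h["ip"] for h in hits if h["likely_success"]})


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        flag = "READ" if h["likely_success"] else "blocked"
        print(f'{h["timestamp"]} {h["ip"]} {h["file"]} {h["status"]} {flag}')
    print("successful readers:", exposed_sources(SAMPLE_LOG and scan_access_log(SAMPLE_LOG)))
```

Any successful hit dated before the appliance was patched means the credential and session data on it must be considered compromised regardless of whether the external IP appears on the public list; a blocked attempt after patching still tells you the host was being scanned.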

Impact

If leaked credentials have not been changed in time, an attacker can use the credentials to access the corporate network behind the VPN. We assess the potential impact of the abuse of the leaked credentials to be high. This classification only holds if your data is on the list of leaked data!

Risk

Since the credentials are publicly accessible, they are very easy to abuse. We assess the risk of this leak therefore to be high. This classification only holds if your data is on the list of leaked data!

Mitigation

Northwave advises installing the available patches [3] immediately, if this has not been done yet. After patching, all user and administrator passwords must be changed, active VPN sessions should be terminated so that leaked session cookies can no longer be replayed, and SSH keys must be replaced where applicable. This advice also holds if you patched Pulse Secure earlier: this credential leak proves that malicious actors have abused the vulnerability to harvest credentials, and if your appliance was ever exposed while vulnerable, your credentials may be on a non-public list.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://www.zdnet.com/article/hacker-leaks-passwords-for-900-enterprise-vpn-servers/

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510

[3]: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.