Threat Response: Pulse Secure VPN credentials leaked
On Tuesday evening, 4 August, a hacker leaked credentials of more than 900 Pulse Secure VPN servers on a Russian forum. Northwave acquired this data for analysis. The data appears to have been extracted from servers that are or were vulnerable to CVE-2019-11510, disclosed in April 2019. This vulnerability, with a CVSS score of 10.0, enables attackers to read arbitrary files on vulnerable systems.
The leaked data contains:
- The external IP address of the Pulse Secure server.
- Credentials with username, plaintext password and session cookies of observed VPN sessions.
- Usernames and password hashes of local users.
- Usernames, password hashes and session cookies of administrators.
- Private SSH keys.
It cannot be ruled out that, besides the data of the mentioned 900+ servers, credentials have been extracted from other systems that are or were vulnerable. The Northwave CERT handled multiple incidents in the past months where attackers exploited the vulnerability or credentials leaked by the exploitation of the vulnerability. In these cases, the attackers succeeded in temporarily shutting down companies by installing ransomware.
If leaked credentials have not been changed in time, an attacker can use the credentials to access the corporate network behind the VPN. We assess the potential impact of the abuse of the leaked credentials to be high. This classification only holds if your data is on the list of leaked data!
Since the credentials are publicly accessible, they are very easy to abuse. We therefore assess the risk of this leak to be high. This classification only holds if your data is on the list of leaked data!
Northwave advises to immediately install the available patches, if this has not been done yet. All passwords of users and administrators need to be changed after installing the patch. Additionally, SSH keys need to be replaced if applicable. This advice also remains true if you patched Pulse Secure VPN earlier. This credential leak proves that malicious actors have abused this vulnerability to harvest credentials, and if you have been vulnerable, your credentials might be on a non-public list.
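The two questions a defender has to answer after reading this advisory are whether any of the leaked servers sit in their own external address space and, if so, exactly which accounts, sessions and keys must be rotated. The following Python script is an added example, not Northwave's tooling and not derived from the real dump: it assumes the leak has already been parsed into records with the fields the advisory lists (server IP, VPN sessions with username, password and cookie, local users, administrators, SSH keys); that record layout and all sample values are constructed. The triage report deliberately never echoes the leaked passwords or hashes, only the identifiers that need action.

```python
"""Exposure triage for a leaked Pulse Secure VPN credential dump.

Added example (not Northwave's tooling). The record layout below is an
assumption about how a parsed dump might look; every value is constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample records (invented IPs from documentation ranges,
# invented usernames, cookies and keys). Not taken from the real leak.
LEAKED_RECORDS = [
    {
        "server_ip": "203.0.113.10",
        "vpn_sessions": [
            {"user": "alice", "password": "constructed-pw-1", "cookie": "DSID=1a2b3c"},
            {"user": "alice", "password": "constructed-pw-1", "cookie": "DSID=4d5e6f"},
            {"user": "bob", "password": "constructed-pw-2", "cookie": "DSID=7a8b9c"},
        ],
        "local_users": [{"user": "svc_backup", "hash": "$5$constructed$hash"}],
        "admins": [{"user": "admin", "hash": "$5$constructed$adminhash", "cookie": "DSID=adm001"}],
        "ssh_keys": ["ssh-rsa AAAAB3constructedkey1"],
    },
    {
        "server_ip": "198.51.100.7",
        "vpn_sessions": [{"user": "carol", "password": "constructed-pw-3", "cookie": "DSID=c0ffee"}],
        "local_users": [],
        "admins": [],
        "ssh_keys": [],
    },
]


def exposed_servers(records: Iterable[Dict], org_networks: Iterable[str]) -> List[Dict]:
    """Return the records whose server IP falls inside the organisation's
    external address space, given as CIDRs and/or single addresses."""
    nets = [ipaddress.ip_network(n, strict=False) for n in org_networks]
    hits = []
    for rec in records:
        addr = ipaddress.ip_address(rec["server_ip"])
        if any(addr in net for net in nets):
            hits.append(rec)
    return hits


def rotation_checklist(record: Dict) -> Dict:
    """Translate one leaked record into the concrete actions the advisory
    calls for: reset every listed account, invalidate every captured
    session cookie, replace every leaked SSH key. Secrets are not echoed."""
    vpn_users = sorted({s["user"] for s in record["vpn_sessions"]})
    local_users = sorted({u["user"] for u in record["local_users"]})
    admin_users = sorted({a["user"] for a in record["admins"]})
    cookies = sorted({s["cookie"] for s in record["vpn_sessions"]}
                     | {a["cookie"] for a in record["admins"]})
    return {
        "server_ip": record["server_ip"],
        "reset_vpn_user_passwords": vpn_users,
        "reset_local_user_passwords": local_users,
        "reset_admin_passwords": admin_users,
        "invalidate_sessions": cookies,
        "replace_ssh_keys": len(record["ssh_keys"]),
    }


def triage(records: Iterable[Dict], org_networks: Iterable[str]) -> List[Dict]:
    """Full report: one checklist per leaked server that belongs to us."""
    return [rotation_checklist(r) for r in exposed_servers(records, org_networks)]


if __name__ == "__main__":
    # Constructed organisation address space; replace with your own ranges.
    for item in triage(LEAKED_RECORDS, ["203.0.113.0/24"]):
        print(item)
```

An empty report only means none of the 900+ published servers is yours; as the advisory notes, credentials may also have been harvested from servers that are not on the public list, so the password and SSH key rotation should still be carried out on any server that was ever exposed while vulnerable.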
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)
Disclaimer applies, see below.
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.