A hacker published a list of plaintext usernames and passwords, along with IP addresses, for more than 900 Pulse Secure VPN enterprise servers.
The list included the IP addresses of the Pulse Secure VPN servers, the firmware version of each server, SSH keys for each server, a list of all local users and their password hashes, admin account details, the last VPN logins (including usernames and cleartext passwords), and VPN session cookies.
The hacker who compiled this list scanned the entire internet IPv4 address space for Pulse Secure VPN servers and used an exploit for the CVE-2019-11510 vulnerability to gain access to systems.
He then dumped server details, including usernames and passwords, and collected all the information in one central repository.
Timestamps in the list, which reflect either the dates of the scans or the date the list was compiled, fall between June 24 and July 8, 2020.
Source: https://www.zdnet.com/article/hacker-leaks-passwords-for-900-enterprise-vpn-servers/
TPRM report: https://scoringcyber.rankiteo.com/company/pulse-secure?trk=public_profile_profile-section-card_subtitle-click
"id": "pul12323123",
"linkid": "pulse-secure?trk=public_profile_profile-section-card_subtitle-click",
"type": "Data Leak",
"date": "06/2020",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Pulse Secure',
                        'type': 'Organization'}],
 'attack_vector': 'Exploit of CVE-2019-11510 vulnerability',
 'data_breach': {'number_of_records_exposed': 'More than 900',
                 'type_of_data_compromised': ['usernames',
                                              'passwords',
                                              'IP addresses',
                                              'SSH keys',
                                              'password hashes',
                                              'Admin account details',
                                              'VPN session cookies']},
 'description': 'A hacker published a list of plaintext usernames and '
                'passwords, along with IP addresses for more than 900 Pulse '
                'Secure VPN enterprise servers. The list included IP addresses '
                'of Pulse Secure VPN servers, Pulse Secure VPN server firmware '
                'version, SSH keys for each server, a list of all local users '
                'and their password hashes, Admin account details, and Last '
                'VPN logins (including usernames and cleartext passwords), and '
                'VPN session cookies.',
 'impact': {'data_compromised': ['usernames',
                                 'passwords',
                                 'IP addresses',
                                 'SSH keys',
                                 'password hashes',
                                 'Admin account details',
                                 'VPN session cookies'],
            'systems_affected': 'Pulse Secure VPN servers'},
 'initial_access_broker': {'entry_point': 'CVE-2019-11510 vulnerability',
                           'reconnaissance_period': ['June 24',
                                                     'July 8, 2020']},
 'post_incident_analysis': {'root_causes': 'Exploit of CVE-2019-11510 '
                                           'vulnerability'},
 'title': 'Pulse Secure VPN Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'CVE-2019-11510'}