VPN security alert: 900 servers hit by huge data breach


A cyber crook has posted the IP addresses of over 900 enterprise VPN servers online, as well as plaintext usernames and user-access passwords, plus user session cookies, administrator details and private encryption keys.

The hacker posted a link to a plaintext list containing the stolen data to a Russian-language cybercrime forum. Each of the breached corporate VPNs was running an unpatched version of Pulse Secure VPN software as recently as a month ago. 

Trove of data

Pulse Secure issued a fix for this flaw in April 2019, but exploits of the flaw began appearing in August 2019, a year ago.

According to ZDNet, the list contains data concerning enterprise users of Pulse Secure VPN, such as IP addresses, firmware versions of individual servers, SSH keys, details of local users, their password hashes, cookies for different VPN sessions and observed remote logins to the servers, the usernames and passwords for which are in plaintext.

Anyone with access to the list could use those plaintext usernames and passwords, or the active session cookies, to log into the VPN servers remotely and gain internal access to corporate networks.

Higher-level attacks could be possible by cracking the password hashes of administrators and internal users, as well as by abusing the private SSH keys.

Catalin Cimpanu of ZDNet was able to view a copy of the list thanks to the support of threat intelligence specialists at cybersecurity firm KELA. The list has since popped up in other places. We at Tom's Guide are looking at a copy of it right now that took us less than a minute to find.

All the breached servers used out-of-date Pulse Secure software and hence were susceptible to vulnerability CVE-2019-11510, as pointed out by cybersecurity expert Bank Security. 

The CVE post explains how “an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability” by exploiting the flaw. 

Exploiting an old flaw

Bank Security thinks that the hacker in question was able to create this list by scanning the entire IPv4 address space -- pretty much the entire internet -- for VPN servers using old versions of Pulse Secure software.

The attacker then leveraged the aforementioned flaw to break into each server and copy each server's data at the end of June and start of July.

ZDNet also spoke to threat intelligence company Bad Packets, which began searching for flawed Pulse Secure VPN servers when news broke of the CVE-2019-11510 security flaw a year ago.

"Of the 913 unique IP addresses found in that dump, 677 were detected by Bad Packets CTI scans to be vulnerable to CVE-2019-11510 when the exploit was made public last year," Bad Packets told ZDNet.

After accessing and putting this information into a list, the hacker uploaded it to a hacker forum that is used by cybercriminal groups like Netwalker, Avaddon, Makop, Exorcist and REvil.

With free access to this data, such groups could leverage vulnerable Pulse Secure VPN servers to launch devastating ransomware attacks on targets. But the returns on that are diminishing, because some of the same crooks have been using this flaw to attack enterprises using Pulse Secure VPN servers for at least a year.

Administrators of Pulse Secure VPN servers are advised to implement Pulse Secure's security patches and generate fresh passwords for all users.
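The triage an administrator would do with a copy of the leaked address list, as an added example that is not from the article or from Pulse Secure: it checks an inventory of gateways against the dumped IPs and shows that a server patched after the theft still needs its credentials replaced. The one-IP-per-line input, the inventory layout and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Patching and fresh passwords are the article's advice; ending sessions and
# replacing SSH keys are assumptions drawn from the leaked material it lists.
LISTED_ACTIONS = [
    "reset passwords for all local and VPN users",
    "invalidate active VPN sessions",
    "replace SSH keys stored on the server",
]
PATCH = "apply the vendor fix for CVE-2019-11510"

def parse_leaked_ips(text):
    """Return the set of valid IP addresses listed one per line in `text`."""
    found = set()
    for line in text.splitlines():
        try:
            found.add(ipaddress.ip_address(line.strip()))
        except ValueError:
            continue  # blank lines, comments and anything else that is not an IP
    return found

def triage(gateways, leaked_ips):
    """Map each gateway IP (hypothetical inventory: ip -> patched?) to its actions."""
    plan = {}
    for ip_text, patched in gateways.items():
        actions = [] if patched else [PATCH]
        if ipaddress.ip_address(ip_text) in leaked_ips:
            # Listed servers need credential cleanup even if patched since the theft.
            actions.extend(LISTED_ACTIONS)
        elif not patched:
            actions.append(LISTED_ACTIONS[0])  # still exposed to the same flaw
        plan[ip_text] = actions
    return plan

# Constructed sample data using documentation address ranges, not real servers.
SAMPLE_DUMP_IPS = """# constructed list
192.0.2.10
203.0.113.7
not-an-ip
"""
SAMPLE_GATEWAYS = {
    "192.0.2.10": True,      # patched, but its address is in the dump
    "198.51.100.99": False,  # unpatched, not in the dump
    "203.0.113.50": True,    # patched, not in the dump
}

if __name__ == "__main__":
    for ip, actions in triage(SAMPLE_GATEWAYS, parse_leaked_ips(SAMPLE_DUMP_IPS)).items():
        print(ip, "->", actions or ["nothing further"])
```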

The breach also reemphasises the importance of using one of the recommended best VPN services on the web. They are better equipped to encrypt your data and the most impressive - like ExpressVPN and NordVPN - have audited no-logging policies, too, so you can be confident that your data is going nowhere.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!