
Cybersecurity Threat Advisory 0049-20: Pulse Secure VPN Server Data Leak

Advisory Overview

More than 900 Pulse VPN servers were breached and had their data leaked online. The data includes plaintext usernames and passwords, IP addresses, user session cookies, administrator details and private encryption keys.

Technical detail and additional information

What is the threat?

Based on analysis of the data leaked online, security researchers believe that the threat actor(s) exploited servers running versions of Pulse VPN that were vulnerable to CVE-2019-11510, in which an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. Metadata of the files and folders in the data leak implies that the compromised data was compiled between June 24th and July 28th, 2020.

Why is this noteworthy?

Pulse VPN issued patches for CVE-2019-11510 in April 2019. If the threat actors did exploit the vulnerability, then the affected servers had likely remained vulnerable until the breach. Since these servers remained vulnerable all this time, there is the possibility that this was not the only compromise of the VPN service, just the only one known about. Furthermore, the leaked data is believed to have been shared amongst threat groups on Russian-language cyber forums and can be utilized in follow-up attacks.

What is the exposure or risk?

Servers affected by the breach would have had their credentials and IP information leaked online, which can be used to authenticate to the VPN server on the corporate network. Due to the nature of VPN servers, any potential compromise can give an attacker direct, authenticated access to the network. Not only does it enable an attacker to access the network, but because the attacker uses “legitimate” authentication, an attack may go unnoticed, as the breach would appear to be normal authenticated use. This can allow an attacker to operate for longer periods of time within the network before their activity gets noticed.

What are the recommendations?

Pulse VPN servers primarily act as a gateway into the corporate network, so any potential compromise should be considered a high-impact event. SKOUT recommends that any enterprise employing Pulse VPN servers change its VPN credentials immediately and consider changing all credentials within the organization as protection for a worst-case scenario compromise. We also recommend utilizing MFA when possible.
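
The following Python is an added example, not from SKOUT or Pulse Secure. It supports the exposure and recommendation sections above by listing accounts whose passwords have not been rotated since the leak window closed and flagging their successful VPN logins from source IPs not seen before the window opened. The CSV layout, account names and addresses are constructed assumptions, not a Pulse Secure log format.

```python
import csv
import io
from datetime import date, datetime

# Leak compilation window stated in the advisory.
LEAK_START = date(2020, 6, 24)
LEAK_END = date(2020, 7, 28)

# Constructed sample data: last password change per account (hypothetical names).
PASSWORD_CHANGES = {
    "alice": date(2020, 8, 5),
    "bob": date(2020, 3, 1),
    "carol": date(2019, 11, 12),
}

# Constructed sample VPN authentication log; the column layout is an assumption.
AUTH_LOG = """\
timestamp,user,src_ip,result
2020-06-01T08:02:11,alice,198.51.100.10,success
2020-06-02T09:15:40,bob,198.51.100.20,success
2020-06-03T07:45:00,carol,198.51.100.30,success
2020-08-10T02:13:05,bob,203.0.113.77,success
2020-08-10T08:59:31,bob,198.51.100.20,success
2020-08-11T03:40:12,alice,203.0.113.77,failure
2020-08-12T09:01:00,alice,198.51.100.10,success
2020-08-12T09:30:00,carol,198.51.100.30,success
"""

def triage(log_text, password_changes):
    """Return (stale_accounts, suspicious_logins) for the leak window."""
    # A password last changed on or before the window's end may match leaked data.
    stale = sorted(u for u, changed in password_changes.items() if changed <= LEAK_END)
    baseline = {}    # user -> source IPs seen before the window opened
    suspicious = []  # (timestamp, user, src_ip) for successful logins from new IPs
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    for row in rows:
        if row["result"] != "success":
            continue
        day = datetime.fromisoformat(row["timestamp"]).date()
        user, ip = row["user"], row["src_ip"]
        if day < LEAK_START:
            baseline.setdefault(user, set()).add(ip)
        elif user in stale and ip not in baseline.get(user, set()):
            suspicious.append((row["timestamp"], user, ip))
    return stale, suspicious

if __name__ == "__main__":
    print(triage(AUTH_LOG, PASSWORD_CHANGES))
```

Accounts in the stale list need a credential change whether or not a suspicious login is found, since a login with leaked credentials from a familiar address would not be flagged here.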

References:

For more in-depth information about the recommendations, please visit the following links:

  • https://www.zdnet.com/article/hacker-leaks-passwords-for-900-enterprise-vpn-servers/
  • https://www.tomsguide.com/news/usernames-and-passwords-for-900-vpn-servers-posted-online-in-big-data-breach/

If you have any questions, please contact our Security Operations Center.