A Russian-speaking hacker has posted on a dark web forum a plaintext list of usernames and passwords, together with IP addresses, for more than 900 Pulse Secure enterprise VPN servers. The threat intelligence firm KELA obtained a copy of the list from the dark web. For each server it contains the IP address, the Pulse Secure firmware version, all local users with their password hashes, the SSH server keys, previous VPN logins with cleartext credentials, the administrator account details and the VPN session cookies.
Multiple cybersecurity sources have verified the authenticity of the leaked list. The file was published on a dark web forum frequented by prominent ransomware operators such as NetWalker and REvil. The threat intelligence analyst who posts as Bank Security first spotted the leak and observed that every VPN server on the hacker's list was running a firmware version containing the CVE-2019-11510 vulnerability, a flaw that Pulse Secure patched in April 2019.
The Department of Homeland Security (DHS) and several other security organizations have repeatedly urged organizations to patch this critical vulnerability as soon as possible, because attackers were actively targeting it; DHS issued an alert on continued exploitation in January 2020. In April 2020 DHS warned further that attackers were using credentials stolen from vulnerable appliances to break into enterprise networks through Pulse Secure VPNs even after the vulnerability itself had been patched: passwords, hashes, keys and session cookies harvested before the fix remain valid until they are rotated.
To find vulnerable servers, the hacker who compiled the list appears to have scanned the IPv4 internet between 24 June and 8 July 2020, more than a year after the fix was released. The known vulnerability was used to access each server, and the harvested details and credentials were then gathered into a central repository. A review of the list found that 677 companies had failed to patch the Pulse Secure VPN vulnerability. VPNs are one of the most common methods of connecting to a corporate network remotely; with telehealth and remote work expanding sharply during the Covid-19 pandemic, the threat landscape has become considerably more complicated.
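As an added example (not code from the article, KELA, Bank Security or Pulse Secure), here is the triage a defender would run on finding one of their appliances in such a dump. It ties together the collection procedure above and the DHS warning that stolen credentials outlive the patch: the firmware version only decides whether an upgrade is still needed, while presence in the dump alone mandates credential, key and session rotation. The dump layout, the address ranges and the account names are constructed for illustration; the fixed firmware builds are those from Pulse Secure's advisory SA44101 for CVE-2019-11510, and treating branches older than 8.1 as never patched is an assumption.

```python
# Added triage helper; not the article's, KELA's or Pulse Secure's code.
# Dump layout, addresses and accounts below are constructed for illustration.
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# First build on each branch that fixed CVE-2019-11510 (Pulse Secure SA44101),
# stored as (release, sub-release): 9.0R3.4 -> (3, 4), 8.3R7.1 -> (7, 1).
FIXED_BUILDS = {"9.0": (3, 4), "8.3": (7, 1), "8.2": (12, 1), "8.1": (15, 1)}

_VERSION_RE = re.compile(r"^(\d+\.\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str):
    """Split '8.3R7.1' into ('8.3', (7, 1)); '9.0R4' becomes ('9.0', (4, 0))."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse Secure version: {version!r}")
    branch, rel, sub = m.groups()
    return branch, (int(rel), int(sub or 0))


def is_vulnerable(version: str) -> bool:
    """True if the build predates the CVE-2019-11510 fix on its branch.

    Assumption: branches missing from FIXED_BUILDS (8.0 and older) never got a
    fix, so they are reported as vulnerable.
    """
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get(branch)
    return fixed is None or build < fixed


@dataclass
class Finding:
    ip: str
    firmware: str
    still_vulnerable: bool
    exposed_accounts: list
    actions: list


def parse_dump(text: str):
    """Parse the constructed 'ip|firmware|local_users|recent_logins' layout."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, firmware, users, logins = (f.strip() for f in line.split("|"))
        records.append({
            "ip": ip,
            "firmware": firmware,
            "local_users": [u for u in users.split(",") if u],
            "recent_logins": [u for u in logins.split(",") if u],
        })
    return records


def triage(dump_text: str, our_networks):
    """Return a Finding for every dumped server inside our own address space.

    Presence in the dump means hashes, cleartext logins, SSH keys and session
    cookies are already in attackers' hands, so rotation is required even for
    a server that has since been patched; only the upgrade step is conditional.
    """
    nets = [ip_network(n) for n in our_networks]
    findings = []
    for rec in parse_dump(dump_text):
        if not any(ip_address(rec["ip"]) in net for net in nets):
            continue
        vulnerable = is_vulnerable(rec["firmware"])
        exposed = sorted(set(rec["local_users"]) | set(rec["recent_logins"]))
        actions = []
        if vulnerable:
            actions.append(f"upgrade {rec['firmware']} to a fixed build first")
        actions += [
            "force password reset for: " + ", ".join(exposed),
            "terminate all active VPN sessions (leaked cookies are replayable)",
            "regenerate the appliance SSH host keys",
            "review VPN and internal auth logs for the exposed accounts",
        ]
        findings.append(Finding(rec["ip"], rec["firmware"], vulnerable, exposed, actions))
    return findings


# Constructed sample dump (RFC 5737 documentation addresses, made-up accounts).
SAMPLE_DUMP = """\
# ip|firmware|local_users|recent_logins
203.0.113.10|8.3R7|admin,backup|jsmith,mlee
203.0.113.25|9.0R3.4|admin|kchen
198.51.100.7|8.1R14|admin,svc-monitor|rpatel
192.0.2.200|9.0R4|admin|
"""
OUR_NETWORKS = ["203.0.113.0/24", "198.51.100.0/24"]  # constructed, not a real org

if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP, OUR_NETWORKS):
        print(f.ip, f.firmware, "VULNERABLE" if f.still_vulnerable else "patched")
        for a in f.actions:
            print("  -", a)
```

Note that the second sample host (203.0.113.25) is already on a fixed build, yet it still gets the full rotation checklist; that is the point of the April 2020 DHS warning. Version comparison is done on parsed (release, sub-release) tuples rather than string comparison, so 8.3R7 correctly sorts before 8.3R7.1 and 9.0R4 after 9.0R3.4.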
Pulse Secure CMO Scott Gordon told HealthITSecurity.com in March that healthcare providers need to employ endpoint protection and modern VPN solutions “where you’re encrypting the communication session between the device and the data, between the practitioner’s devices and the application.”
“Since you are now expanding VPN use to more sets of employees, contractors and affiliates, you should make sure that the VPN software is up to date and current to eliminate the potential VPN vulnerabilities,” Gordon said at the time. “They’ve essentially broadened the attack surface. Every end user accessing information and resources is now part of their attack surface, and they want to do everything they can now that they’ve added greater accessibility.”
Laurence Pitt, Global Security Strategy Director at Juniper Networks, says it is unacceptable that organizations failed to patch the vulnerability for more than a year after the fix was made available, which is what allowed this cleartext data dump to happen. Security researchers had also repeatedly published proof-of-concept demonstrations showing exactly what could happen if the vulnerability was left exposed.
“The lesson learned here? Patch, patch, patch,” Pitt said in an emailed statement. “The data published lists only 900 servers. What we do not know is how many more have not been released – or, which of these could be sensitive servers that are now being poked and prodded in planning for a bigger attack.”
“If you are running an older version of code on a service as critical as the VPN is today, then find the latest version and get that upgrade planned,” he added.
Healthcare organizations should also review the guidance recently issued by the National Security Agency (NSA) to better understand the risk and the best practices for securing enterprise VPN servers, telework and other remote access.
Source: Health Security
Disclaimer: Darkweblink.com does not promote or endorse claims made by any party in this article. The information provided here is for general purposes only and is not intended to promote or support the purchase or sale of any products or services, or to serve as a recommendation to do so. Neither Darkweblink.com nor any of its members is responsible, directly or indirectly, for any loss or damage caused or alleged to be caused by or in connection with reliance on or use of any content, goods or services mentioned in this article.