Hacker published passwords from over 900 corporate VPN servers
A hacker posted a list of usernames and passwords, along with IP addresses, for more than 900 corporate Pulse Secure VPN servers on an underground Russian-language forum.
According to ZDNet, which confirmed the authenticity of the data, the list includes the IP addresses of the Pulse Secure VPN servers, their firmware versions, SSH keys for each server, a list of all local users and their password hashes, administrator account details, VPN session cookies, and more.
The list was discovered by an analyst using the pseudonym Bank Security, who specializes in financial crime. All Pulse Secure VPN servers on the list are running a firmware version containing the CVE-2019-11510 vulnerability, the expert noted.
The expert believes that the hacker scanned the internet for vulnerable Pulse Secure VPN servers, exploited the CVE-2019-11510 vulnerability to access the systems, then stole data from each server and compiled all the information in a single repository.
As the publication notes, the list was posted on a hacker forum frequented by ransomware operators. For example, REvil (Sodinokibi), NetWalker, Lockbit, Avaddon, Makop and Exorcist communicate on this forum and use it to hire developers and find clients.