5 August 2020

Hacker published passwords for over 900 corporate VPN servers


Hacker published passwords for over 900 corporate VPN servers
A hacker posted on a Russian-speaking forum a list of usernames and passwords, along with IP addresses for more than 900 corporate Pulse Secure VPN servers.

ZDNet confirmed the authenticity of the data and reported, that the list includes IP addresses of Pulse Secure VPN servers, firmware version of Pulse Secure VPN server, SSH keys for each server, a list of all local users and their password hashes, administrator account details, VPN session cookies, etc.

The list was discovered by the Bank Security, a threat intelligence analyst specialized in financial crime. According to the expert, all Pulse Secure VPN servers included in the list were running a firmware version vulnerable to the CVE-2019-11510 vulnerability.

The expert believes that hacker who compiled this list scanned the entire internet IPv4 address space for Pulse Secure VPN servers, used an exploit for the CVE-2019-11510 vulnerability to gain access to systems, dump server details (including usernames and passwords), and then collected all the information in one central repository.

The list was published on a hacker forum, which is often visited by ransomware operators. For example, REvil (Sodinokibi), NetWalker, Lockbit, Avaddon, Makop and Exorcist have threads on the same forum, and use it to recruit members (developers) and affiliates (customers).

Back to the list

Latest Posts

ShadowSyndicate ransomware group targeting Aiohttp flaw

ShadowSyndicate ransomware group targeting Aiohttp flaw

Organizations are urged to update to Aiohttp v3.9.
18 March 2024
The International Monetary Fund discloses cyberattack affecting 11 email accounts

The International Monetary Fund discloses cyberattack affecting 11 email accounts

The organization did not share any additional details regarding the nature of the attack.
18 March 2024
E-Root Marketplace operator sentenced to 3.5 years in prison

E-Root Marketplace operator sentenced to 3.5 years in prison

It is estimated that over 350,000 compromised credentials were listed for sale on the E-Root Marketplace.
18 March 2024