A list of leaked passwords in plaintext (along with other sensitive information) from over 900 Pulse Secure Enterprise VPN servers was published on a Russian underground forum that is frequented by known ransomware gangs.
The cause of the leak has been traced back to unpatched servers exploited via a vulnerability that was discovered and patched in April 2019, and that is known to have been used as the entry point for targeted ransomware attacks.
Leaked passwords and usernames in plaintext, including SSH keys and local user hashes
Information exfiltrated from the 900 enterprise VPN servers that were compromised includes leaked passwords and usernames in plaintext, server IP addresses and SSH keys, lists of all local users with password hashes, details about admin accounts and VPN session cookies. The attacks took place between June 24 and July 8 of this year.
The breach was discovered by financial industry threat intelligence specialist Bank Security, who noted that all of the compromised enterprise VPN servers were running a firmware version vulnerable to CVE-2019-11510. This vulnerability was first publicly disclosed, and a patch released, in late April 2019. It is specific to the Pulse Connect Secure SSL VPN service and has been heavily targeted by threat actors (particularly ransomware gangs), as it is considered very easy to exploit and can potentially open the door to an entire company network.
Bank Security theorizes that the attacker scanned the IPv4 address space for servers running Pulse Secure enterprise VPN and used this known exploit against those that were still running outdated versions. ZDNet reports that another security firm, Bad Packets, noticed that 677 of the 900+ exploited enterprise VPN servers had been spotted by similar scans made by their security researchers in 2019.
Enterprise VPN customers must patch the servers manually on their end; hundreds are now learning a costly lesson about the timely patching of serious vulnerabilities. Pulse Secure issued a statement addressing the leaked passwords, noting that it has been reaching out to customers about CVE-2019-11510 through several different lines of communication since April of last year and continues to provide free 24/7 support to customers implementing the patch. The Department of Homeland Security also issued a warning about the vulnerability last April.
Enterprise VPN security lessons
The first (and most glaringly obvious) takeaway from this latest tale of leaked passwords is that patching of critical vulnerabilities must be kept current, and that security vendors do not necessarily handle every aspect of patching for the client. While the breach was regrettable, Pulse Secure did everything possible: it released a patch quickly and repeatedly reached out to its clients to warn them and to offer free assistance. After more than a year of exposure prior to the breach, its clients have no one but themselves to blame for not addressing a known critical issue. As Gurucul CEO Saryu Nayyar observes: “Even with rigid change management procedures, there is no excuse for putting off patching vital security infrastructure for months. While advanced security analytics tools can identify an unauthorized user with stolen credentials, the best practice is to keep security patches up to date and keep the bad guys out in the first place.”
Though there are likely very few organizations doing absolutely nothing in terms of assigning IT resources to keeping up with patches, it is an area that often falls by the wayside when budgets and manpower get tight. Organizations often turn to automated scanners to address this; while they can be a helpful supplement, Point3 Security’s VP of Strategy Chloé Messdaghi points out why they should not be relied on: “Too many organizations are overly dependent on scanners to discover what needs to be patched. They’re useful and a security check-off item, but they provide only the extreme bare minimum information. There’s no prioritization, and a lot of scanners are not up to date and can’t provide a trustworthy view into what’s critical to patch immediately, what may be a lower priority but requires timely action, and what may have less risk. Scanners are one tool the companies should use but should not be totally reliant on. Another risk is that companies may patch flaws but never fully test those patches.”
But even if organizations are committed to good security practices, there is a substantially elevated risk of leaked passwords stemming from the extensive shift to remote work models in the wake of the Covid-19 pandemic. Martin Cannard, VP of Product Strategy for Stealthbits Technologies, suggests that while companies may not be equipped to fully tackle this new scenario immediately, there are certain priority items they can address to greatly reduce the likelihood of leaked passwords and sensitive data exfiltration: “Building a security program designed to adequately address the most prevalent threats a remote workforce poses isn’t likely to happen as quickly as most organizations need it to. However, that doesn’t mean that focus on other components of the security equation can’t be just as effective (or even more so) when considering what it is that attackers need to do once they’ve made it past the front gate. Everyone knows that attackers seek privileged access rights as their mechanism to gain access to systems and applications housing the data they ultimately look to exfiltrate from an organization. Therefore, stifling lateral movement and privilege escalation opportunities can be quite fruitful in and of itself, but also as a way to mitigate the inefficiencies or vulnerabilities that can’t be immediately addressed at the perimeter. Owning the firewall or network device gets you through the door, but aside from DoS attacks, you still need a mechanism to launch an attack. The reduction of privileged accounts and use of more modern Privileged Access Management concepts like Activity Tokens adds a further layer of defense that can make the attacker’s small win a failure in the grander scheme of things.”
Along the same line, Eddy Bobritsky, CEO of Minerva Labs, suggests implementing one-time passwords (OTP) as an immediate move that can serve as a backstop when a patch is overlooked or goes untested: “Using OTP will solve the problem and, of course, in such a scenario they should patch the servers and reset all passwords. In addition, they should protect the remote endpoints from future attacks, as well.” The most effective implementation of this approach is as a two-factor authentication (2FA) measure that uses a local security token of some sort to generate a fresh password for each user at each login. While effective, this method is not fail-safe and can be defeated by phishing when attackers know it is in place. But in this case, it would at least have protected customer logins and made the leaked passwords a non-issue.