A copy of that list, obtained with the assistance of threat intelligence firm KELA, was confirmed as authentic by multiple sources in the cyber-security space. Based on an extensive review, the list contains:

- VPN session cookies
- IP addresses acquired from Pulse Secure VPN servers
- Last VPN logins with usernames and cleartext passwords
- Pulse Secure VPN server firmware version
- Admin account details
- A list of all local users and their password hashes
- SSH keys for every server

Bank Security, a threat intelligence analyst specializing in financial crime, spotted the list and made several observations about its content. The researcher found that every Pulse Secure VPN server on the list ran a firmware version vulnerable to CVE-2019-11510. According to Bank Security, the hacker scanned the entire IPv4 address space for Pulse Secure VPN servers, exploited CVE-2019-11510 to access each system and dump its details, and then collected all of that information in one central repository.

The List

The timestamps in the list, the dates of the scans, and the date the list was compiled indicate that the incident took place between June 24 and July 8, 2020. After the list appeared in public, reporters reached out to Bad Packets, a US-based threat intelligence company. Bad Packets said: "The list indicates that the 677 firms did not enhance their security measures between Bad Packets' first scan in 2019 and the June 2020 scans done by the hackers. Companies should patch their Pulse Secure servers and change passwords to prevent hackers from exploiting leaked credentials to capture devices and spread through their internal networks."

Pulse Secure VPN servers act as access gateways into corporate networks: they let staff connect remotely to internal applications from across the internet. If one is compromised, it gives attackers a direct path into a company's entire internal network, which is the primary reason ransomware gangs and APTs have targeted these systems in the past.

The list was shared on a hacker forum frequented by many ransomware gangs, which makes the situation worse for the affected companies. Avaddon, Makop, REvil (Sodinokibi), Exorcist, Lockbit, and NetWalker, among others, all maintain threads on this forum, using it to recruit affiliates (customers) and members (developers). Most of these gangs break into corporate networks by leveraging network edge devices such as Pulse Secure VPN servers, then deploy their ransomware payload and make hefty ransom demands. Because the list is a free download, it is a literal DEFCON 1 danger level for any company that has not patched its Pulse Secure VPN over the last 12 months: the gangs active on the forum may use it for future attacks. Bank Security recommends that all companies patch their Pulse Secure VPNs and change passwords urgently.
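The remediation advice above (patch, then change passwords) is broader than it looks, because each entry in the leaked list exposes several different things at once. The following triage script is an added example, not code from the article or from any of the companies or researchers it names: it takes records shaped like the list's entries and turns them into the concrete reset, revoke and rotate actions a defender would need, and it also flags cleartext passwords that recur across more than one server, which is a sign of credential reuse worth a wider reset. The server records, firmware strings and the `FIXED_VERSIONS` thresholds are all constructed placeholders; the real fixed builds for CVE-2019-11510 are not given on this page and must be taken from the vendor advisory.

```python
"""Triage a leaked VPN-server dump into remediation actions (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Firmware strings look like "major.minorRrelease[.patch]"; assumption about format.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# PLACEHOLDER thresholds: first non-vulnerable build per branch. These are
# constructed values, not the vendor's; take the real ones from the advisory.
FIXED_VERSIONS = {"9.0": "9.0R9.9", "8.3": "8.3R9.9"}


def parse_version(firmware: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '9.0R3.4' into a comparable tuple (9, 0, 3, 4); None if unparseable."""
    m = VERSION_RE.match(firmware.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(firmware: str, fixed_versions: Dict[str, str]) -> bool:
    """A server is at risk if it is older than its branch's fixed build, or if
    the version or branch is unrecognised (unknown is treated as at-risk)."""
    v = parse_version(firmware)
    if v is None:
        return True
    fixed = fixed_versions.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return True
    return v < parse_version(fixed)


@dataclass
class ServerRecord:
    """One entry of the leak, mirroring the fields the article lists."""
    ip: str
    firmware: str
    admin_user: str
    last_logins: List[Tuple[str, str]]   # (username, cleartext password)
    local_users: Dict[str, str]          # username -> password hash
    session_cookies: List[str]
    ssh_keys: List[str]


def triage(records: List[ServerRecord], fixed_versions: Dict[str, str]):
    """Return (per-server action report, cleartext passwords seen on >1 server)."""
    report = {}
    password_to_ips = defaultdict(set)
    for r in records:
        # Every account named anywhere in the dump needs a credential reset.
        accounts = {r.admin_user} | {u for u, _ in r.last_logins} | set(r.local_users)
        report[r.ip] = {
            "vulnerable_firmware": is_vulnerable(r.firmware, fixed_versions),
            "accounts_to_reset": sorted(accounts),
            "cleartext_passwords_exposed": len(r.last_logins),
            "sessions_to_revoke": len(r.session_cookies),
            "ssh_keys_to_rotate": len(r.ssh_keys),
        }
        for _, pw in r.last_logins:
            password_to_ips[pw].add(r.ip)
    reused = {pw: sorted(ips) for pw, ips in password_to_ips.items() if len(ips) > 1}
    return report, reused


# Constructed sample records (documentation IP ranges, made-up credentials).
SAMPLE_RECORDS = [
    ServerRecord("192.0.2.10", "9.0R2", "admin",
                 [("jdoe", "Winter2020!"), ("asmith", "Passw0rd")],
                 {"admin": "$6$h1", "svc": "$6$h2"},
                 ["DSID=aaa", "DSID=bbb"], ["ssh-rsa AAAA...host1"]),
    ServerRecord("198.51.100.7", "9.0R9.9", "root",
                 [("bob", "Winter2020!")], {"root": "$6$h3"}, [], ["k1", "k2"]),
    ServerRecord("203.0.113.5", "unknown", "admin", [], {}, ["DSID=ccc"], []),
]

if __name__ == "__main__":
    per_server, reused_passwords = triage(SAMPLE_RECORDS, FIXED_VERSIONS)
    for ip, actions in per_server.items():
        print(ip, actions)
    print("passwords reused across servers:", reused_passwords)
```

Unparseable firmware strings are deliberately reported as vulnerable rather than skipped, so an unusual entry in the dump cannot quietly drop a server off the patch list.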