Pulse Secure VPN Security Breach
Cybercriminals have published a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure Virtual Private Network (VPN) enterprise servers, on a hacker forum used by ransomware gangs.
This information provides hackers with a gateway into these networks – if they are not updated quickly.
Pulse Secure is a widely-deployed VPN used by organizations of any size, across every major industry.
WHY THIS MATTERS
Since the COVID-19 outbreak, numerous businesses have shifted to remote work (aka work from home) to remain open for business. Unfortunately, cybercriminals have been able to exploit this shift in our work environments with an onslaught of cyberattacks.
As summarized above, bad actors recently published plaintext usernames and passwords, along with IP addresses, for more than 900 enterprise Pulse Secure Virtual Private Network (VPN) servers on a hacker forum frequented by ransomware gangs.
Unless those servers are patched and their credentials reset quickly, the list gives attackers a ready-made gateway into the affected networks.
This alert provides you with what we know about the cyberattack and suggestions on how to mitigate the risk and any resulting financial loss.
DESCRIPTION
ZDNet obtained a copy of the published list (via the Bank Security threat intelligence researchers) and verified its authenticity. For each server, the list includes:
- IP addresses of Pulse Secure VPN servers
- Pulse Secure VPN server firmware version
- SSH keys for each server
- A list of all local users and their password hashes
- Admin account details
- Last VPN logins (including usernames and cleartext passwords)
- VPN session cookies
The security researchers noted that every Pulse Secure VPN server in the list was running a firmware version vulnerable to CVE-2019-11510. That flaw is a pre-authentication arbitrary file read in Pulse Connect Secure, which is exactly what lets a remote attacker pull password hashes, session cookies and cached plaintext credentials from the appliance without ever logging in. The attacker appears to have exploited it to gain access to each server, dump the server details (including usernames and passwords), and then collect all of the information in one central repository.
Based on timestamps in the list, it appears hackers compiled the list between June 24 and July 8, 2020.
Furthermore, the hackers published the list as a free download on a hacker forum used by ransomware gangs, creating a DEFCON 1 danger level for any company that has failed to patch its Pulse Secure VPN over the past year.
Threat intelligence company Bad Packets advises that, in addition to patching their Pulse Secure VPN servers, companies need to change passwords, so that hackers cannot abuse the leaked credentials to take over the devices and then spread into the internal network. Because the dump also contains each server's SSH keys and VPN session cookies, those keys should be rotated and all active VPN sessions terminated as well; patching alone does not invalidate credentials that have already been stolen.
The Cybersecurity & Infrastructure Security Agency (CISA) issued an alert about this vulnerability in January 2020, noting that unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors, and strongly urging users and administrators to upgrade to the corresponding fixed releases.
The Pulse Secure website states: “Pulse Connect Secure is the most widely deployed SSL VPN for organizations of any size, across every major industry.” As of the time of this alert, the company has not issued a press release.
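Because the leaked list records each server's firmware version, and CISA's advice boils down to "are you on a fixed release or not", a practical first step is to run your own appliance inventory through a version check. The script below is an added example written for this alert, not code from ZDNet, Bad Packets, CISA or Pulse Secure. The per-branch fixed releases it encodes are taken from the vendor's advisory for CVE-2019-11510 as recalled by the author, not from the text above; confirm them against the current Pulse Secure advisory before relying on the result. The inventory entries are constructed sample data.

```python
"""Triage Pulse Connect Secure appliances by firmware version for CVE-2019-11510."""
import re
from typing import List, Optional, Tuple

# Earliest fixed Pulse Connect Secure release on each maintenance branch.
# ASSUMPTION: values recalled from the vendor advisory for CVE-2019-11510,
# not stated on this page; verify against Pulse Secure's current advisory.
FIXED_BY_BRANCH = {
    (8, 1): (8, 1, 15, 1),
    (8, 2): (8, 2, 12, 1),
    (8, 3): (8, 3, 7, 1),
    (9, 0): (9, 0, 3, 4),
}

# Matches strings such as "8.3R7.1", "9.0R4" or "9.0R3.3 (build 64003)".
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:\s*\(build\s*\d+\))?$", re.IGNORECASE
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a Pulse version string into a comparable (major, minor, R, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True if the given firmware predates the fix on its branch."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Pulse Secure version string: {version!r}")
    branch = parsed[:2]
    if branch in FIXED_BY_BRANCH:
        return parsed < FIXED_BY_BRANCH[branch]
    if branch > (9, 0):
        # 9.1 and later were released after the fix shipped.
        return False
    # 8.0 and older branches never received a fix; treat as vulnerable.
    return True


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every appliance that needs attention.

    Vulnerable hosts need patching AND credential, SSH key and session
    rotation, since the leak shows those secrets may already be in the wild.
    Unparseable versions are flagged rather than silently treated as safe.
    """
    needs_action = []
    for host, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            status = "unknown version, verify manually"
        if status != "patched":
            needs_action.append((host, version, status))
    return needs_action


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("vpn1.example.net", "8.3R7.1 (build 65025)"),  # fixed release on 8.3 branch
    ("vpn2.example.net", "9.0R3.3"),                 # one release before the 9.0 fix
    ("vpn3.example.net", "9.1R8"),                   # later branch, post-fix
    ("vpn4.example.net", "8.2R11"),                  # pre-fix on 8.2 branch
    ("vpn5.example.net", "n/a"),                     # inventory gap
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:20} {version:24} {status}")
```

Running the block prints only the hosts that still need work (vpn2, vpn4 and vpn5 in the sample); anything on a fixed release is omitted. Note that the check is deliberately conservative: a version it cannot parse is reported for manual review rather than assumed safe.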
WHAT THIS MEANS
Ironically, VPN appears on most “recommended security measures” lists during the coronavirus remote work era. Now, we need to take a closer look at VPN cybersecurity and the fallout from this type of security breach.
First, continue to use a remotely accessed digital workspace, such as VPN, despite the recent Pulse Secure VPN security breach.
Second, VPN practices and procedures need to change: patch promptly, and reset passwords after patching.
Third, provide support and updated instructions to employees on using the VPN to log in to the business network to access email, documents, invoices, client lists, and a host of other confidential or proprietary information. Company-wide dissemination of current cyber threats to all employees, remote or otherwise, is critical.
Fourth, this is a different matter altogether from the recent security breaches reported at free consumer VPN providers, where the advice was to move to a reputable paid provider. Pulse Secure is an enterprise VPN appliance, and the remedy here is patching and credential rotation, not switching providers.
CYBER RISKS
This VPN security breach is a wake-up call to organizations that need to be aware of potential cyber risks that arise from remote work and connecting virtually:
Human Error resulting in the release of malware into the network:
- An employee (during remote work or in the office) clicking on a malicious link in an email, text message, or unsecured website.
Business Email Compromise:
- An employee tricked into sending or wiring funds to a fake bank account.
Invoice Manipulation deceiving your customers:
- Your customers or vendors tricked by bad actors using a legitimate email and data to alter a payment or deliver goods or services to the wrong location that is controlled by the bad actor.
Phishing leading to a ransomware attack or a data breach:
- A ransomware attack that locks your data, demanding a ransom payment to unlock your files or data, during which time you may have a costly business interruption.
- A data breach via unauthorized access to your computer systems or network, stealing your data, such as personally identifiable information (PII) of clients and employees.
TAKEAWAYS
- There is an urgent need for organizations running Pulse Secure to update their VPN security practices: 1) patch Pulse Secure VPN, 2) change passwords, rotate SSH keys and terminate active sessions, since all three were in the leaked data, and 3) disseminate updated cybersecurity threat information to all employees.
- All organizations using any VPN should apply the same discipline: 1) patch, 2) change passwords, and 3) update employee awareness about cyber threats.
- More than one-third of organizations have experienced a security incident caused by a remote worker's actions, which is why secure connections via remotely accessed digital workspaces, such as VPN, are recommended. However, adequate cybersecurity measures are still needed while using a VPN.
- The benefits of remote work – continuing business operations -- outweigh the risks if you have robust Stand-Alone Cyber Insurance to help reduce a cyber-related financial loss.
Stand-Alone Cyber Insurance Solutions
Stand-Alone Cyber Insurance is your go-to option when you are looking to transfer some of your residual risk (that cannot be adequately mitigated):
- Social engineering, Funds Transfer Fraud, and Invoice Manipulation coverage
- Ransomware or cyber extortion coverage, including ransom payments and/or data recovery
- Data breach coverage, including direct first-party losses and third-party liability and damages
- Business interruption coverage, including loss of profits and extra expenses incurred during a shutdown of your computer network.
- Employee training and educational tools to help prevent attacks and protect your network/data