A brief security notice for administrators of Pulse Secure VPN servers. A mass scan of the Internet for Pulse Secure VPN servers has been running for several hours.
I just found the information on Twitter. The scan originates from IP 5.101.181.111 and searches for vulnerable Pulse Secure VPN servers.
⚠️ ⚠️
Mass scanning activity detected from 5.101.181.111 attempting to exploit Pulse Secure VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2019-11510) leading to disclosure of user passwords and private keys. #threatintel pic.twitter.com/aZuZkLHKtM — Bad Packets Report (@bad_packets) September 8, 2019
At the end of August, I briefly reported on the vulnerability in these products in my blog post Attacks on unpatched Pulse Secure and Fortinet SSL VPNs. The vulnerability CVE-2019-11510 allows attackers to read private keys and user passwords. The vendors released security updates for it months ago. So if you administer such a server and haven't patched it yet, you should do so as soon as possible.