{
	"id": "109db929-1d81-49d2-bba2-8cf0abbd1068",
	"created_at": "2026-04-06T01:31:07.135875Z",
	"updated_at": "2026-04-10T13:12:51.641144Z",
	"deleted_at": null,
	"sha1_hash": "1d646c1ca3cad0fc1555a00366c428b276819bbe",
	"title": "Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 838379,
	"plain_text": "Easy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN\r\nCredentials Leaked\r\nBy Victoria Kivilevich, KELA Cyber Team\r\nPublished: 2020-12-03 · Archived: 2026-04-06 00:58:01 UTC\r\nEdited by KELA Cyber Team\r\nUpdated December 3, 2020\r\nRising ransomware attacks around the world, together with the recent lists of exposed Pulse Secure VPN\r\ncredentials, set the backdrop for KELA’s latest research. While not all ransomware attacks used CVE-2019-11510\r\n(a vulnerability of unpatched Pulse Secure VPN servers) or the previously shared credentials to the compromised\r\ncorporate networks, it does add another layer to the analysis of possible initial infection vectors used in\r\nransomware incidents. Moreover, the recent exposure of credentials to nearly 50,000 vulnerable Fortinet\r\nVPNs raises further concern of possible infection vectors that can be used for ransomware attacks.\r\nOur key findings include:\r\nhttps://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/\r\nPage 1 of 7\n\nFive victims of ransomware attacks whose credentials to their Pulse Secure VPN servers were\r\nexposed as part of two Pulse Secure VPN lists (i.e., directories with folders and files) that were shared by\r\nmalicious actors in August 2020.\r\nData of three of the victims were leaked to ransomware gangs’ blogs in an attempt to force them to\r\npay a ransom. 
Based on KELA’s conversation with threat actors related to the attack, at least one victim\r\n(unnamed) paid the ransom.\r\nA threat actor involved in the attack confirmed that they gained initial access to at least one\r\ncompromised network via CVE-2019-11510.\r\nProactive monitoring of darknet threats, such as the Pulse Secure VPN lists, helps enterprise defenders\r\nsecure their networks and prevent further, more sophisticated attacks, such as ransomware attacks.\r\nExploiting CVE-2019-11510\r\nA vulnerability in Pulse Secure VPN servers, tracked as CVE-2019-11510, is one of the most popular flaws\r\nexploited by ransomware gangs to deploy encrypting malware. Travelex, for example, is among the victims\r\ncompromised through this flaw.\r\nThe ransomware operators or their affiliates often use vulnerabilities to gain access to the targeted network,\r\nescalate privileges, move laterally, and eventually infect the system with ransomware. In some cases, the operators\r\ndon’t exploit the vulnerabilities by themselves — instead, they buy so-called network access from initial access\r\nbrokers who had already exploited the flaws, gained privileges, and now sell access via RDP, VPN, or other\r\nmeans.\r\nA recent incident involving the disclosure of Pulse Secure credentials created an opportunity to analyze the internal procedures of CVE-2019-11510 exploitation. As we reported in August 2020, a list of plaintext usernames and\r\npasswords, along with IP addresses of more than 900 Pulse Secure VPN enterprise servers, was posted on a\r\nRussian-speaking underground forum (we’ll call it the first Pulse Secure list).\r\nDarknet chatter indicates the information circulated among malicious actors even before the list was shared. But that\r\ndoesn’t mean threat actors were sharing this list; it’s more likely that the actors compiled lists based on open-source research and an automated script weaponizing CVE-2019-11510. 
For example, a few days after the original\r\nlist was shared, another threat actor shared an archive of credentials to vulnerable Pulse Secure VPNs (the second\r\nPulse Secure list).\r\nA threat actor shares a “similar archive” collected over 45 days\r\nThis second list featured more than 300 IP addresses; however, only 131 items were unique compared to the first\r\nleak. This finding proves that multiple threat actors targeted the same companies through vulnerable Pulse Secure\r\nVPN servers, tracing victims through open-source tools, specifically Shodan. Out of the five victims discussed in this\r\npost, two still have their IPs present in Shodan results when using the same dork as threat actors looking for a\r\nPulse Secure VPN server.\r\nAn initial access broker, whose primary TTPs include exploiting CVE-2019-11510, describes searching for other\r\nvulnerable targets – create a tailored search query on Shodan, export the retrieved addresses, and use a public\r\nexploit against the vulnerability.\r\nThese findings confirm that multiple threat actors might target vulnerable companies for different purposes,\r\nincluding ransomware deployment.\r\nThe Victims\r\nKELA discovered five recent ransomware victims in the Pulse Secure lists, indicating that these victims’ initial\r\ninfection vector could be credentials obtained either from the lists or independently through the same\r\nvulnerability. Victims were attacked by different ransomware gangs: Egregor, LockBit, Sodinokibi, Maze, and an\r\nunknown group. 
The incidents illustrate how an unpatched Pulse Secure flaw can result in successful, lucrative\r\nransomware attacks.\r\nAmerican Video Delivery Solutions Provider\r\nOn August 30, an initial access broker and a known collaborator of the Sodinokibi ransomware gang listed a new\r\nvictim on their Twitter account: an American video delivery solutions provider.\r\nA few days later, the broker contacted KELA offering proof of a successful ransomware attack. He said he plans to\r\npost the stolen data on a well-known Russian-speaking underground forum.\r\nAn IP belonging to the company appeared in the first Pulse Secure list. Answering KELA’s questions, the broker\r\nconfirmed he used CVE-2019-11510 to obtain access to the compromised network. He claimed to work with\r\nLalartu, a well-known affiliate of Sodinokibi, suggesting that he sold the initial access to this affiliate.\r\nUnfortunately, in this scenario, as stated by the broker, the ransomware operators eventually received the ransom,\r\namounting to $100K-$300K. The broker probably took a share and didn’t sell it for a fixed price, since he made\r\nsignificant efforts to intimidate the victim and force them to pay. In a recent interview, Sodinokibi acknowledged\r\ntheir affiliates receive 70-80% of the ransom, meaning a potential gain of $70K-$240K in this attack.\r\nThe broker shares details of the attack with KELA, probably attempting to pressure the victim\r\nBarnes \u0026 Noble\r\nFive IP addresses of Barnes \u0026 Noble were present in both Pulse Secure lists, implying the company was\r\nvulnerable to CVE-2019-11510. 
In October 2020, the company disclosed it was a victim of a ransomware attack.\r\nThe Egregor ransomware gang, which emerged in September 2020 as a possible successor to Sekhmet, claimed\r\nresponsibility for the attack on its blog.\r\nWhile the initial infection vector in this attack remains unknown, Barnes \u0026 Noble’s Pulse Secure VPN credentials\r\nwere already exposed in the darknet three months ago. Attackers obtained the credentials using the CVE-2019-11510\r\nvulnerability, which means that at some point, the company had unpatched Pulse Secure VPN servers. This\r\ninitial hypothesis was later retracted when an actor involved in the attack shared that he did not exploit vulnerable\r\nPulse Secure credentials in order to access Barnes \u0026 Noble’s network.\r\nSK Hynix\r\nMaze attacked the South Korean memory and semiconductor manufacturer SK Hynix, one of the world’s top\r\nhardware companies, reporting $22 billion in revenue, in August 2020. The attackers stole documents, including\r\nemails relating to price negotiations with clients like Apple and IBM. The company had one IP in the Pulse Secure\r\nlist – in Italy, where the company’s European R\u0026D Centre is situated. While no details of the attack are\r\nknown, exploitation of CVE-2019-11510 is among Maze’s TTPs.\r\nA Vietnamese IT Corporation\r\nBased on confidential information obtained by KELA, a Vietnamese IT corporation suffered a ransomware\r\nincident in August 2020. Two of the company’s IP addresses were exposed in the Pulse Secure lists, one of them\r\npresent in both lists – suggesting several threat actors might have targeted it. 
Based on TTPs used in the attack, Maze\r\ncould be responsible, although the ransomware gang has not mentioned the company online, and there were no\r\nmedia reports of the incident.\r\nJapanese Manufacturing Company\r\nLockBit ransomware operators launched an attack against this Japanese manufacturing company. The gang first\r\nexposed the victim in a thread on a Russian-speaking underground forum, listing a .cn domain, indicating the\r\ntarget was a Chinese branch. A few days later, LockBit listed the victim on their blog without mentioning any\r\ndomain names.\r\nThe victim announced in LockBit’s thread\r\nThe victim shared on LockBit’s website\r\nWhile malicious actors often leverage Pulse Secure flaws to launch ransomware attacks, we usually discover the\r\ninitial infection vector only after the incident has occurred and the investigation has been concluded.\r\nHowever, as our post indicates, it is possible to prevent some intrusions by regularly monitoring darknet forums\r\nand repositories in order to detect potential threats to organizations. Organizations globally are continually\r\nthreatened by the exposure and ongoing circulation of their sensitive credentials that are posted on the web.\r\nTaking into consideration the nature of the underground ecosystem, the credentials exposed in recent instances\r\n(such as the exposures of the Pulse Secure VPNs and Fortinet VPNs) will likely continue to be leveraged for more\r\ncrucial cyber-attacks, creating a greater need for enterprise defenders to monitor weaknesses in their networks and\r\nexposure of their data in the Dark Net.\r\nSource: https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/"
	],
	"report_names": [
		"easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked"
	],
	"threat_actors": [],
	"ts_created_at": 1775439067,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d646c1ca3cad0fc1555a00366c428b276819bbe.pdf",
		"text": "https://archive.orkl.eu/1d646c1ca3cad0fc1555a00366c428b276819bbe.txt",
		"img": "https://archive.orkl.eu/1d646c1ca3cad0fc1555a00366c428b276819bbe.jpg"
	}
}