Hacker Posts Exploits & Exposes Passwords for Over 49,000 Vulnerable Fortinet VPNs
Updated 30 November 2020
Last week, a list of almost 50,000 Fortinet VPN devices vulnerable to CVE-2018-13379 was leaked. The situation has evolved: the group behind the leak has begun dumping archives of plain-text credentials and access rights harvested from these devices. These archives are being widely shared across the internet.
In addition to VPN compromise, users listed in the archive may be vulnerable to credential stuffing attacks. Credential stuffing uses such dumps to compromise other accounts where credentials have been reused or permuted. This may lead to further compromises of personal or professional user accounts.
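One practical way to act on the credential-stuffing risk above is to review VPN authentication logs for a single source trying many different accounts in a short window. The script below is an added example, not part of the original advisory; the log format, source addresses and usernames are constructed for illustration, and the regex would need adapting to a real FortiOS or SIEM export.

```python
"""Flag credential-stuffing patterns in SSL VPN authentication logs.

Added example, not from the original advisory. The log format below is
constructed for illustration; adapt LINE_RE to your own VPN/auth logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycling through many usernames in seconds
# (stuffing), and one user mistyping their own password (benign).
SAMPLE_LOG = """\
2020-11-30T08:00:01Z src=198.51.100.7 user=alice result=fail
2020-11-30T08:00:02Z src=198.51.100.7 user=bob result=fail
2020-11-30T08:00:03Z src=198.51.100.7 user=carol result=fail
2020-11-30T08:00:04Z src=198.51.100.7 user=dave result=fail
2020-11-30T08:00:05Z src=198.51.100.7 user=erin result=success
2020-11-30T08:10:00Z src=203.0.113.9 user=frank result=fail
2020-11-30T08:10:20Z src=203.0.113.9 user=frank result=fail
2020-11-30T08:10:45Z src=203.0.113.9 user=frank result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, src, user, result) tuples; skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"]


def find_stuffing_sources(text, window=timedelta(minutes=5), min_users=4):
    """Return {src: sorted usernames tried} for every source that attempts at
    least `min_users` distinct accounts within any span of length `window`.

    The signal is breadth (many accounts from one source), not depth (many
    tries on one account), which separates a stuffing run from a user who
    simply mistypes their own password.
    """
    per_src = defaultdict(list)  # src -> [(ts, user)] in time order
    for ts, src, user, _result in sorted(parse_events(text)):
        per_src[src].append((ts, user))

    flagged = {}
    for src, attempts in per_src.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                # Report every account this source touched, not just the window.
                flagged[src] = sorted({u for _, u in attempts})
                break
    return flagged


def successes_from_flagged(text, flagged):
    """Accounts successfully logged into from a flagged source: reset and
    review these first."""
    return sorted(
        {user for _ts, src, user, result in parse_events(text)
         if src in flagged and result == "success"}
    )


if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    print("suspected stuffing sources:", hits)
    print("accounts to reset first:", successes_from_flagged(SAMPLE_LOG, hits))
```

The thresholds (`window`, `min_users`) are assumptions to tune against your own baseline; a shared NAT address with many legitimate users will need a higher `min_users` than a site where each user has a distinct egress address.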
We reiterate the urgency for patching vulnerable Fortinet devices, as well as reviewing logs to identify vulnerable user accounts.
Original Advisory: Tuesday, 24 November 2020
A list of almost 50,000 Fortinet VPN devices vulnerable to CVE-2018-13379 has been leaked to a hacker forum. The vulnerability is a path traversal flaw that allows unauthenticated remote attackers to access system files via crafted HTTP requests. The leak includes commands to steal login credentials from 49,577 unpatched FortiOS SSL VPN devices.
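Because the flaw is a path traversal reached over HTTP, the corresponding log review is to look for request targets that climb out of their directory with `..` segments, including percent-encoded and double-encoded forms. The detector below is an added example and not the advisory's own tooling; the access-log lines, the `/portal/resource?file=` endpoint and the source addresses are constructed, and the real request pattern for this CVE should be taken from the vendor advisory rather than from this snippet.

```python
"""Flag path-traversal attempts in web/SSL-VPN access logs.

Added example, not from the original advisory. It percent-decodes the
request target repeatedly (bounded), so double-encoded '..' is caught,
folds backslashes to slashes, and reports any target containing a '..'
segment in the path or in a query value. Log lines are constructed in
Apache/nginx "combined" style with a hypothetical endpoint.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
203.0.113.5 - - [24/Nov/2020:10:12:01 +0000] "GET /portal/login?lang=en HTTP/1.1" 200 5123
198.51.100.23 - - [24/Nov/2020:10:12:07 +0000] "GET /portal/resource?file=/../../../../etc/passwd HTTP/1.1" 200 2048
198.51.100.23 - - [24/Nov/2020:10:12:09 +0000] "GET /portal/resource?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048
198.51.100.23 - - [24/Nov/2020:10:12:11 +0000] "GET /portal/resource?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2048
203.0.113.5 - - [24/Nov/2020:10:13:40 +0000] "GET /static/..hidden/app.js HTTP/1.1" 200 900
"""

# Request target between the method and the protocol version.
TARGET_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# A '..' that is a whole segment: bounded by a slash or a query delimiter.
TRAVERSAL_RE = re.compile(r"(?:^|[/?=&])\.\.(?:[/?&]|$)")


def normalise_target(target, max_rounds=3):
    """Percent-decode until the string stops changing (at most max_rounds),
    then fold backslashes so Windows-style separators cannot hide '..'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def is_traversal(target):
    """True if the normalised target contains a '..' segment."""
    return bool(TRAVERSAL_RE.search(normalise_target(target)))


def find_traversal_requests(text):
    """Return [(src_ip, raw_target, normalised_target)] for suspicious lines."""
    hits = []
    for line in text.splitlines():
        m = TARGET_RE.search(line)
        if not m:
            continue
        src = line.split(" ", 1)[0]
        raw = m["target"]
        if is_traversal(raw):
            hits.append((src, raw, normalise_target(raw)))
    return hits


if __name__ == "__main__":
    for src, raw, norm in find_traversal_requests(SAMPLE_LOG):
        print(f"{src}  {raw}  ->  {norm}")
```

Note that `/static/..hidden/app.js` is deliberately not flagged: `..hidden` is an ordinary directory name, and matching on a bare `..` substring would produce that false positive. A 200 response on a flagged line is the detail to escalate on, since it indicates the device served the request rather than rejecting it.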
Researchers have commented that slow patching procedures have left a large number of organisations vulnerable to the two-year-old exploit.
Fortinet has issued a statement regarding this vulnerability:
“The security of our customers is our first priority. In May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 strongly recommending an upgrade.”
We recommend patching this severe vulnerability immediately and prioritising the review of Fortinet logs.