VPN login names and passwords of 87,000 FortiGate devices released
Fortinet stated that a threat actor had leaked the VPN login names and passwords linked to 87,000 FortiGate SSL-VPN devices.
Headquartered in Sunnyvale, California, Fortinet is an American multinational which develops and sells cybersecurity solutions, including firewalls, anti-virus protection, intrusion prevention systems, and endpoint security gear.
The credentials were attained from the systems where the vulnerability CVE-2018-13379 remained unfixed when the attacker was scanning the devices. The company stated that they might have been patched, but they still remain vulnerable to attacks in case the passwords are not reset.
Also read: Unpatched vulnerabilities in Mitsubishi PLCs
The attacks were discovered when the hacker chose to leak the credentials without any price on Ramp, the Russian platform, as well as the data leak site of Groove ransomware. Advance Intel pointed out that the breach list contains access to the top companies, which spanned across 74 countries. This includes India, Taiwan, Italy, France, and Israel. The researcher also said that more than 2,900 of the victims were US-based.
The vulnerability CVE-2018-13379 concerns to a path traversal flaw in the FortiOS SSL VPN web portal, allowing attackers to read arbitrary system files, which includes the session file. This holds the usernames and passwords in plaintext.
The bug was patched in May 2019, but since then, multiple attackers have exploited the unpatched devices to deploy malicious payloads. This forced Fortinet to release a series of advisories urging customers to upgrade the impacted appliances.
As per the list prepared by intelligence agencies in Australia, the U.K., and the U.S. earlier in 2021, the flaw was also included in the top exploited flaws of 2020.
Fortinet, in regard to the exploitation, is advising companies to disable all VPNs immediately along with upgrading the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above. This is followed by commencing a password reset throughout the organizations with a warning stating that the vulnerability still prevails post-upgrade if the users’ credentials were compromised before.
