A threat actor leaked the VPN login names and passwords for 87,000 Fortinet FortiGate SSL-VPN machines.
Fortinet, a provider of network security solutions, confirmed that these credentials were retrieved from systems that remained unpatched against CVE-2018-13379 during the actor’s scan.
Devices that have since been patched remain vulnerable if their passwords have not been changed. The threat actor published the list of Fortinet credentials for free on RAMP, a new Russian-speaking forum that opened in July 2021, as well as on the data leak site of the Groove ransomware.
The breach list, according to the experts at Advanced Intel, contains raw access to the top firms in 74 countries, including India, Taiwan, Italy, France, and Israel. Of the 22,500 victims, 2,959 are in the United States.
CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords saved in plaintext.
Although the vulnerability was addressed in May 2019, multiple adversaries continued to exploit it regularly to deliver a variety of malicious payloads to unpatched devices. As a result, Fortinet was forced to release a series of advisories in August 2019, July 2020, April 2021, and June 2021 urging customers to upgrade affected appliances.
CVE-2018-13379 was also rated as one of the most abused vulnerabilities in 2020.
Fortinet recommended that all businesses disable VPNs immediately and update to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and higher. It also advised companies to change their passwords, because they may still be vulnerable if users' credentials were compromised previously.
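The following is an added example, not Fortinet's tooling or code from the original article: a small inventory triage that applies the two recommendations above, flagging devices below the listed FortiOS versions and patched devices whose passwords were not changed after the upgrade. The inventory fields and device names are constructed, and comparing each device against the listed version for its own release branch is an assumption about how the version list is meant to be read.

```python
from datetime import date

# Versions the article lists, keyed by release branch (major, minor) -> minimum patch.
RECOMMENDED = {(5, 4): 13, (5, 6): 14, (6, 0): 11, (6, 2): 8}

def parse_version(text):
    """Turn 'v6.0.4' or '6.0.4' into (6, 0, 4)."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in parts)

def meets_recommendation(version):
    """True/False for listed or newer branches; None when the article gives no guidance."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in RECOMMENDED:
        return patch >= RECOMMENDED[branch]
    if branch > max(RECOMMENDED):
        return True  # "and higher": branches newer than 6.2
    return None      # branch not covered by the listed versions

def triage(dev):
    """Classify one inventory record (hypothetical schema, see INVENTORY)."""
    ok = meets_recommendation(dev["version"])
    if ok is None:
        return "review"
    if not ok:
        return "upgrade-and-reset"
    # Patched: credentials read before the upgrade stay valid until changed.
    upgraded, reset = dev["upgraded_on"], dev["passwords_reset_on"]
    if upgraded is None or reset is None or reset < upgraded:
        return "reset-passwords"
    return "ok"

# Constructed sample inventory; names and dates are illustrative only.
INVENTORY = [
    {"name": "fw-a", "version": "v6.0.4", "upgraded_on": None,
     "passwords_reset_on": None},
    {"name": "fw-b", "version": "6.2.9", "upgraded_on": date(2021, 5, 10),
     "passwords_reset_on": date(2020, 11, 2)},
    {"name": "fw-c", "version": "6.0.11", "upgraded_on": date(2019, 6, 1),
     "passwords_reset_on": date(2021, 9, 10)},
    {"name": "fw-d", "version": "5.2.9", "upgraded_on": None,
     "passwords_reset_on": None},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(f'{dev["name"]:6} {dev["version"]:8} {triage(dev)}')
```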