- November 26, 2020
- Posted by: administrator
- Category: Threat News
A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs.
Over the weekend a hacker had posted a list of one-line exploits for CVE-2018-13379 to steal VPN credentials from these devices.
Present on the list of vulnerable targets are IPs belonging to high street banks, telecoms, and government organizations from around the world.
Leaked files expose usernames, passwords, unmasked IPs
The exploitation of critical FortiOS vulnerability CVE-2018-13379 lets an attacker access the sensitive “sslvpn_websession” files from Fortinet VPNs.
These files contain session-related information, but most importantly, may reveal plain text usernames and passwords of Fortinet VPN users.
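Because the flaw is a path traversal that reads the “sslvpn_websession” file through the VPN's web portal, a defender can look for that combination in web-server or reverse-proxy logs. The detector below is an added example, not code from the article, BleepingComputer or Fortinet; the log format, the request paths and the sample lines are constructed for illustration and do not reproduce any published exploit string. It normalises percent-encoding (including double encoding) before matching, and marks a hit as a likely success when the appliance answered 200 with a non-empty body.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Constructed log lines in a common combined-log layout (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Nov/2020:03:14:07 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1543',
    '203.0.113.7 - - [22/Nov/2020:03:14:09 +0000] "GET /remote/portal?file=..%2f..%2fsslvpn_websession HTTP/1.1" 200 211980',
    '198.51.100.23 - - [22/Nov/2020:03:20:41 +0000] "GET /remote/portal?file=../../sslvpn_websession HTTP/1.1" 404 -',
    '192.0.2.55 - - [22/Nov/2020:04:01:00 +0000] "POST /remote/logincheck HTTP/1.1" 200 87',
]

# Assumed log layout: client, ident, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Either directory-separator flavour of a "dot-dot" traversal step.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
# The session file the article says the vulnerability exposes.
TARGET_FILE = "sslvpn_websession"


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded forms normalise."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_websession_traversal(path: str) -> bool:
    """True when a request path combines a traversal step with the session file name."""
    decoded = decode_path(path).lower()
    return TARGET_FILE in decoded and TRAVERSAL_RE.search(decoded) is not None


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """Return one record per suspicious request; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_websession_traversal(m.group("path")):
            continue
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        hits.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "path": m.group("path"),
            "status": status,
            # A 200 with a body means the appliance probably served the file.
            "likely_success": status == 200 and size > 0,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if hit["likely_success"] else "attempt"
        print(f'{hit["ts"]} {hit["src"]} {hit["status"]} {flag} {hit["path"]}')
```

A hit with `likely_success` set should be treated as a credential exposure for every user whose session was active on that appliance at the time, not just as a scan.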
Today, threat intelligence analyst Bank_Security has found another thread on the hacker forum where a threat actor shared a data dump containing “sslvpn_websession” files for every IP that had been on the list.
As observed by BleepingComputer, these files reveal usernames, passwords, access levels (e.g. “full-access”), and the original unmasked IP addresses of users connected to the VPNs.
The new data set posted on the forum is a mere 36 MB RAR archive, but at the time of our testing it expanded to over 7 GB when decompressed.
Because these files expose passwords, even after the vulnerable Fortinet VPNs are patched the credentials could be reused by anyone with access to the dump, either in credential stuffing attacks or to regain access to these VPNs.
While the threat actor’s motivations for this second, more expansive leak aren’t clear, BleepingComputer did notice that the newly leaked archive contains lists marked “pak” that separate out Pakistan-based VPN IPs and their corresponding “sslvpn_websession” files from the larger 49,000+ VPN data set.
Additionally enclosed is an image file, titled “—–”, which is a “Yes we can” Adolf Hitler poster created in the style of Obama’s 2008 presidential campaign poster.
To make matters worse, the credential dump is being reposted on other forums and chats.
Fortinet repeatedly tried to warn customers
This week Fortinet told BleepingComputer that ever since the public disclosure of the critical path traversal vulnerability (CVE-2018-13379) last year, the company had repeatedly alerted its customers, encouraging them to patch vulnerable FortiOS instances.
“The security of our customers is our first priority. In May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 strongly recommending an upgrade,” a Fortinet spokesperson told BleepingComputer.
Despite these measures, the critical bug has been extensively exploited in the wild due to a lack of patching.
The same flaw was leveraged by attackers to break into US government elections support systems.
Earlier this year, nation-state threat actors had weaponized the vulnerability to compromise networks and deploy ransomware.
“In the last week, we have communicated with all customers notifying them again of the vulnerability and steps to mitigate. While we cannot confirm that the attack vectors for this group took place via this vulnerability, we continue to urge customers to implement the upgrade and mitigations. To get more information, please visit our updated blog and immediately refer to the May 2019 [PSIRT] advisory,” concluded Fortinet.
Network administrators and security professionals are therefore encouraged to patch this severe vulnerability immediately.
As a safeguard, Fortinet VPN users should change their passwords immediately, both on the VPN devices and on any other websites where the same credentials were used.
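A defender who obtains a copy of such a dump needs to turn it into a reset list quickly: which of their own appliances appear, which accounts had full access, and which users evidently reuse one password across appliances (a hint that the same password may be in use elsewhere, as the article warns). The triage helper below is an added example, not code from the article or from Fortinet; the record layout, the address ranges and every credential value are constructed, and the real dump's file format is not described on this page. It deliberately keeps plaintext passwords out of its output.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed record layout (not the real dump format):
# (vpn_appliance_ip, username, password, access_level, client_ip)
Record = Tuple[str, str, str, str, str]

SAMPLE_RECORDS: List[Record] = [
    ("192.0.2.10", "alice", "Winter2020!", "full-access", "203.0.113.44"),
    ("192.0.2.10", "bob", "bob123", "full-access", "198.51.100.9"),
    ("192.0.2.11", "alice", "Winter2020!", "read-only", "203.0.113.44"),
    ("198.51.100.200", "carol", "pass", "full-access", "203.0.113.1"),  # not ours
]

# Assumed: the address space our own VPN appliances live in.
OUR_VPN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def is_ours(ip: str, ranges: List[ipaddress.IPv4Network]) -> bool:
    """True when the appliance address falls inside one of our ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def triage(records: Iterable[Record], ranges: List[ipaddress.IPv4Network]) -> Dict:
    """Summarise which of our appliances and accounts a dump exposes.

    Passwords are only used to detect reuse across appliances; they are
    never copied into the returned structure.
    """
    appliances: Set[str] = set()
    accounts: Dict[str, Dict] = {}
    # (username, password) -> appliances on which that pair was captured
    pair_sites: Dict[Tuple[str, str], Set[str]] = {}
    ignored = 0

    for vpn_ip, user, password, level, client_ip in records:
        if not is_ours(vpn_ip, ranges):
            ignored += 1
            continue
        appliances.add(vpn_ip)
        entry = accounts.setdefault(
            user, {"appliances": set(), "client_ips": set(), "full_access": False}
        )
        entry["appliances"].add(vpn_ip)
        entry["client_ips"].add(client_ip)
        if level == "full-access":
            entry["full_access"] = True
        pair_sites.setdefault((user, password), set()).add(vpn_ip)

    for user, entry in accounts.items():
        entry["password_reused"] = any(
            len(sites) > 1 for (u, _pw), sites in pair_sites.items() if u == user
        )

    return {"appliances": appliances, "accounts": accounts, "ignored_records": ignored}


def reset_order(result: Dict) -> List[str]:
    """Accounts to reset first: full-access, then evident password reuse, then by name."""
    accounts = result["accounts"]
    return sorted(
        accounts,
        key=lambda u: (not accounts[u]["full_access"], not accounts[u]["password_reused"], u),
    )


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS, OUR_VPN_RANGES)
    print("patch these appliances:", sorted(result["appliances"]))
    for user in reset_order(result):
        info = result["accounts"][user]
        print(f"reset {user}: full_access={info['full_access']} reused={info['password_reused']}")
```

The ordering puts privileged accounts first because the article notes the dump records access levels such as “full-access”; an account flagged for reuse should also be told to change the password anywhere else it was used, which no script can verify on its own.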
NOTE: This article is copyright bleepingcomputer.com and we are using it for educational or informational purposes only.