Credentials stolen from 87,000 unpatched Fortinet SSL-VPNs have been uploaded online. Fortinet confirmed the news in a blog post published on its website on Wednesday.
Security experts, however, suspect that the real number is much higher. According to the information available, a threat actor who claims to have stolen almost half a million Fortinet VPN passwords last year has leaked a file containing the VPN credentials of 498,908 users on 12,856 devices. Analysis of the file shows that all of the IP addresses belong to valid Fortinet VPN servers, although the passwords themselves have not been tested.
A further analysis shows that the IP addresses belong to devices all around the world. According to the disclosed details, 22,500 entities have been affected in total, 2,959 of them located in the United States.
While Fortinet has yet to respond to requests for clarification on how many devices were compromised, the company has confirmed that the attackers exploited a path traversal weakness in Fortinet's FortiOS (FG-IR-18-384 / CVE-2018-13379), a vulnerability discovered in 2018 that has been repeatedly exploited since.
A patch for the flaw was released in May 2019, and since then Fortinet has reminded its customers multiple times to upgrade their devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above. Patching alone is not enough, however: credentials harvested before the upgrade remain valid, so IT staff must also change device passwords.
The vulnerability, which was ranked as one of the top 30 most exploited vulnerabilities by the Cybersecurity and Infrastructure Security Agency (CISA), allows an unauthenticated attacker to download system files by using specially crafted HTTP resource requests via the SSL VPN web interface.
How to Keep Your VPN Safe
Users who want to check whether their FortiOS version is affected by the vulnerability behind this credential leak can consult Fortinet's advisory.
According to Fortinet's security recommendations, organizations that have been running a vulnerable version should disable all VPNs, upgrade the affected devices without delay, perform an organization-wide password reset, and apply multi-factor authentication.
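To turn the version guidance above into a repeatable check, here is an added example (not Fortinet's own tooling) that triages a device inventory against the fixed FortiOS releases the article names; the device names and version strings are constructed sample data, and the plain `major.minor.patch` version format is an assumption.

```python
"""Triage a FortiOS inventory against the fixed versions named in the
FG-IR-18-384 / CVE-2018-13379 advisory. Added example, not Fortinet's
tooling; device names and versions are constructed sample data."""

# First fixed release on each affected branch, as listed in the article.
FIXED_BY_BRANCH = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}
# Anything at or after 6.2.8 ("and above") is treated as fixed.
NEWEST_FIXED = max(FIXED_BY_BRANCH.values())

def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '6.0.9' (optionally 'v6.0.9') into (6, 0, 9); reject anything else."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def triage(version: str) -> str:
    """Classify one device: 'patched', 'upgrade_required' or 'check_advisory'."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "upgrade_required"
    if v >= NEWEST_FIXED:
        return "patched"        # newer branch than 6.2, covered by "and above"
    return "check_advisory"     # older branch the article does not list

def triage_inventory(devices: dict[str, str]) -> dict[str, list[str]]:
    """Group device names by result. Every device that was exposed while
    vulnerable still needs the password reset and MFA step, patched or not."""
    groups: dict[str, list[str]] = {"patched": [], "upgrade_required": [], "check_advisory": []}
    for name, version in devices.items():
        groups[triage(version)].append(name)
    return groups

if __name__ == "__main__":
    sample = {"fw-edge-1": "6.0.9", "fw-edge-2": "6.2.8", "fw-dc": "6.4.2",
              "fw-lab": "5.2.10", "fw-branch": "5.6.14"}   # constructed inventory
    for result, names in triage_inventory(sample).items():
        print(f"{result}: {', '.join(names) or '-'}")
```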
Researchers warn that the potential impact of this data leak could be significant, since attackers may use the exposed VPN credentials to exfiltrate data, install malware, and launch ransomware attacks.
Further details on the leak indicate that a threat actor known as Orange, who previously operated the Babuk ransomware campaign and who runs the newly established RAMP hacking forum, was behind the release of the Fortinet credentials. On Tuesday, Orange used the RAMP forum to host a post linking to a file containing hundreds of Fortinet VPN accounts.