UPDATED 21:30 EDT / NOVEMBER 25 2020


Hacker publishes credentials stolen from Fortinet’s FortiGate VPNs

A hacker has published a list of credentials for nearly 50,000 Fortinet Inc. FortiGate virtual private networking systems connected to the internet that can be exploited using a known vulnerability.

The 6.7-gigabyte uncompressed database is being offered on popular hacking forums and is claimed to be “the most complete archive containing all exploit links and sslvpn websession files with username and passwords.” The person offering the database, using the name arendee2018, also claims it contains links and all web session files from the Fortinet devices.

The data originates from a list published on Nov. 19 by a hacker going by the name “pumpedkicks”: one-line exploits for Fortinet FortiGate IP addresses affected by the vulnerability tracked as CVE-2018-13379, HackRead reported. The newly published database was compiled by running those exploits to harvest credentials and other related data.

The vulnerability was uncovered by researchers in Taiwan in August 2018 and is described as a “path traversal vulnerability in the FortiOS SSL VPN web portal [that] may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.” Fortinet issued a patch for the vulnerability in May 2019 and warned customers again in August 2019 and in July of the need to apply it. Unfortunately, not all companies and users regularly apply security updates, leaving themselves vulnerable to attack.

In July Fortinet warned that advanced persistent threat groups, including APT 29, also known as Cozy Bear, were using the vulnerability to target COVID-19 vaccine development in Canada, the U.S. and the U.K. A July 16 advisory from the U.K. National Cyber Security Centre and Canada’s Communications Security Establishment, with support from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, likewise warned that the vulnerability was being exploited to target COVID-19 research.

All Fortinet customers are advised, if they haven’t done so already, to immediately upgrade all FortiGate systems to the latest firmware releases, to validate that all SSL-VPN local users are expected and have the correct email addresses assigned, and to perform a password reset on all users.

“In this incident, the exploitation of the specific CVE allowed an unauthenticated attacker to download system files through uniquely crafted HTTP resource requests,” Vinay Sridhara, chief technology officer of security posture transformation firm Balbix Inc., told SiliconANGLE. “By using special elements such as ‘..’ and ‘/’ separators, attackers can get around the restricted location to access files or directories that are elsewhere on the system.”

Sridhara added that about 50,000 records belonging to banks, telecoms and government organizations were exposed by this data leak, including session-related information and plain-text usernames and passwords of Fortinet VPN users. “What’s most concerning is that even if the vulnerability is patched, the credentials are still at risk for credential stuffing attacks,” he said.
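As an added illustration (not code from the article, Fortinet or Balbix), a defender-side log check for the path traversal mechanism Sridhara describes: it decodes each requested path, including percent-encoded and double-encoded forms, and flags any request whose path contains a '..' segment, ranking those that returned 200 highest. The log format, paths and addresses are constructed samples and do not reproduce the FortiOS portal's real URIs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical paths, not real FortiOS URIs).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2020:21:30:00 +0000] "GET /remote/login HTTP/1.1" 200 512
203.0.113.7 - - [25/Nov/2020:21:30:01 +0000] "GET /remote/static/../../etc/config HTTP/1.1" 200 1024
203.0.113.9 - - [25/Nov/2020:21:30:02 +0000] "GET /remote/static/%2e%2e/%2e%2e/config HTTP/1.1" 200 2048
203.0.113.9 - - [25/Nov/2020:21:30:03 +0000] "GET /remote/static/..%2f..%2fconfig HTTP/1.1" 404 90
203.0.113.11 - - [25/Nov/2020:21:30:04 +0000] "GET /remote/static/style.css HTTP/1.1" 200 300
"""

# Common-log-format request line: client IP, timestamp, method, path, status.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e) is also caught."""
    for _ in range(rounds):
        new = unquote(path)
        if new == path:
            break
        path = new
    return path

def is_traversal(path: str) -> bool:
    """True when the decoded request path contains a '..' segment, i.e. an attempt
    to step outside the intended directory using the '..' and '/' elements quoted above."""
    decoded = decode_path(path.split('?', 1)[0]).replace('\\', '/')
    return any(seg == '..' for seg in decoded.split('/'))

def find_traversal_attempts(log_text: str):
    """Return (ip, path, status) for each request carrying a traversal sequence.
    A 200 on such a request means the server may have served the file: triage first."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m and is_traversal(m['path']):
            hits.append((m['ip'], m['path'], int(m['status'])))
    return hits

if __name__ == "__main__":
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{'SUCCESS' if status == 200 else 'attempt'} from {ip}: {path}")
```

Any hit with a 200 status should trigger the credential reset the article recommends, since session files and passwords are exactly what a successful download would expose.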

