FortiGate devices leak 87,000 VPN account passwords
A recent hack leaked login and password information associated with over 87,000 FortiGate SSL-VPN devices, developed by network security system provider Fortinet.
The leaked data was first published on September 7th on the Russian forums RAMP and Groove. All of the information was disclosed for free and was said to contain raw VPN access to “top companies” from 74 countries. Of a total of 22,500 victims of the leak, 2,959 are believed to be United States entities. Other affected countries include France, Taiwan, India, Italy, and Israel.
Fortinet confirmed the leak on Wednesday, September 9, stating that:
“These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor’s scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable.”
This vulnerability allows attackers to read arbitrary system files. Those include the session files, which contain users’ usernames and passwords that can then be used to gain access to the system.
The flaw was discovered and fixed in May 2019, but attackers have continuously exploited it since then to get access to unpatched devices. It is considered to have been one of the top exploited network flaws in 2020.
In light of the recent leak, Fortinet is recommending that its clients immediately stop the use of any VPNs and upgrade the systems to newer versions. Fortinet also insists on a company-wide password reset, since systems will remain vulnerable after the patch if the users’ login information hasn’t changed:
“You may remain vulnerable post-upgrade if your users’ credentials were previously compromised.”