A hacker has published a list of credentials for nearly 50,000 internet-connected Fortinet Inc. FortiGate virtual private network (VPN) systems that can be exploited using a known vulnerability.
The 6.7-gigabyte uncompressed database is being offered on popular hacking forums and is claimed to be “the most complete archive containing all exploit links and sslvpn websession files with username and passwords.” The person offering the database, using the name arendee2018, also claims it contains links and all web session files from the Fortinet devices.
The data originated from data stolen on Nov. 19 by a hacker going by the name “pumpedkicks,” who published a list of one-line exploits for Fortinet FortiGate IPs containing a vulnerability classified as CVE-2018-13379, HackRead reported. The newly published database was compiled by using those published exploits to harvest credentials and other related data.
The vulnerability was uncovered by researchers in Taiwan in August 2018 and is described as a “path traversal vulnerability in the FortiOS SSL VPN web portal [that] may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.” Fortinet issued a patch for the vulnerability in May 2019 and repeated its warnings to customers to apply the patch in August 2019 and again in July. Unfortunately, not all companies and users regularly apply security updates, leaving themselves vulnerable to hacking.
In July Fortinet warned that advanced persistent threat groups, including APT 29, also known as Cozy Bear, were using the vulnerability to target COVID-19 vaccine development in Canada, the U.S. and the U.K. The same warning that the vulnerability was being exploited to target COVID-19 research was issued on July 16 by the U.K. National Cyber Security Centre and Canada’s Communications Security Establishment, with support from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
All Fortinet customers are advised, if they haven’t done so already, to immediately upgrade all FortiGate systems to the latest firmware releases, to validate that all SSL-VPN local users are expected and have the correct email addresses assigned, and to perform a password reset on all users.
“In this incident, the exploitation of the specific CVE allowed an unauthenticated attacker to download system files through uniquely crafted HTTP resource requests,” Vinay Sridhara, chief technology officer of security posture transformation firm Balbix Inc., told SiliconANGLE. “By using special elements such as ‘..’ and ‘/’ separators, attackers can get around the restricted location to access files or directories that are elsewhere on the system.”
Sridhara added that about 50,000 records belonging to banks, telecoms and government organizations were exposed by this data leak, including session-related information and plain-text usernames and passwords of Fortinet VPN users. “What’s most concerning is that even if the vulnerability is patched, the credentials are still at risk for credential stuffing attacks,” he said.
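As an added example (not code from the article, from Fortinet or from Balbix), the following Python check is the kind a defender might run over web-portal request logs to spot the mechanism Sridhara describes: it normalizes each requested path (percent-decoding repeatedly to defeat double encoding, folding backslashes) and flags requests whose “..” segments climb above the web root, in the path or in query values. The sample request lines are constructed and deliberately do not reproduce the CVE-2018-13379 request.

```python
import re
from urllib.parse import unquote

# Constructed sample requests ("METHOD PATH"), not real FortiOS logs or the
# CVE-2018-13379 request: plain, percent-, double-encoded and backslash '..'.
SAMPLE_REQUESTS = [
    "GET /remote/login",
    "GET /remote/../../etc/passwd",
    "GET /remote/%2e%2e/%2e%2e/etc/passwd",
    "GET /remote/%252e%252e/%252e%252e/etc/passwd",
    "GET /remote/..\\..\\etc\\passwd",
    "GET /files/a.txt?name=../../secret",
]

def normalize_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats double encoding), then fold
    backslashes to '/' and collapse runs of slashes."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/+", "/", path.replace("\\", "/"))

def escapes_root(path: str) -> bool:
    """True if a '..' segment ever climbs above the virtual root.
    '/a/../b' resolves inside the root and is not flagged."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def flag_traversal(lines):
    """Return the request lines whose path or query values escape the root."""
    hits = []
    for line in lines:
        target = line.split(" ", 1)[-1]          # drop the method token
        path, _, query = normalize_path(target).partition("?")
        values = [v for v in re.split(r"[&=]", query) if v]
        if escapes_root(path) or any(escapes_root(v) for v in values):
            hits.append(line)
    return hits
```

Running `flag_traversal(SAMPLE_REQUESTS)` returns every sample except the benign login request; the depth-tracking check keeps ordinary in-root uses of “..” from producing false positives.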