Unknown hackers publish data of 50,000 Fortinet VPN users

Recently, a malicious actor published a list of credentials for nearly 50,000 Fortinet Inc. VPN users. According to reports, a known vulnerability in the VPN led to the data breach. The list of vulnerable targets includes high street banks, telecoms, and government organizations around the world.

The 6-7 gigabyte compressed database is offered on a popular hacking forum and is claimed to be “the most complete archive containing all exploit links and sslvpn websession files with username and passwords.”

The “sslvpn_websession” files are obtained by exploiting the FortiOS vulnerability CVE-2018-13379, which allows attackers to collect sensitive data from Fortinet VPNs. Although the files contain session-related information, they may also reveal the usernames and passwords of Fortinet VPN users.

Today, threat intelligence analyst Bank_Security found, on a hacker forum, a data dump containing “sslvpn_websession” files for every IP address on the list. These files reveal usernames, passwords, access levels and the original unmasked IP addresses of users connecting to the VPNs.

The critical path traversal vulnerability, CVE-2018-13379, was publicly disclosed last year. Since then, the company has repeatedly alerted its customers to the vulnerability and urged them to apply the patch.

A Fortinet spokesperson said:

“The security of our customers is our first priority. In May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 strongly recommending an upgrade.”

Despite these measures, the critical bug has been extensively exploited because many users have not applied the patch. This is the same flaw that attackers leveraged to break into US government election support systems.

“In the last week, we have communicated with all customers notifying them again of the vulnerability and steps to mitigate. While we cannot confirm that the attack vectors for this group took place via this vulnerability, we continue to urge customers to implement the upgrade and mitigations. To get more information, please visit our updated blog and immediately refer to the May 2019 [PSIRT] advisory,” concluded Fortinet.

Network administrators and security professionals are therefore strongly advised to patch this severe vulnerability immediately. Users should also change their passwords immediately, both on VPN devices and on any other sites where they use the same passwords.
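
For administrators checking whether a device was targeted, the sketch below scans web access logs for path traversal requests that reference the “sslvpn_websession” file. It is an added example, not part of the original report or of Fortinet's guidance; the combined log format, the request paths and the IP addresses are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

TARGET = "sslvpn_websession"           # file name taken from the article
TRAVERSAL = re.compile(r"\.\.[/\\]")   # "../" or "..\" after decoding
# Assumed log layout: Apache/nginx combined log format.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines; paths and addresses are illustrative only.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2020:10:01:02 +0000] "GET /example/page?file=../../../sslvpn_websession HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Dec/2020:10:04:40 +0000] "GET /example/page?file=%252e%252e%252f%252e%252e%252fsslvpn_websession HTTP/1.1" 404 312',
    '192.0.2.44 - - [01/Dec/2020:10:05:13 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Dec/2020:10:06:55 +0000] "GET /example/page?file=..%2F..%2FSSLVPN_WEBSESSION HTTP/1.1" 200 4096',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded traversal is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (source_ip, verdict) for a suspicious request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    path = fully_decode(m["path"]).lower()
    if TARGET not in path:
        return None
    if not TRAVERSAL.search(path):
        return m["ip"], "probe"            # file named, no traversal
    # A 200 response means the server answered the traversal request.
    return m["ip"], "served" if m["status"] == "200" else "attempt"

def triage(lines):
    """Count suspicious requests per (source_ip, verdict)."""
    hits = Counter(filter(None, map(classify, lines)))
    return dict(hits)

if __name__ == "__main__":
    for (ip, verdict), count in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict:8} {count}")
```

Any `served` hit is a reason to treat the passwords on that device as exposed and rotate them, in line with the advice above.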