A threat actor has leaked a list of nearly 500,000 Fortinet VPN login names and passwords, scraped last summer from exploitable devices. Although the Fortinet vulnerability used to collect them has since been patched, the threat actor claims that many of the VPN passwords are still valid. The list was later associated with 87,000 SSL-VPN devices.
This leak could let threat actors gain access to a network, exfiltrate data, install malware and carry out ransomware attacks.
The company said in a statement on Wednesday: "These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor's scan. If the passwords were not reset, they remain vulnerable."
CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.
The threat actor, known as "Orange", is the administrator of the newly established RAMP hacking forum and a former operator of the Babuk ransomware operation, and has released the list of Fortinet passwords free of charge.
The threat actor created a post on the RAMP forum linking to a file containing hundreds of Fortinet VPN accounts. A post was also published on the Groove ransomware data leak site, which likewise promotes the Fortinet VPN leak.
Researchers stated that the list includes access to top firms in 74 countries, including India, Taiwan, Italy, France and Israel; US companies account for 2,956 of the 22,500 victims.
Earlier this year, intelligence agencies in Australia, the UK and the US compiled a list of the most exploited flaws of 2020, and CVE-2018-13379 was among them.
The bug was fixed in May 2019, but threat actors continued to deploy an array of malware payloads on unpatched devices, prompting a series of advisories in August 2019, July 2020 and April 2021.
Fortinet recommends that companies deactivate all of their VPNs, upgrade devices to FortiOS 5.4.13, 5.6.14, 6.0.11 or 6.2.8, and then reset passwords across the organization. It warned: "The credentials of your users have been compromised, so you may remain vulnerable post-upgrade."
Fortinet recommends that users take the following actions to protect against credential stuffing attacks:
- Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.
- Immediately upgrade affected devices to the latest available release, as detailed below.
- Treat all credentials as potentially compromised by performing an organization-wide password reset.
- Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
- Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.
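As an added example (not from the article and not Fortinet's own tooling), the following Python script checks an inventory of FortiOS version strings against the fixed releases the article lists and groups hosts by whether they still need the upgrade and password reset; the hostnames, version strings and inventory format are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum FortiOS releases carrying the fix, per branch, as listed in the article.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from strings such as '6.0.9' or 'v6.0.9,build0303'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess_fortios_version(text: str) -> str:
    """Classify a version as 'patched', 'vulnerable', 'unknown-branch' or 'unparseable'."""
    version = parse_fortios_version(text)
    if version is None:
        return "unparseable"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Branches the article does not list (e.g. 6.4) cannot be judged from its data.
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so vulnerable devices can be prioritised."""
    groups: Dict[str, List[str]] = {}
    for host, ver in inventory.items():
        groups.setdefault(assess_fortios_version(ver), []).append(host)
    return groups


# Constructed sample inventory (hypothetical hostnames and versions, not from the article).
SAMPLE_INVENTORY = {
    "fw-branch-01": "v6.0.9,build0303",  # below 6.0.11 -> vulnerable
    "fw-branch-02": "6.2.8",             # exactly the fixed release -> patched
    "fw-dc-01": "5.4.12",                # below 5.4.13 -> vulnerable
    "fw-lab-01": "6.4.2",                # branch not listed in the article
    "fw-bad": "n/a",                     # no version string at all
}

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(sorted(hosts))}")
```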