A threat hacker group named “Pumpedkicks” has leaked credentials for 50,000 Fortinet VPN devices that impact 140 countries around the world. Check out Securin’s analysis and recommendations for this vulnerability.
This breach was noticed five days ago by Bank Security, which tweeted that 49,577 IPs are vulnerable to the Fortinet SSL VPN vulnerability CVE-2018-13379. The threat actors have also posted one-line exploits that could be used on CVE-2018-13379 to steal VPN credentials from these devices.
This vulnerability exists in Fortinet with an improper limitation of a path name to a restricted directory (“Path Traversal”) issue, and it affects FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12. Under the SSL VPN web portal, it allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. The NVD has rated this vulnerability with a CVSS V3 Score of 9.8 marked as critical severity.
Securin’s researchers analyzed and found the following information about this vulnerability:
| CVE ID | Exploits | APT Group | Mitigation |
|---|---|---|---|
| CVE-2018-13379 | Web App | APT5 |
CISA and the FBI issued a warning last month underlining attacks on the US government’s local, tribal, and territorial networks in which attackers merge VPN and Windows vulnerabilities.
This breach affects many large enterprises, financial institutions, and government organizations worldwide. The USA tops the list of countries with more than 10,000 vulnerable devices, followed by China and Japan.
The following is the list of affected countries and the count of vulnerable devices.
Users of these devices are advised to change their credentials and passwords. What makes this breach critical is the fact that even if Fortinet were to release a patch for this vulnerability today, the exposed credentials could be used by anyone to access these VPNs. Therefore, changing the password credentials is the first thing that organizations ought to do.
Impact of This Leak
This leak can enable an attacker to access the sslvpn_websession files from Fortinet VPNs to steal login credentials, which could then compromise a network to deploy malware.
For over a year, Fortinet has urged its customers to patch their systems, which has been ignored. Multiple security agencies have issued alerts about this vulnerability. Yet, we have 50,000+ vulnerable devices around the world, which highlights bad patch management and a lack of cyber hygiene in organizations.
The following are our recommendations for network administrators and security professionals:
- Check out Fortinet’s security advisory here and upgrade the devices.
- Changing password credentials is critical.
- Implementing multi-factor authentication for passwords is essential.