Fortinet Data Leak Exposes VPN Credentials of 50,000 Users

Back on November 19, 2020, a hacker going by the name “pumpedkicks” posted the credentials of approximately 50,000 Fortinet VPN users. According to Bleeping Computer, the targets on the list include telecom companies, high street banks, and government organizations.

What the hacker actually posted was a list of one-line exploit links for CVE-2018-13379, one per vulnerable device IP. Silicon Angle reports that this list was then used to pull the credentials from the exposed devices and publish them as a separate database, in an attempt to squeeze further value out of the leaked data.

All 50,000 credentials are housed in a 6.7-gigabyte uncompressed database. The database, offered on a number of hacking forums, is the work of a user going by “arendee2018,” who describes it as “the most complete archive containing all exploit links and sslvpn websession files with username and passwords.”


Bleeping Computer notes that the sslvpn_websession file recovered from each IP on the list contains not only usernames, passwords, and access levels, but also the unmasked, original IP addresses of the Fortinet VPN users.

Prior to this incident, Silicon Angle reports, the vulnerability classified as CVE-2018-13379 was first discovered in August 2018 by security researchers in Taiwan. It is described as a “path traversal vulnerability in the FortiOS SSL VPN web portal that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTPS resource requests.” In practice that means no login is needed: a single crafted request to the portal returns the session file holding other users’ usernames and passwords.

Silicon Angle notes that Fortinet issued a patch for the flaw in May 2019, and that the company reminded customers to update their systems in August of the same year and again in July 2020.

The July 2020 reminder followed Fortinet’s acknowledgement that several threat groups were exploiting the vulnerability in its products to target COVID-19 vaccine research in the United States, United Kingdom, and Canada, Bank Info Security reports.

Because the leaked files contain working usernames and passwords, the exposure leaves thousands of users at risk not only of credential stuffing against other services, but also of account takeover on the VPN itself. As Balbix Inc. chief technology officer Vinay Sridhara told Silicon Angle, these attacks remain possible even if the vulnerability has been patched time and again. The reason is simple: patching closes the path traversal but does nothing to invalidate credentials that have already been copied, so every exposed account needs a password reset before it can be considered safe.

Following the data leak, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a warning urging Fortinet users and customers to apply the available patches and fixes. CISA also urged users to review their logs for any malicious or suspicious activity.
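As an added illustration of both the mechanism described above (an unauthenticated request to the SSL VPN portal that traverses out of the language directory to the session file) and the log review CISA recommended, here is a small Python checker. It is not code from the article, from Fortinet, or from any of the sources cited. The access-log format, the sample log lines, and the function names are assumptions made for the example; the endpoint and parameter it watches (`/remote/fgt_lang`, `lang=`) are the ones named in public reporting on CVE-2018-13379, and the file name is the one the article cites. The allowlist validator at the end shows the generic way such a parameter should be checked before it touches the filesystem; it is not Fortinet’s actual patch.

```python
"""Flag CVE-2018-13379-style path-traversal requests against the FortiOS SSL VPN
portal in a web-access log.  Added example: log format, sample data, and helper
names are assumptions, not Fortinet code or real device output."""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in public reporting on CVE-2018-13379; the target
# file is the session file the article describes (usernames, passwords, IPs).
VULNERABLE_PATH = "/remote/fgt_lang"
TARGET_FILE = "sslvpn_websession"

# Constructed sample log (not real data). Assumed format:
# "<client_ip> <method> <request> <status>"
SAMPLE_LOG = """\
203.0.113.7 GET /remote/login?lang=en 200
203.0.113.7 GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 200
198.51.100.23 GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession 200
192.0.2.9 GET /remote/fgt_lang?lang=fr 200
192.0.2.9 GET /remote/fgt_lang?lang=..%252f..%252fdev%252fcmdb%252fsslvpn_websession 404
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<request>\S+) (?P<status>\d{3})$")
DOTDOT_RE = re.compile(r"(^|/)\.\.(/|$)")
# Assumed allowlist for a language code such as "en" or "en-US".
LANG_ALLOWLIST = re.compile(r"^[a-z]{2}(?:-[A-Za-z]{2})?$")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until the string stops changing (defeats double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(lang_value: str) -> bool:
    """True if the decoded lang parameter escapes the language directory or names
    the session file directly."""
    decoded = fully_decode(lang_value).replace("\\", "/")
    return bool(DOTDOT_RE.search(decoded)) or TARGET_FILE in decoded


def classify_request(request: str) -> Optional[dict]:
    """Return a finding for a request to the vulnerable endpoint with a traversal
    payload in lang=, else None."""
    parts = urlsplit(request)
    if parts.path.lower() != VULNERABLE_PATH:
        return None
    # parse_qs decodes one layer; fully_decode handles anything left over.
    for lang in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        if is_traversal(lang):
            return {"decoded_lang": fully_decode(lang)}
    return None


def scan_log(text: str) -> List[dict]:
    """Scan an access log and return one finding per exploit attempt. A 200 on the
    traversal means the appliance served the file: treat those credentials as
    exposed, not merely 'attempted'."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format
        hit = classify_request(m["request"])
        if hit is None:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "decoded_lang": hit["decoded_lang"],
            "status": status,
            "likely_exfiltrated": status == 200,
        })
    return findings


def lang_is_valid(lang_value: str) -> bool:
    """Allowlist check a hardened portal would apply before using lang= in a file
    path (generic pattern, assumed; not Fortinet's actual fix)."""
    return bool(LANG_ALLOWLIST.match(fully_decode(lang_value)))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the scanner reports three attempts from three source IPs, two of which returned 200 and so should be treated as successful reads of the session file; the double-encoded attempt is still caught because the parameter is decoded until it stops changing. The allowlist rejects every one of those payloads while accepting ordinary language codes, which is the property the path-traversal fix needs.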
