Critical Infrastructure Security , Cybercrime , Fraud Management & Cybercrime
CISA Warns of Password Leak on Vulnerable Fortinet VPNsAgency Says Hackers Can Use a Known Bug for Further Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency is warning about a password leak that could affect vulnerable Fortinet VPNs, which could lead to possible further exploitation.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The agency's latest alert, issued Friday, came a few days after security researchers reported that threat actors are claiming to have published the leaked passwords on underground forums.
While CISA stopped short of confirming the authenticity of the password leak, the agency is urging users of Fortinet gear to check with the company about patches and fixes and to review logs to check for suspicious activity.
"Fortinet has released a security advisory to highlight mitigation of this vulnerability," according to the notification. "CISA encourages users and administrators to review the advisory and apply the necessary updates immediately. Additionally, CISA recommends Fortinet users conduct a thorough review of logs on any connected networks to detect any additional threat actor activity."
CISA notes that attackers may try to take advantage of a longstanding vulnerability in the FortiOS system files dubbed CVE 2018-13379, which could lead to further exploitation. Fortinet has been urging its users to patch for this flaw since it was first discovered by researchers in 2019.
"Note that code to exploit this vulnerability in order to obtain the credentials of logged in SSL VPN users was disclosed. In absence of upgrading to the versions listed above, mitigating the impact of this exploit can be done by enabling two-factor authentication for SSL VPN users," according to the Fortinet alert. "An attacker would then not be able to use stolen credentials to impersonate SSL VPN users."
Earlier this month, a security researcher who goes by the handle Bank_Security noted on Twitter that threat actors appear to have posted clear text credentials associated with Fortinet IPs that are vulnerable to CVE-2018-13379. This bug is a pathname vulnerability that can allow hackers to download system files from the affected systems.
BREAKING: Threat Actor "arendee2018" shared the plaintext credentials related to the same Fortinet Vulnerable IPs list. https://t.co/F4o9xzjGJ4 pic.twitter.com/YYWpI1NUaC— Bank Security (@Bank_Security) November 24, 2020
Bank_Security first tweeted about the exposed Fortinet passwords on Nov 19. In this tweet, the researcher noted that the leaked passwords belonged to 49,577 IPs associated with Fortinet SSL VPNs and were being sold by a hacker named "pumpedkicks."
Earlier this week, the researchers tweeted that another hacker, named "arendee2018," is also sharing the clear-text passwords. Bleeping Computer, which analyzed the data posted by the hackers, reported that the exposed information included Fortinet users' names, passwords and unmasked IPs of the virtual private networks.
The main concern is that, if the Fortinet VPNs are not patched against the vulnerabilities, these credentials could allow an attacker to return and regain access to the VPN and the larger network.
This is similar to a warning CISA posted in April concerning vulnerable Pulse Secure VPNs. The agency noted that users of these VPNs need to update administrative passwords, even if patches were applied, because threat actors could use stolen credentials to reenter a network (see: CISA Warns Patched Pulse Secure VPNs Still Vulnerable).
In October, CISA warned that hackers are chaining vulnerabilities, including the Fortinet VPN bug, with the Zerologon Windows Server flaw to target local networks in the U.S. At the time, CISA said the hackers were using the tactics to gain access to election support systems within government networks, although no election data compromise was detected by the agency (see: Hackers Chaining 'Zerologon,' Other Vulnerabilities ).
In July, Fortinet acknowledged that Russian advanced persistent threat group APT29 was exploiting CVE-2018-13379 to steal information and intellectual property relating to the development and testing of COVID-19 vaccines from various organizations in Canada, the U.S. and the U.K.
"Exploitation of this vulnerability may allow an unauthenticated attacker to access FortiOS system files. Potentially affected devices may be located in the United States," according to the CISA notification issued Friday.
When the Fortinet vulnerability was first discovered in August 2019, security researchers at the Chicago-based threat intelligence firm Bad Packets warned that hackers have been hunting for SSL VPNs manufactured by Fortinet to steal passwords and other sensitive data, which was then used to gain full, remote access to organizations' networks (see: Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs).