Hey, guys! How y’all holding up? I’m back with some good stuff!
In today’s blog, we’re going to look at the warning issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about a password leak affecting exposed Fortinet SSL VPNs, which in turn could open the door to much bigger problems.
CISA issued the warning on 27th November 2020, a few days after security researchers reported that threat actors were claiming to have published the leaked passwords on dark web forums.
While CISA isn’t confirming the authenticity of the leaked passwords, the agency is urging Fortinet customers to check with the company for patches and fixes right away, and to go through their logs for any suspicious activity.
According to the warning given by CISA,
“Fortinet has released a security advisory to highlight mitigation of this vulnerability. CISA encourages users and administrators to review the advisory and apply the necessary updates immediately. Additionally, CISA recommends Fortinet users conduct a thorough review of logs on any connected networks to detect any additional threat actor activity.”
CISA also points out that threat actors may use this opportunity to exploit a long-standing critical flaw in the FortiOS SSL VPN web portal, tracked as CVE-2018-13379, which could lead to further compromise. Fortinet has been urging its customers to patch this critical vulnerability since 2019, when it was first disclosed by researchers (the fix shipped in FortiOS 5.4.13, 5.6.8 and 6.0.5).
This is an excerpt of Fortinet’s alert:
“Note that code to exploit this vulnerability in order to obtain the credentials of logged in SSL VPN users was disclosed. In absence of upgrading to the versions listed above, mitigating the impact of this exploit can be done by enabling two-factor authentication for SSL VPN users. An attacker would then not be able to use stolen credentials to impersonate SSL VPN users.”
A closer look at the leaked passwords
Last month, a security researcher who goes by Bank_Security tweeted that threat actors appeared to have posted clear-text credentials associated with Fortinet IP addresses vulnerable to CVE-2018-13379. This flaw is a path traversal vulnerability in the SSL VPN web portal that lets an unauthenticated attacker download system files from an affected device, including the file that holds the plaintext credentials of logged-in VPN users.
In their first tweet about the exposed Fortinet credentials, on 19th November 2020, Bank_Security said the leaked passwords belonged to 49,577 IP addresses linked to Fortinet SSL VPNs and were being sold by a hacker named “pumpedkicks”.
Figure 1: Hacker “pumpedkicks” announcement about the 49,577 leaked passwords
Figure 2: Clear-text passwords
Late last month, the researcher tweeted again that the leaked passwords were being shared in clear text. The only difference this time was that the poster was another hacker, who goes by “arendee2018”. When Bleeping Computer analyzed the data posted by the threat actors, they found it included Fortinet VPN usernames, passwords and the unmasked IP addresses of the VPN devices.
Figure 3: Announcement made by hacker “arendee2018”
So, what’s the way out?
Apply the patches against the vulnerabilities, change your passwords, and turn on two-factor authentication for SSL VPN users!
Do it in that order: rotating passwords on a device that is still unpatched just hands the attacker the new password, because the same flaw lets them download the credentials again. If Fortinet VPNs stay unpatched, these leaked credentials really do open a can of worms, because attackers can not only get into the VPN and the wider network behind it, but can keep coming back whenever they like for as long as the credentials remain valid.
The CISA warning is similar to the one the agency pushed out in April 2020 about vulnerable Pulse Secure VPNs. There, CISA advised that even after patches have been applied, administrators need to change their passwords, because a threat actor holding stolen credentials can simply log back in and regain a foothold on the network.
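CISA’s advice boils down to “review your logs”, so here is what that review can look like in practice. This is an added example and not code from the original post, CISA or Fortinet. It assumes you have HTTP request logs in Common Log Format from a reverse proxy, IDS or packet capture sitting in front of the SSL VPN portal (the FortiGate itself may not log the request this way); the log lines are constructed for the example. The request pattern it looks for is the publicly known CVE-2018-13379 exploitation path: the `/remote/fgt_lang` handler with a `lang` parameter that traverses up to `/dev/cmdb/sslvpn_websession`. It also normalises URL encoding (including double encoding) and repeated slashes, which attackers vary to dodge naive string matching, and it separates attempts that got a 404 from ones that returned a 200 with a body, which means the credentials likely left the box and must be rotated.

```python
"""Flag CVE-2018-13379 exploitation attempts in HTTP request logs.

Added example, not part of the original post. Assumptions:
- Logs are Common Log Format from a proxy/IDS in front of the VPN portal.
- SAMPLE_LOG below is constructed test data, not real traffic.
"""
import re
from urllib.parse import unquote

# Handler abused by the public exploit, and the files it is used to fetch.
HANDLER = "/remote/fgt_lang"
SENSITIVE = ("sslvpn_websession", "/dev/cmdb", "/etc/passwd")

# Common Log Format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize(path):
    """Undo single and double URL encoding, then collapse runs of slashes
    so that '/../../..//////dev' and '%2F..%2F..' compare the same way."""
    p = unquote(unquote(path))
    return re.sub(r"/+", "/", p)


def is_traversal_attempt(path):
    """True if the request targets fgt_lang with a traversing or sensitive
    'lang' value. A legitimate 'lang=en' style request is not flagged."""
    p = normalize(path)
    if not p.lower().startswith(HANDLER):
        return False
    m = re.search(r"lang=([^&]*)", p, re.IGNORECASE)
    if not m:
        return False
    lang = m.group(1)
    return "../" in lang or any(s in lang for s in SENSITIVE)


def scan(lines):
    """Return one dict per suspicious request. A 200 with a non-empty body
    is classed LIKELY_SUCCESS (credential file probably served); anything
    else is an ATTEMPT that is still worth tracing back to the source IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal_attempt(m.group("path")):
            continue
        status = int(m.group("status"))
        size = m.group("size")
        body = int(size) if size.isdigit() else 0
        severity = "LIKELY_SUCCESS" if status == 200 and body > 0 else "ATTEMPT"
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                     "path": m.group("path"), "severity": severity})
    return hits


# Constructed sample: two benign portal requests, one plain exploit request,
# one URL-encoded attempt against a patched host (404), one slash-padded hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Nov/2020:10:02:11 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Nov/2020:10:02:13 +0000] "GET /remote/fgt_lang?lang=/../../../../../../../../dev/cmdb/sslvpn_websession HTTP/1.1" 200 13240',
    '198.51.100.22 - - [20/Nov/2020:01:15:40 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 404 0',
    '198.51.100.22 - - [20/Nov/2020:01:15:41 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpnd HTTP/1.1" 200 2048',
    '192.0.2.9 - - [20/Nov/2020:09:00:00 +0000] "GET /remote/fgt_lang?lang=fr HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["severity"]:15} {hit["ip"]:15} {hit["ts"]}  {hit["path"]}')
```

Run it over your real proxy or IDS logs instead of `SAMPLE_LOG`; any `LIKELY_SUCCESS` hit means you should treat every account that had an SSL VPN session on that device as compromised, patch, then rotate those credentials and enable two-factor authentication as Fortinet’s advisory recommends.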
If you want to know more, feel free to have a look at the blog I’ve written about Fortinet and its most popular vulnerabilities among threat actors, titled “VPN and remote access tools widen the enterprise attack surface” back in April 2020.
That’s it for today’s blog, y’all! Feel free to drop comments and share this blog if you found it useful.
Stay safe and stay tuned.
Until next time, friends!