A hacker published a list of 50,000 credentials stolen from vulnerable Fortinet SSL VPNs. The data leak contained a list of one-line exploits for Fortinet’s FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 bug. The vulnerability allows an attacker to steal VPN credentials from the SSL VPN web portal. The latest breach is considered “the most complete sslvpn websession exploit” with both usernames and passwords. A hacker named “pumpedkicks” was suspected of stealing the data on November 19.
Data exposed in Fortinet’s VPN credentials data leak
The data leak exposed details including usernames, passwords, unmasked IPs of organizations, including banks, telecoms, and government agencies. The data leak also included compromised devices’ session-related information.
Coincidentally, Bank_Security, a threat intelligence analyst, discovered another data leak containing a dump of the “sslvpn_websession” files for every IP exposed in the initial exploit.
That data leak contained usernames, passwords, access levels, for example, “full-access,” alongside the original unmasked IP addresses of users connected to the compromised VPN servers.
The subsequent data leak widely shared on hacking forums and chats originated from a threat actor named “arendee2018.” It had 7 GB of decompressed data, which was stored in a 36 MB RAR archive. Additionally, it had a separate list marked “Pak” exclusively containing VPN credentials for the leaked Pakistan IP addresses.
The exposure of the vulnerable Fortinet VPNs credentials leaves the users at the risk of credential stuffing attacks and subsequent account takeover (ATO) exploits.
Consequently, users whose VPN credentials were leaked should reset their online accounts that shared login credentials with the compromised VPNs.
Details of the Fortinet VPN vulnerability exploited by the attackers
The data leak originated from a path traversal vulnerability in the FortiOS SSL VPN web portal (CVE-2018-13379). The bug allows “an unauthenticated attacker to download FortiOS system files through special HTTP resource requests.”
Fortinet had issued a PSIRT alert in May 2019 advising its customers to patch their FortiOS instances since the path traversal vulnerability was discovered by Taiwan researchers in 2018. Additionally, Fortinet had advised its customers to upgrade their systems in several blog posts dated May and July 2020.
The tech firm also warned that advanced persistent threat actors (APT) such as APT 29 or Cozy Bear were using Fortinet’s FortiOS VPN vulnerability to target COVID-19 research in Canada, Britain, and the United States.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS-CISA) also issued an alert warning that threat actors combined Fortinet VPN and Zerologon vulnerabilities to compromise federal, state, local, tribal and territorial (SLTT) government networks.
The path transversal bug is among many faults plaguing Fortinet VPN devices. SAM Seamless Network researchers found that 200,000 Fortinet VPN devices had default settings, leaving them vulnerable to man-in-the-middle (MiTM) attacks. They found that the attackers could spoof the SSL certificates and redirect traffic to a compromised server and harvest their VPN credentials.
The bug exists because Fortigate SSL VPN is not adequately protected under the default configuration because of an SSL verification vulnerability. The devices ship with a default certificate issued by Fortinet using the device serial number as the certificate’s name.
Additionally, the SSL client only verifies if the certificate was issued by Fortinet or any trusted Certificate Authority (CA). Attackers could therefore provide any valid Fortigate certificate issued for another router without raising any security warnings. Consequently, they could intercept traffic and collect data, including VPN credentials such as usernames and passwords.
Fortinet VPN credentials leak shows the importance of practicing healthy cyber hygiene, including the use of multifactor authentication, according to Balbix CTO Vinay Sridhara.
“In this incident, the exploitation of the specific CVE allowed an unauthenticated attacker to download system files through uniquely crafted HTTP resource requests. By using special elements such as ‘..’ and ‘/’ separators, attackers can get around the restricted location to access files or directories that are elsewhere on the system,” Sridhara says. “About 50,000 records belonging to banks, telecoms, and government organizations were exposed by this data leak, including session-related information and plain text usernames and passwords of Fortinet VPN users.”
Sridhara notes that even if the vulnerability was patched, the leaked VPN credentials are still at risk of being used for credential stuffing attacks.
“Organizations must verify that passwords are not compromised before they are activated and consistently check the status of passwords,” Sridhara continues. “Given that the amount of compromised credentials continues to grow, checking passwords against a dynamic database rather than a static list is critical.”
He advises organizations to “get visibility into password reuse” for critical accounts and force multifactor authentication for any account accessing sensitive data.