Hacker leaks credentials for 50,000 vulnerable Fortinet VPNs (Includes interview)

In November 2020, a hacker appears to have posted a list of one-line exploits for CVE-2018-13379, which can be used to steal Fortinet VPN credentials by extracting data from these devices. The incident was reported by Bleeping Computer.

The list of vulnerable targets includes IPs belonging to high street banks, telecoms, and government organizations from around the world. The files the exploits retrieve contain session-related information and, most importantly, may reveal plain text usernames and passwords of Fortinet VPN users. Because passwords are exposed in these files, even if the vulnerable Fortinet VPNs are later patched, anyone with access to the dump could reuse the credentials in credential stuffing attacks, or potentially to regain access to these VPNs.

Looking at the matter for Digital Journal is Dr. Vinay Sridhara, CTO of Balbix.

According to Sridhara: “This breach showcases the importance of establishing and maintaining basic cyber hygiene, including multifactor authentication (MFA). In this incident, the exploitation of the specific CVE allowed an unauthenticated attacker to download system files through uniquely crafted HTTP resource requests.”

Providing more detail about the attack, Sridhara says: “By using special elements such as ‘..’ and ‘/’ separators, attackers can get around the restricted location to access files or directories that are elsewhere on the system.”

In terms of the implications, Sridhara notes: “About 50,000 records belonging to banks, telecoms, and government organizations were exposed by this data leak, including session-related information and plain text usernames and passwords of Fortinet VPN users.”

Against this backdrop, Sridhara highlights the key issue: “What’s most concerning is that even if the vulnerability is patched, the credentials are still at risk for credential stuffing attacks.”

In terms of a best practice response, Sridhara recommends: “Strong password hygiene must be a top priority for every company and user. Organizations must verify that passwords are not compromised before they are activated and consistently check the status of passwords.”

The analyst adds what else users need to consider: “Given that the amount of compromised credentials continues to grow, checking passwords against a dynamic database rather than a static list is critical. Specifically, to defend against credential stuffing attacks, organizations must get visibility into password reuse in their organization, especially for critical accounts and must require multifactor authentication (MFA) to any account or application with access to sensitive data.”
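One way to implement the compromised-password check described above, as an added example that is not from the article, Balbix, or Fortinet. It assumes a breach service that answers a 5-character SHA-1 prefix query with `SUFFIX:COUNT` lines (the k-anonymity range format used by services such as Pwned Passwords); the service stand-in, accounts, and passwords below are constructed, and all function names are hypothetical.

```python
import hashlib
from typing import Callable

def sha1_hex(password: str) -> str:
    # SHA-1 is used only as the lookup key the range format expects, never for storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the breach corpus; only 5 hash chars leave the host."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def audit(accounts: dict[str, str], fetch_range: Callable[[str], str]) -> list[str]:
    """Usernames whose candidate password is already known to be compromised."""
    return sorted(u for u, pw in accounts.items() if breach_count(pw, fetch_range) > 0)

def make_constructed_service(corpus: dict[str, int]):
    """Constructed stand-in for the breach service; records every prefix it is asked for."""
    index, seen = {}, []
    for pw, n in corpus.items():
        d = sha1_hex(pw)
        index.setdefault(d[:5], []).append(f"{d[5:]}:{n}")
    def fetch_range(prefix: str) -> str:
        seen.append(prefix)
        return "\r\n".join(index.get(prefix, []))
    return fetch_range, seen

# Constructed sample data: a tiny breach corpus and passwords being set on accounts.
CONSTRUCTED_CORPUS = {"Winter2020!": 1523, "vpnuser123": 48}
CONSTRUCTED_ACCOUNTS = {"alice": "Winter2020!", "bob": "kX9#vTq2!mLw8zR", "carol": "vpnuser123"}

if __name__ == "__main__":
    fetch, seen = make_constructed_service(CONSTRUCTED_CORPUS)
    print("reset required:", audit(CONSTRUCTED_ACCOUNTS, fetch))
    print("prefixes sent to service:", seen)
```

In production the check runs where the plaintext is legitimately available, at password set or login time, and `fetch_range` is replaced by a call to the live service so the corpus stays current.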

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
