CISA Warns Of Password Leak On Vulnerable Fortinet VPNs

The U.S. Cybersecurity and Infrastructure Security Agency is warning about a password leak that could affect vulnerable Fortinet VPNs, which could lead to possible further exploitation, according to a notice published Friday by the agency.

See Also: Rapid Digitization and Risk: A Roundtable Preview

The agency’s latest alert comes a few days after security researchers reported that threat actors are claiming to have published the leaked passwords on various underground forums.

While CISA stopped short of confirming the authenticity of the password leak, the agency is urging users of Fortinet gear to check with the company about patches and fixes and to review logs to check for suspicious activity.

“Fortinet has released a security advisory to highlight mitigation of this vulnerability,” according to the notification. “CISA encourages users and administrators to review the advisory and apply the necessary updates immediately. Additionally, CISA recommends Fortinet users conduct a thorough review of logs on any connected networks to detect any additional threat actor activity.”

In this case, CISA notes that attackers may try to take advantage of a long-standing vulnerability in the FortiOS system files dubbed CVE 2018-13379, which could lead to further exploitation. Fortinet has been urging its users to patch for this flaw since it was first discovered by researchers in 2019.

“Note that code to exploit this vulnerability in order to obtain the credentials of logged in SSL VPN users was disclosed. In absence of upgrading to the versions listed above, mitigating the impact of this exploit can be done by enabling two-factor authentication for SSL VPN users,” according to the latest Fortinet alert. “An attacker would then not be able to use stolen credentials to impersonate SSL VPN users.”

Leaked Passwords

Earlier this month, a security researcher who goes by the handle Bank_Security, noted on Twitter that threat actors appear to have posted clear text credentials associated with Fortinet IPs that are vulnerable to CVE-2018-13379. This bug is a pathname vulnerability that can allow hackers to download system files from the affected systems.

BREAKING: Threat Actor “arendee2018” shared the plaintext credentials related to the same Fortinet Vulnerable IPs list. https://t.co/F4o9xzjGJ4 pic.twitter.com/YYWpI1NUaC

— Bank Security (@Bank_Security) November 24, 2020

Bank_Security first tweeted about the exposed Fortinet passwords on Nov 19. In this tweet, the researcher noted that the leaked passwords belonged to 49,577 IP associated with Fortinet SSL VPNs and were being sold by a hacker named “pumpedkicks.”

Earlier this week, the researchers tweeted that another hacker by the name “arendee2018” is also sharing the clear-text passwords. Bleeping Computer, which analyzed the data posted by the hackers, reported the exposed information included Fortinet users’ names, passwords and unmasked IPs of the virtual private networks.

The main concern is that if the Fortinet VPNs are not patched against the vulnerabilities, these credentials could allow an attacker to return and regain access to the VPN and the larger network.

This is similar to a warning CISA posted in April concerning vulnerable Pulse Secure VPNs. The agency noted that users of these VPNs also need to update administrative passwords even if patches were applied, as threat actors could use stolen credentials to re-enter a network (see: CISA Warns Patched Pulse Secure VPNs Still Vulnerable).

Other Concerns

In October, CISA warned that hackers are chaining vulnerabilities, including the Fortinet VPN bug, with the Zerologon Windows Server flaw to target local networks in the U.S. At the time, CISA said the hackers were using the tactics to gain access to election support systems within government networks, although no election data compromise was detected by the agency (see: Hackers Chaining ‘Zerologon,’ Other Vulnerabilities ).

In July, Fortinet acknowledged that Russian advanced persistent group APT29 was exploiting CVE-2018-13379 to steal information and intellectual property relating to the development and testing of COVID-19 vaccines from various organizations in Canada, the U.S. and U.K.

“Exploitation of this vulnerability may allow an unauthenticated attacker to access FortiOS system files. Potentially affected devices may be located in the United States,” according to the CISA notification issued Friday.

When the Fortinet vulnerability was first discovered In August 2019, security researchers with Chicago-based threat intelligence firm Bad Packets warned that hackers have been hunting for SSL VPNs manufactured by Fortinet to steal passwords and other sensitive data, which was then used to gain full, remote access to organizations’ networks (see: Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs).