Yesterday, it was announced that Fortinet discovered a breach, resulting in the disclosure of almost 500,000 FortiGate SSL-VPN credentials from 87,000 FortiGate SSL-VPN devices. The attack vector was identified as systems left unpatched against CVE-2018-13379.
The threat actor is thought to be ‘Orange’, the administrator for the newly launched RAMP hacking forum, alleged representative of the new Groove ransomware operation and a previous operator for the Babuk Ransomware operation. The leak appears to be intended to promote the RAMP hacking forum and the Groove ransomware-as-a-service operation in an attempt to recruit possible ransomware operators.
The full list of compromised FortiGate SSL-VPN devices, extracted from the RAMP hacking forum, can be found here.
The credential leak was achieved by exploiting a path traversal vulnerability in the FortiOS SSL VPN, CVE-2018-13379 (Fortinet advisory FG-IR-18-384). The vulnerability allows an unauthenticated attacker to download FortiOS system files through a specially crafted HTTP resource request. A patch was released for this vulnerability in November 2019; however, if the account passwords have not been reset since, the disclosed accounts remain exposed.
It is unclear when the credentials were obtained; it is only known that they were harvested from systems that were scanned and exploited before the patch for CVE-2018-13379 had been applied. Even if your system is patched against this vulnerability today, if it was not patched promptly at the time of the original publication, it is possible that FortiGate SSL-VPN credentials were extracted.
Recommended actions:
- Upgrade to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above.
- Treat all credentials as potentially compromised and perform an organisation-wide password reset.
- Implement multi-factor authentication for SSL-VPN access.
FortiOS versions affected by CVE-2018-13379:
- FortiOS 6.0 - 6.0.0 to 6.0.4
- FortiOS 5.6 - 5.6.3 to 5.6.7
- FortiOS 5.4 - 5.4.6 to 5.4.12
- Other branches and versions are not impacted.
- A device is affected ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
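The following inventory-triage script is an added example, not code from the original advisory or from Fortinet: it encodes the affected version ranges, the SSL VPN enablement condition and the upgrade targets quoted above, and flags which devices in a constructed sample inventory should have their credentials treated as exposed. Hostnames and versions in the sample are made up.

```python
# Added example: triage a FortiGate inventory against the affected-version
# ranges and upgrade targets quoted in this advisory. Sample rows are
# constructed data, not real devices.

# Affected builds per branch, (first, last) inclusive, as listed above.
AFFECTED = {
    (6, 0): ((6, 0, 0), (6, 0, 4)),
    (5, 6): ((5, 6, 3), (5, 6, 7)),
    (5, 4): ((5, 4, 6), (5, 4, 12)),
}
# Minimum build the advisory recommends upgrading to, per branch.
RECOMMENDED_MIN = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}

def parse_version(text):
    """'6.0.4' -> (6, 0, 4); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(version, sslvpn_enabled):
    """True only if the build is in an affected range AND SSL VPN is enabled."""
    if not sslvpn_enabled:
        return False
    v = parse_version(version)
    rng = AFFECTED.get(v[:2])
    return rng is not None and rng[0] <= v <= rng[1]

def below_recommended(version):
    """True if older than the advisory's upgrade target for its branch.
    Branches the advisory does not list are not judged (False)."""
    v = parse_version(version)
    target = RECOMMENDED_MIN.get(v[:2])
    return target is not None and v < target

def triage(inventory):
    """inventory: iterable of (hostname, version, sslvpn_enabled).
    Returns {hostname: {"affected": bool, "below_recommended": bool}}."""
    return {host: {"affected": is_affected(ver, vpn),
                   "below_recommended": below_recommended(ver)}
            for host, ver, vpn in inventory}

# Constructed sample inventory (hostname, FortiOS version, SSL VPN enabled).
SAMPLE = [("vpn-01", "6.0.4", True), ("vpn-02", "6.0.4", False),
          ("vpn-03", "5.6.9", True), ("vpn-04", "6.2.8", True)]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result)
```

Devices with `affected` set should be treated as having leaked credentials (password reset and MFA), while `below_recommended` alone marks devices that still need the upgrade.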