A threat actor has published access credentials for 87,000 Fortinet VPN devices that were allegedly compromised using a two-year-old vulnerability.
Last week, around 500,000 FortiGate SSL-VPN device credentials were exposed online, giving anyone access to devices at enterprises in 74 countries throughout the world.
It is estimated that 22,500 entities are affected, with roughly 3,000 of them in the United States. Others can be found in France, India, Italy, Israel, and Taiwan, among other places.
According to Fortinet, the credentials were stolen from devices that were still vulnerable to CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web interface that has been exploited in real-world attacks.
Unauthenticated attackers could exploit the flaw by sending specially crafted HTTP requests to the SSL VPN web interface and downloading system files. Those FortiOS system files include the login credentials.
Fortinet also warned that devices that received the CVE-2018-13379 patch may remain vulnerable if the compromised passwords are not reset after the patch is fully applied.
“Fortinet is reaffirming that, even if you have upgraded your devices, you must execute the suggested user password reset upon upgrading, as per the customer support bulletin and other advisory information, if your organisation was operating any of the affected versions listed below at any point. Otherwise, if your users’ credentials were previously compromised, you may remain susceptible after the upgrade,” the business warned.
According to threat hunters tracking ransomware campaigns, the compromised credentials were uploaded online by a member of the Groove ransomware operation.
Owners of FortiGate SSL-VPN devices should upgrade to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, and reset their devices' passwords afterwards.
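The two actions above (upgrade, then reset credentials on any device that ever ran an affected release) are easy to lose track of across a fleet. The following inventory check is an added example, not Fortinet's code or tooling; it assumes that a device whose FortiOS version is below the fixed release named for its branch (5.4.13, 5.6.14, 6.0.11, 6.2.8) still needs the upgrade, and that any device that ever ran such a version needs a credential reset after upgrading, as the article states. The article does not list the lower bounds of the affected ranges, so the check is conservative: everything below the fixed release in a named branch is flagged, and branches the article does not name (for example 6.4) are reported as not covered. The inventory records are constructed sample data.

```python
"""Fleet check for the CVE-2018-13379 upgrade-and-reset guidance.

Added example (not Fortinet's code). Assumption: a version below the first
fixed release for its branch needs the upgrade, and a device that ever ran
such a version needs a credential reset after upgrading.
"""

# First fixed release per branch, taken from the article's upgrade guidance.
FIXED_RELEASES = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}


def parse_version(text):
    """Turn '6.0.4' into (6, 0, 4); reject anything that is not x.y.z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_upgrade(version):
    """True if below the fixed release for its branch, False if at or above it.

    Returns None for branches the article does not name (assumption: the
    check does not cover them, so the caller must decide separately).
    """
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def assess(device):
    """Return the actions still outstanding for one device record.

    device keys: 'name', 'version' (current), 'versions_ever_run' (history),
    'password_reset_done' (bool, reset performed after the last upgrade).
    """
    actions = []
    current = parse_version(device["version"])
    if needs_upgrade(current):
        actions.append("upgrade")
    # Article: reset is required if the device ran an affected version at any
    # point, even if it has since been upgraded. None (unknown branch) is
    # treated as not affected here, matching the conservative-but-explicit
    # assumption above.
    ever_affected = any(
        needs_upgrade(parse_version(v)) for v in device["versions_ever_run"]
    )
    if (needs_upgrade(current) or ever_affected) and not device["password_reset_done"]:
        actions.append("reset_credentials")
    return actions


# Constructed sample inventory (hypothetical hostnames and histories).
SAMPLE_INVENTORY = [
    {"name": "fw-branch-01", "version": "6.0.4",
     "versions_ever_run": ["6.0.4"], "password_reset_done": False},
    {"name": "fw-hq-01", "version": "6.2.8",
     "versions_ever_run": ["6.0.4", "6.2.8"], "password_reset_done": False},
    {"name": "fw-hq-02", "version": "6.0.11",
     "versions_ever_run": ["6.0.4", "6.0.11"], "password_reset_done": True},
    {"name": "fw-lab-01", "version": "6.2.9",
     "versions_ever_run": ["6.2.9"], "password_reset_done": False},
]


def run_inventory(inventory=SAMPLE_INVENTORY):
    """Map each device name to its outstanding actions."""
    return {d["name"]: assess(d) for d in inventory}


if __name__ == "__main__":
    for name, actions in run_inventory().items():
        print(f"{name}: {', '.join(actions) if actions else 'no action'}")
```

The important case is fw-hq-01: it is already on a fixed release, so a version-only scan would mark it clean, yet its history shows it ran an affected build and no reset has been recorded, so the credential reset is still flagged.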