26 November 2020

Hacker leaks usernames and passwords for nearly 50K vulnerable Fortinet VPN devices

As previously reported, a hacker published online a list of one-line exploits that could be used to steal VPN credentials from Fortinet VPN devices. The list contained 49,577 IPs vulnerable to Fortinet SSL VPN CVE-2018-13379, including domains belonging to large enterprises, financial institutions, and government organizations from all over the world. Now, a hacker has shared the credentials for nearly 50,000 vulnerable Fortinet VPN devices.

CVE-2018-13379 is a path traversal issue in the FortiOS SSL VPN web portal that allows a remote attacker to conduct a directory traversal attack and download arbitrary files from the FortiOS SSL VPN web portal, upload malicious files to unpatched systems, and take over Fortinet VPN servers.
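As an added illustration (not code from the original report), the following Python scan shows how a defender can flag requests in a web access log whose decoded path or query values contain dot-dot segments or resolve to the sslvpn_websession file name mentioned above; the log lines, addresses and paths are constructed samples, and the log format is assumed to be Apache-style combined log.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# File name taken from the article; a request whose normalised path resolves to
# it is suspicious no matter how the traversal was encoded.
SENSITIVE_BASENAMES = {"sslvpn_websession"}

# Assumed Apache-style access log line (constructed format for this example).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def fully_decode(value, rounds=3):
    """Undo percent-encoding repeatedly so double-encoded '%252e%252e' is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reasons(raw_target):
    """Return why a request target looks like a path traversal attempt ([] if clean)."""
    target = fully_decode(raw_target).replace("\\", "/")
    parts = urlsplit(target)
    # Check the path and every query value: traversal often rides in a parameter.
    values = [parts.path] + [kv.partition("=")[2] for kv in parts.query.split("&") if kv]
    reasons = []
    for value in values:
        if "../" in value or value.endswith("/..") or value == "..":
            reasons.append("dot-dot segment in %r" % value)
        resolved = posixpath.normpath("/" + value.lstrip("/"))  # collapse ../ and //
        if posixpath.basename(resolved) in SENSITIVE_BASENAMES:
            reasons.append("resolves to sensitive file %s" % resolved)
    return reasons


def scan_access_log(lines):
    """Return a list of (source_ip, target, reasons) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = traversal_reasons(m.group("target"))
        if reasons:
            hits.append((m.group("src"), m.group("target"), reasons))
    return hits


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Nov/2020:09:00:01 +0000] "GET /remote/login HTTP/1.1" 200 1523',
    '198.51.100.7 - - [26/Nov/2020:09:00:02 +0000] "GET /portal/..%2f..%2fsslvpn_websession HTTP/1.1" 200 7121',
    '198.51.100.7 - - [26/Nov/2020:09:00:03 +0000] "GET /page?file=%252e%252e%252f%252e%252e%252fetc/hosts HTTP/1.1" 404 210',
    '203.0.113.11 - - [26/Nov/2020:09:00:04 +0000] "GET /help?q=what..is.this HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for src, target, reasons in scan_access_log(SAMPLE_LOG):
        print(src, target, "; ".join(reasons))
```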

The leak was discovered by threat intelligence analyst Bank_Security, who unearthed a thread on a hacker forum where someone going by the moniker “arendee2018” posted a data dump containing "sslvpn_websession" files for every IP present on the list.

As per Bleeping Computer, the published dump is only a 36 MB RAR archive, but when decompressed it expands to over 7 GB. The files contain usernames, passwords, access levels, and the original unmasked IP addresses of users connected to the VPNs. The credentials are already spreading on various forums and chats, the researchers warn.

Analysis of the files revealed lists in the archive marked "pak" that separate out Pakistan-based VPN IPs and their corresponding "sslvpn_websession" files from the rest of the data set.

While the CVE-2018-13379 vulnerability was patched by the vendor more than a year ago, many organizations still remain vulnerable to this threat, opening the door to various APT groups. Last month, the FBI and CISA issued a joint alert warning of cyber attacks in which sophisticated hackers are combining VPN and Windows vulnerabilities.
