As previously reported, a hacker published online a list of one-line exploits that could be used to steal VPN credentials from Fortinet VPN devices. The list contained 49,577 IPs vulnerable to the Fortinet SSL VPN flaw CVE-2018-13379, including domains belonging to large enterprises, financial institutions, and government organizations from all over the world. Now, a hacker has shared the credentials for nearly 50,000 vulnerable Fortinet VPN devices.
CVE-2018-13379 is a path traversal issue in the FortiOS SSL VPN web portal, which allows a remote attacker to conduct a directory traversal attack and download arbitrary files from the FortiOS SSL VPN web portal, upload malicious files to unpatched systems, and take over Fortinet VPN servers.
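Because the flaw is exploited by requesting the "sslvpn_websession" file through a traversal sequence, a defender can look for exactly that pattern in web-portal access logs. The following is an added detection example, not code from the article or from Fortinet; the log format and the request paths are constructed placeholders, not the real endpoint.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Common Log Format access line (Apache/nginx default style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize_path(path: str) -> str:
    """Percent-decode up to three times (double encoding is common) and
    unify separators so traversal sequences are visible to the checks."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")

def classify_request(path: str, status: str) -> Optional[str]:
    """Return a severity label for one request, or None if it looks benign."""
    norm = normalize_path(path)
    traversal = "/../" in norm or norm.endswith("/..")
    session_file = "sslvpn_websession" in norm
    if session_file and status == "200":
        return "high"      # traversal that reached the session store and succeeded
    if session_file or traversal:
        return "medium"    # attempt, but no evidence the read succeeded
    return None

def scan_log(text: str) -> List[dict]:
    """Parse access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        severity = classify_request(m["path"], m["status"])
        if severity:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                             "status": m["status"], "severity": severity})
    return findings

# Constructed sample log lines (not from the article); "/PLACEHOLDER" stands
# in for the portal endpoint and is not the real path.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2020:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 512
203.0.113.7 - - [19/Nov/2020:10:01:05 +0000] "GET /PLACEHOLDER?f=/../../../sslvpn_websession HTTP/1.1" 200 40960
203.0.113.9 - - [19/Nov/2020:10:01:09 +0000] "GET /PLACEHOLDER?f=%252e%252e%2F%252e%252e%2Fetc%2Fhosts HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["path"])
```

A "high" finding with a 200 response is the case that warrants treating every session and credential on that device as compromised, not just patching.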
The leak was discovered by threat intelligence analyst Bank_Security, who unearthed a thread on a hacker forum where someone using the moniker “arendee2018” posted a data dump containing "sslvpn_websession" files for every IP on the list.
According to Bleeping Computer, the published dump is a 36 MB RAR archive that expands to over 7 GB when decompressed. The files contain usernames, passwords, access levels, and the original unmasked IP addresses of users connected to the VPNs. The credentials are already spreading across various forums and chats, the researchers warn.
Analysis of the files revealed lists in the archive marked "pak", which separate out Pakistan-based VPN IPs and their corresponding "sslvpn_websession" files from the rest of the data set.
Although the vendor patched CVE-2018-13379 more than a year ago, many organizations remain vulnerable to this threat, opening the door to various APT groups. Last month, the FBI and CISA issued a joint alert warning of cyberattacks in which sophisticated hackers combine VPN and Windows vulnerabilities.