A threat actor recently published 500,000 user credentials for over 80,000 Fortinet FortiGate SSL VPN devices. Here's what you need to know.
On September 8, 2021, Fortinet issued an advisory to customers regarding a threat actor who had leaked credentials for roughly 500,000 Fortinet VPN users. The credentials are believed to have been harvested in 2020 by exploiting an old Fortinet vulnerability, CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to read system files, including the session file that holds VPN usernames and passwords in plaintext, from devices that were unpatched at the time of the actor's scan. Fortinet is encouraging all organizations to perform a password reset following any upgrade, because patching alone does not invalidate credentials that were already stolen.
Quick facts: what you need to know now
- The threat actor obtained credentials from unpatched Fortinet devices.
- This is not a new vulnerability; it stems from an old one (CVE-2018-13379) that Fortinet resolved in May 2019.
- Threat actors can use the compromised credentials to authenticate to an environment through the VPN if passwords have not been reset, even on devices that have since been patched.
Next Steps for All Fortinet Customers:
Corvus encourages your organization to take the following steps to mitigate against potential attack:
- Ensure that Fortinet appliances are fully patched.
- Change VPN credentials if they have not been changed in the last three months. In addition, take the following precautions:
- Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
- Instruct users to change passwords on any other accounts where they reused their VPN password.
- Review authentication logs for unusual login activity, such as successful logins from unfamiliar source addresses or a burst of failed logins across many accounts followed by a success.
- If you find any suspicious activity, immediately disable remote access on the device and notify Corvus of a potential claim via firstname.lastname@example.org (Cyber policyholders) or email@example.com (Tech E&O policyholders). We will then connect you to counsel and a forensics firm to ensure your organization properly investigates, mitigates, and responds to the threat.
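As an added illustration of the log-review step (this is example code written for this page, not Corvus or Fortinet tooling), the script below parses FortiGate SSL VPN event logs in their key=value format and flags two patterns that fit abuse of a leaked credential list: a source address that fails against several different usernames and then gets a tunnel up within a few minutes, and successful logins from addresses outside a set the organization already recognizes. The sample log lines are constructed; the field names (`user`, `remip`, `action`, `tunneltype`) follow the FortiOS event-log schema, but the device name, usernames, addresses and the `known_ips` set are assumptions.

```python
"""Triage FortiGate SSL VPN event logs for credential-abuse patterns.

Added example for this page, not Corvus or Fortinet code. SAMPLE_LOGS is a
constructed set of lines in FortiOS key=value style; the device name, users
and IP addresses are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real device).
SAMPLE_LOGS = """\
date=2021-09-09 time=02:14:01 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.23 user="jdoe" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2021-09-09 time=02:14:03 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.23 user="asmith" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2021-09-09 time=02:14:05 devname="fgt-edge" type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.23 user="bwong" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2021-09-09 time=02:14:09 devname="fgt-edge" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.23 user="bwong" msg="SSL tunnel established"
date=2021-09-09 time=08:30:12 devname="fgt-edge" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.40 user="jdoe" msg="SSL tunnel established"
date=2021-09-09 time=08:41:55 devname="fgt-edge" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.40 user="asmith" msg="SSL tunnel established"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return a dict of the line's fields plus a parsed 'ts' datetime."""
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def parse_logs(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_spray_then_success(records, window=timedelta(minutes=5), min_failures=3):
    """Flag a source IP that fails against >= min_failures distinct users and then
    brings a tunnel up within `window`: the shape of stuffing a leaked credential list."""
    by_ip = defaultdict(list)
    for r in records:
        if r.get("subtype") == "vpn":
            by_ip[r["remip"]].append(r)
    hits = []
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        for i, ev in enumerate(events):
            if ev.get("action") != "tunnel-up":
                continue
            failed_users = {
                e["user"] for e in events[:i]
                if e.get("action") == "ssl-login-fail" and ev["ts"] - e["ts"] <= window
            }
            if len(failed_users) >= min_failures:
                hits.append({"remip": ip, "user": ev["user"], "ts": ev["ts"],
                             "failed_users": sorted(failed_users)})
    return hits


def find_new_source_ips(records, known_ips):
    """(user, remip) pairs for successful logins from addresses not in known_ips
    (known_ips is an assumed allow-list the organization maintains)."""
    return sorted({(r["user"], r["remip"]) for r in records
                   if r.get("action") == "tunnel-up" and r["remip"] not in known_ips})


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for hit in find_spray_then_success(recs):
        print(f"[spray->success] {hit['remip']} logged in as {hit['user']} at {hit['ts']} "
              f"after failing as {', '.join(hit['failed_users'])}")
    for user, ip in find_new_source_ips(recs, known_ips={"203.0.113.40"}):
        print(f"[unknown source] {user} from {ip}")
```

Run it against an export of the device's event log (`type="event" subtype="vpn"`) instead of `SAMPLE_LOGS`; any hit from the spray check is grounds for the "disable remote access and notify" step above, and the unknown-source check is only as good as the allow-list you feed it.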
If you have any questions, please reach out to the Risk + Response Team at firstname.lastname@example.org!