Network security solutions provider Fortinet also confirmed that a malicious actor had disclosed, without authorization, VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices.
"These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable,
On Wednesday 15 September 2021, the company confirmed that the attackers exploited FG-IR-18-384 / CVE-2018-13379: a path traversal weakness in Fortinet’s FortiOS that was discovered in 2018 and has been repeatedly and persistently exploited since then.
How to Protect Your VPN
You can check Fortinet’s advisory for a list of versions affected by the oft-exploited vulnerability that was at the heart of this credential scraping. Fortinet had the following recommendations for organizations that may have been running an affected version “at any time”:
Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.
1. Immediately upgrade affected devices to the latest available release, as detailed below.
a) Treat all credentials as potentially compromised by performing an organization-wide password reset.
b) Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
c) Notify users to explain the reason for the password reset and monitor services
d) There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks. Always change your passwords
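A triage for steps a) and b), as an added example that is not from Fortinet or the original article: it walks a VPN account export and lists which accounts still need a password reset or MFA enrollment. The CSV columns, device names, dates and the `triage` function are all constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export: one row per VPN account (column names are assumptions).
SAMPLE_EXPORT = """username,device,last_password_change,mfa_enabled
alice,fw-edge-01,2019-03-02,no
bob,fw-edge-01,2021-09-20,no
carol,fw-edge-02,2020-01-15,yes
dave,fw-edge-02,2021-10-01,yes
"""

# Constructed: the date each device was upgraded to a fixed release.
DEVICE_PATCHED_ON = {"fw-edge-01": date(2019, 6, 1), "fw-edge-02": date(2021, 9, 16)}
# Assumption: the organization-wide reset began on this date.
RESET_STARTED = date(2021, 9, 15)

def triage(export_text, patched_on, reset_started):
    """Return {username: [actions]} for accounts that still need work.

    A password counts as potentially compromised unless it was changed on or
    after both the device upgrade and the start of the organization-wide
    reset: patching alone does not invalidate credentials taken earlier.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        actions = []
        changed = date.fromisoformat(row["last_password_change"])
        patched = patched_on.get(row["device"])
        if patched is None:
            actions.append("device upgrade date unknown: verify firmware")
            cutoff = reset_started
        else:
            cutoff = max(patched, reset_started)
        if changed < cutoff:
            actions.append("reset password")
        if row["mfa_enabled"].strip().lower() != "yes":
            actions.append("enroll in MFA")
        if actions:
            findings[row["username"]] = actions
    return findings

if __name__ == "__main__":
    for user, actions in triage(SAMPLE_EXPORT, DEVICE_PATCHED_ON, RESET_STARTED).items():
        print(f"{user}: {', '.join(actions)}")
```

Accounts on a device with no recorded upgrade date are flagged for a firmware check rather than silently passed.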