VPN account passwords from 87,000 Fortinet FortiGate devices leaked
A malicious actor disclosed, without authorization, VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices, network security solutions provider Fortinet confirmed. The company statement reportedly said, "These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable."
After the threat actor leaked a list of Fortinet credentials for free on RAMP, a new Russian-speaking forum that launched in July 2021, and on Groove ransomware's data leak site, Advanced Intel noted that the "breach list contains raw access to top companies" spanning 74 countries, including India, Taiwan, Italy, France, and Israel, and that "2,959 out of the 22,500 victims are US entities."
A path traversal vulnerability in the FortiOS SSL VPN web portal, CVE-2018-13379, allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.
Although Fortinet fixed the bug in May 2019, the weakness has been repeatedly exploited by multiple adversaries to deploy an array of malicious payloads on unpatched devices, prompting Fortinet to issue a series of advisories in August 2019, July 2020, April 2021, and again in June 2021, urging customers to upgrade affected appliances.
CVE-2018-13379 also emerged as one of the most exploited flaws of 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.