Yusuf On SecuritySecurity news, opinion and advice

Malicious Actor Discloses FortiGate SSL-VPN Credentials

This is a very serious leak as VPN (Virtual Private Network) username and passwords could undoubtedly allow the bad actors to access a network to perform all manner of activities including stealing date (data exfiltration), install hidden malware or perform ransomware attacks to extort money.

Although the exploit relates to an already patched loop-whole,  you should assume that many of the listed credentials are valid and take action. These actions should include:

  • Disabling all SSL VPN accounts for now and until you carry the follow other mitigation actionos
  • You will need to ensure that your appliances are up to date by upgrading to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above. More details are here.
  • Performing a forced reset of all your SSL VPN users passwords to be safe
  • Check your logs for possible intrusions. It is also not a bad idea to activate a dedicated threat hunting exercise or playbooks to dig a bit starting with remote access activities -your EDR/XDR tools should help you greatly.
  • Verify whether you device(s) are part of the leak, security researcher Cypher has created a list of the leaked device’s IP addressees.
  • It is time to really heed the need for Multi-Factor Authentication!

There are few reasons as to why you would delay patching a critical system as a VPN system for two years but there is little excuse and speaks volume of a lack of due diligence on the part of the system Administrator and Security in particular. Multiple cybersecurity agencies gave a heads up that Fortinet devices are a magnet if not their go-to entry points for ransomware actors and cyber-espionage groups alike.

Author
Yusuf
Join the discussion

Further reading

What will it take?

A great piece on what it will take to improve the safety of the connected world. Read it here.

Extended detection and response (XDR)

Extended detection and response (XDR) captures threat data from previously isolated security tools throughout the organizations tech stack to enable...

Log4j Vulnerabilities

Towards the end of November, a researcher from Alibaba discovered a fault (CVE-2021-44228) in a well known open-source logging library called...

Recent podcasts