This is a very serious leak: VPN (Virtual Private Network) usernames and passwords would undoubtedly allow bad actors to access a network and perform all manner of activities, including stealing data (data exfiltration), installing hidden malware, or carrying out ransomware attacks to extort money.
Although the exploit relates to an already patched loophole, you should assume that many of the listed credentials are still valid and take action. These actions should include:
- Disabling all SSL VPN accounts for now, until you have carried out the other mitigation actions below
- Ensuring that your appliances are up to date by upgrading to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above. More details are here.
- Performing a forced reset of all your SSL VPN users' passwords, to be safe
- Checking your logs for possible intrusions. It is also not a bad idea to run a dedicated threat hunting exercise or playbook, starting with remote access activity; your EDR/XDR tools should help you greatly here.
- Verifying whether your device(s) are part of the leak; security researcher Cypher has created a list of the leaked devices' IP addresses.
- It is time to really heed the need for Multi-Factor Authentication!
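Two of the steps above lend themselves to a quick script: checking whether your own gateway addresses appear in a leaked device list, and hunting through SSL VPN logs for the pattern a credential dump tends to produce (many different accounts authenticating from the same remote address). The example below is added here and is not code from the original post or from Fortinet; the leaked list, the gateway addresses and the log lines are all constructed, and the key="value" log layout with `subtype`, `action`, `user` and `remip` fields is an assumption you should adapt to the actual export from your appliance.

```python
"""Added example: exposure check against a leaked device list, plus a simple
shared-source login hunt over SSL VPN log lines. All data is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for a leaked device list: "ip:port" per line, with noise.
LEAKED_LIST = """\
# constructed sample, not real leak data
203.0.113.10:10443
203.0.113.11:4443

198.51.100.7:10443
192.0.2.55:443
"""

# Constructed: the public addresses/ranges your own SSL VPN gateways listen on.
OWN_GATEWAYS = ["203.0.113.0/28", "198.51.100.200"]

# Constructed log lines; the field names are an assumed key="value" layout.
LOG_LINES = [
    'date=2021-09-09 time=08:01:12 subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=192.0.2.77',
    'date=2021-09-09 time=08:02:30 subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="bob" remip=198.51.100.23',
    'date=2021-09-09 time=08:03:45 subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="carol" remip=198.51.100.23',
    'date=2021-09-09 time=08:04:01 subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="dave" remip=198.51.100.23',
    'date=2021-09-09 time=08:05:00 subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="alice" remip=192.0.2.77',
]


def parse_leaked_list(text):
    """Return {ip_address: port} from 'ip:port' lines, skipping comments and junk."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, port = line.rpartition(":")
        try:
            found[ipaddress.ip_address(host)] = int(port)
        except ValueError:
            continue  # malformed entry, ignore it
    return found


def check_exposure(leaked_text, own_gateways):
    """List leaked 'ip:port' entries that fall inside our own gateway addresses/ranges."""
    nets = [ipaddress.ip_network(g, strict=False) for g in own_gateways]
    leaked = parse_leaked_list(leaked_text)
    return sorted(f"{ip}:{port}" for ip, port in leaked.items()
                  if any(ip in net for net in nets))


# key=value pairs where the value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """Turn one key="value" log line into a dict (assumed layout, see lead-in)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def find_shared_source_logins(log_lines, threshold=3):
    """Map remote IP -> sorted users for every IP from which `threshold` or more
    distinct accounts brought an SSL VPN tunnel up. Many accounts from one
    address is the classic footprint of a leaked credential list being replayed."""
    users_by_ip = defaultdict(set)
    for line in log_lines:
        rec = parse_kv(line)
        if rec.get("subtype") == "vpn" and rec.get("action") == "tunnel-up":
            users_by_ip[rec.get("remip")].add(rec.get("user"))
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= threshold}


if __name__ == "__main__":
    print("Own gateways present in leaked list:", check_exposure(LEAKED_LIST, OWN_GATEWAYS))
    print("Remote IPs used by 3+ accounts:", find_shared_source_logins(LOG_LINES))
```

The threshold of three accounts per source address is a starting point, not a rule; on real logs you would also want to pair the hit with the password reset and the account disablement above, since a match only tells you which credentials were exercised, not what the session did afterwards.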
There are few reasons to delay patching a system as critical as a VPN gateway for two years; there is little excuse for it, and it speaks volumes about a lack of due diligence on the part of the system administrators and the security team in particular. Multiple cybersecurity agencies gave a heads-up that Fortinet devices are a magnet, if not the go-to entry point, for ransomware actors and cyber-espionage groups alike.