Thousands of Vulnerable Fortinet Devices in Wild
A threat intelligence analyst named Bank_Security on Twitter has posted screenshots of a post where a hacker in a dark web forum has listed exploits for hijacking 49,577 vulnerable Fortinet FortiOS SSL VPN devices. With all the devices listed with their IP addresses, tracking them back showed intriguing results.
— Bank Security (@Bank_Security) November 20, 2020

From an nslookup the analyst ran on the listed IP addresses, nearly 50,000 of these Fortinet VPN devices are known to be vulnerable. Many of them belong to popular banks, government agencies, and private companies.

The vulnerability, tracked as CVE-2018-13379, is a path traversal flaw found in a wide range of Fortinet FortiOS SSL VPN devices in 2018. Though found two years ago and publicly disclosed last year, companies using these devices have been slow to upgrade to the patched versions that would protect them.

Exploiting this flaw lets remote attackers read files on the target system through a specially crafted HTTP request. In particular, it gives them access to the sslvpn_websession files on Fortinet VPNs, where the network's login credentials are stored. Stealing these credentials lets attackers enter the network, move laterally, plant backdoors, and eventually deploy ransomware to encrypt it. Ransomware operators have also adopted new methods, such as double-extortion techniques, to force victims to pay. Network administrators of companies using these vulnerable Fortinet VPNs are therefore advised to update them to the latest patched versions.
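Patching is the fix, but administrators who cannot upgrade immediately will also want to know whether anyone has already tried a traversal request against their VPN portal. The scanner below is an added example, not code from the article or from Fortinet: it reads access-log lines in common log format, percent-decodes the request path (twice, to catch double-encoded sequences), and flags `../` traversal sequences and references to the sslvpn_websession file the article mentions. The log lines, the `/vpn/...` endpoint names and the directory names in them are constructed placeholders, not the real FortiOS paths or the actual exploit URL.

```python
"""Flag directory-traversal attempts in SSL-VPN / reverse-proxy access logs.

Added defensive example (not from the article or from Fortinet). The sample
log lines and the request paths in them are constructed placeholders.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2020:10:01:02 +0000] "GET /vpn/login HTTP/1.1" 200 512
203.0.113.7 - - [20/Nov/2020:10:01:09 +0000] "GET /vpn/example?page=../../../../tmp/x HTTP/1.1" 200 4096
203.0.113.9 - - [20/Nov/2020:10:01:15 +0000] "GET /vpn/example?lang=%2e%2e%2f%2e%2e%2fPLACEHOLDER_DIR%2fsslvpn_websession HTTP/1.1" 200 4096
203.0.113.5 - - [20/Nov/2020:10:02:00 +0000] "GET /vpn/static/jquery..min.js HTTP/1.1" 200 87000
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# "../" after normalisation (backslashes are folded into forward slashes first).
TRAVERSAL_RE = re.compile(r'\.\./')
# Sensitive targets worth a separate tag; sslvpn_websession is named in the article.
SENSITIVE_RE = re.compile(r'sslvpn_websession|/etc/passwd', re.IGNORECASE)


def normalize(path):
    """Percent-decode twice (catches %252e-style double encoding) and fold \\ to /."""
    decoded = path
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace('\\', '/')


def classify(line):
    """Return a hit record for a suspicious log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    path = normalize(m.group('path'))
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append('traversal')
    if SENSITIVE_RE.search(path):
        reasons.append('sensitive-file')
    if not reasons:
        return None
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'status': int(m.group('status')),  # a 200 on a traversal path deserves the closest look
        'path': path,
        'reasons': reasons,
    }


def scan(log_text):
    """Scan a whole log and return the list of hit records, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ip'], hit['ts'], hit['status'], ','.join(hit['reasons']), hit['path'])
```

The `jquery..min.js` line is included deliberately: a naive check for two consecutive dots would flag it, whereas requiring the trailing slash keeps the rule tight. Run the scanner over a real export of the VPN portal's access log; any hit with a 200 status is a reason to rotate the credentials stored on that device and to review the sessions that followed.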