The big leak of VPN Account Passwords From 87,000 Fortinet FortiGate Devices

Nov 1, 2021 | Cyberattacks To Remember

In September 2021 a large credential leak became public: VPN user names and passwords harvested from around 87,000 FortiGate SSL-VPN devices around the world were posted by a threat actor. According to the article on The Hacker News that covered the incident, the list held close to half a million credentials; the 87,000 figure counts the devices they were taken from, not the users.

The credentials belonged to individuals and organisations all over the world, with the largest share from the USA. France, Italy, India, and Taiwan were also strongly represented.

The credentials were harvested through CVE-2018-13379, a pre-authentication path traversal in the FortiOS SSL-VPN web portal that lets an unauthenticated attacker read files from the device, including the session file that stores VPN user names and passwords in plaintext. Fortinet stated that the credentials came from systems that were still unpatched against “CVE-2018-13379 at the time of the actor’s scan.” According to Fortinet, “this incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers.” Despite being urged to upgrade the affected devices, many customers did not. The company published instructions on how owners of affected devices can protect themselves and directed them to the recommended upgrades.

Who is Fortinet and what are FortiGate devices?

Fortinet is one of the largest network security vendors. It was founded in 2000 in California and sells security products to large enterprises, service providers, and government organisations. According to its website, “Fortinet ranks number one in the most security appliances shipped worldwide and more than 500,000 customers trust Fortinet to protect their businesses.”

FortiGate is the company’s “next-generation firewall” product line. The devices come in different series sized to the needs of the business that deploys them. The firewall sits at the network edge, inspects the traffic entering and leaving the network, and enforces policy on it, so that only permitted traffic reaches the business behind it. A presentation from a Fortinet platinum partner lists malware, blended network attacks and intrusions among the threats it is meant to stop.

FortiGate devices also terminate VPN connections, with FortiClient as the endpoint software. Multiple reviews rate it as one of the more secure solutions on the market; it is the SSL-VPN web portal of this same product that CVE-2018-13379 affected.

How did the leak happen and how big is it?

As noted above, the leak was the result of an unpatched vulnerability in the devices. Although a fixed version had been available since May 2019, many customers had not upgraded to it. Fixing the bug clearly did not end its exploitation: The Hacker News wrote that “CVE-2018-13379 also emerged as one of the topmost exploited flaws in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.”
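The requests behind this leak are recognisable in web-access logs, and the script below, added here as an illustration rather than code from the original article or any Fortinet tooling, flags them. It assumes the widely published exploit request for CVE-2018-13379 (a GET to /remote/fgt_lang whose lang= parameter traverses to /dev/cmdb/sslvpn_websession), log lines in Common Log Format as a reverse proxy or WAF in front of the portal would write them, and the constructed sample lines embedded in it. It normalises the traversal so that the slash-padded and percent-encoded variants map to the same file, and it treats a 200 response for the session file as proof that the device was unpatched and its session credentials exposed.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Common Log Format (assumption: a reverse
# proxy or WAF in front of the SSL-VPN portal logs requests this way). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2021:10:14:03 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 4231
203.0.113.7 - - [05/Sep/2021:10:14:05 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 31288
198.51.100.23 - - [05/Sep/2021:10:15:11 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 31288
192.0.2.44 - - [05/Sep/2021:10:16:40 +0000] "GET /remote/fgt_lang?lang=fr HTTP/1.1" 200 812
192.0.2.45 - - [05/Sep/2021:10:17:02 +0000] "GET /remote/fgt_lang?lang=/../../../../etc/passwd HTTP/1.1" 404 0
"""

# CLF: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The file the public CVE-2018-13379 exploit reads: it holds active SSL-VPN
# sessions with user names and passwords in plaintext.
SESSION_FILE = "/dev/cmdb/sslvpn_websession"
VULN_ENDPOINT = "/remote/fgt_lang"


def traversal_target(target: str):
    """Return the file path a request to the vulnerable endpoint resolves to,
    or None when the request is benign (another endpoint, or a plain language code)."""
    parts = urlsplit(target)
    if parts.path != VULN_ENDPOINT:
        return None
    # parse_qs percent-decodes, so %2F..%2F is seen the same as /../
    lang = parse_qs(parts.query).get("lang", [""])[0]
    if ".." not in lang and not lang.startswith("/"):
        return None  # e.g. lang=en or lang=fr: legitimate portal use
    # Resolve the traversal the way the file system would: collapse runs of
    # slashes and apply each "..", so every variant maps to one canonical path.
    return normpath("/" + lang.lstrip("/"))


def scan(log_text: str):
    """Return a list of (ip, status, resolved_path, verdict) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        resolved = traversal_target(m["target"])
        if resolved is None:
            continue
        # A 200 for the session file means the device was unpatched at that moment
        # and every credential in the file must be treated as leaked.
        if resolved == SESSION_FILE and m["status"] == "200":
            verdict = "credentials-exposed"
        else:
            verdict = "traversal-attempt"
        findings.append((m["ip"], int(m["status"]), resolved, verdict))
    return findings


if __name__ == "__main__":
    for ip, status, path, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:20} {ip:15} HTTP {status}  {path}")
```

A device that served the session file with a 200, even once, has leaked the credentials of every session that was open at that time, so a hit with the "credentials-exposed" verdict calls for a password reset of the affected accounts, not just a patch. Requests that traverse elsewhere or get a 404 still show that someone scanned the device and are worth correlating with the source address across the rest of the logs.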

The credential dump taken from those 87,000 devices is the cherry on top. It surfaced when a post on a private cybercrime forum offered a free copy of part of the list of VPN logins. The online outlet The Record noted in its article on the breach that “sources familiar with the existence of this collection told The Record the list had been compiled more than a year ago and had been sold in private circles to different threat actors, including groups who carried out ransomware attacks.”

The affected devices were located in 74 countries.

Prevention measures and lessons learned

A few things are worth noting here. The company says it warned customers repeatedly to upgrade after the flaw was fixed in May 2019: “This incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers. And because customer security is our top priority, Fortinet subsequently issued multiple corporate blog posts detailing this issue, strongly encouraging customers to upgrade affected devices. In addition to advisories, bulletins, and direct communications, these blogs were published in August 2019, July 2020, April 2021, and again in June 2021.”

On the other hand, the issue remained one of the most exploited flaws in the wild (as shown above), which indicates that many Fortinet customers did not follow the upgrade instructions and stayed vulnerable for years. Patching alone is not enough once an attacker has already read the session file: the stolen user names and passwords remain valid until they are changed, which is why Fortinet’s guidance was to upgrade and then reset all affected passwords, treating them as compromised. It remains to be seen how this will affect the market and whether similar cases will follow.

Cybersecurity – a top priority for any organisation

Such cases show that cybersecurity measures and policies should be adopted and kept up to date in every organisation, public or private. Cyber-attacks are becoming more frequent and more damaging, but a little prevention goes a long way. You can protect your business with measures such as penetration testing, vulnerability assessment, and staff awareness training. At 3Cyber-Sec you will find a trusted partner with extensive experience and flexibility to help you build up your cybersecurity defences with solutions tailored to your needs.
