Cybersecurity experts are warning that hackers are targeting nearly 50,000 vulnerable, unpatched Fortinet VPNs to steal passwords.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed they are “aware of the possible exposure of passwords on Fortinet devices.”
Bleeping Computer wrote in a blog post that a hacker has posted exploits used to steal credentials from Virtual Private Network (VPN) devices.
The Fortinet path traversal vulnerability, CVE-2018-13379, affects FortiOS SSL VPNs and was patched in May 2019.
Fortinet confirmed the issue “may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.”
“The exploit posted by the hacker lets attackers access the sslvpn_websession files from Fortinet VPNs to steal login credentials,” Bleeping Computer wrote.
As a result, actors could use the stolen credentials to compromise a network and also deploy ransomware.
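One defensive use of the details above is log triage: flag access-log requests that show directory traversal or that reference the sslvpn_websession file, since an answered request of that shape is exactly the credential-theft pattern described. This is an added example, not code from the article or from Fortinet; the log format, endpoints and request targets are constructed for illustration, and a real deployment would map the parsing to the device's actual log schema.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (client, method, request target, status);
# the endpoints are made up and do not represent real FortiOS paths.
SAMPLE_LOG = """\
10.0.0.5 GET /remote/login?lang=en 200
10.0.0.5 POST /remote/logincheck 200
198.51.100.7 GET /remote/login?lang=/../../../../data/sslvpn_websession 200
198.51.100.7 GET /remote/login?lang=%2F..%2F..%2F..%2Fdata%2Fsslvpn_websession 200
203.0.113.9 GET /remote/fgt_lang?lang=..%252F..%252Fsslvpn_websession 200
10.0.0.8 GET /remote/hostcheck_validate 200
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")            # "../" or "..\" after decoding
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252F) is still visible."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def classify(line: str):
    """Return (client, reason, answered_ok) for a suspicious line, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    client, _method, target, status = m.groups()
    norm = normalize(target)
    reasons = []
    if TRAVERSAL.search(norm):
        reasons.append("path-traversal")
    if "sslvpn_websession" in norm.lower():
        reasons.append("sslvpn_websession-reference")
    if not reasons:
        return None
    # A 200 response means the device served the request: the high-priority case.
    return (client, "+".join(reasons), status == "200")


def find_suspicious(log_text: str):
    """Triage every line of an access log and return the flagged entries in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]
```

Clients that appear in the flagged list with an answered request should be treated as having potentially obtained session credentials, so the matching VPN accounts need their passwords reset after patching.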
Security expert ‘Bank_Security’ tweeted out information from a threat actor who shared a list of 49,577 exploitable devices.
“After a nslookup on all IPs, I found that among the victims there are some Banks, many .gov domains and thousands of companies around the world,” Bank_Security tweeted.
Readers may also remember hackers have been actively exploiting vulnerable PulseSecure and Fortinet VPN devices since last year.
To make matters worse, advanced persistent threat (APT) actors were spotted last month exploiting CVE-2018-13379 and other legacy internet-facing vulnerabilities in combination with the Zerologon vulnerability (CVE-2020-1472) to target government networks, critical infrastructure, and elections organizations.
The latest threat further emphasizes the importance of timely patching of network devices, especially those connected to the internet.