Security analyst Bank_Security came across a thread on a hacker forum in which a user under the pseudonym pumpedkicks published a list of IP addresses of 49,577 organizations running vulnerable Fortinet VPN devices. The poster claims to also hold plaintext credentials associated with these IP addresses. Among others, the list of potential targets includes domains owned by major banks and government organizations around the world.
All of the devices are affected by the Fortinet FortiOS SSL VPN directory traversal vulnerability that is long known and already patched by the vendor (CVE-2018-13379). It allows an unauthenticated remote attacker to read system files by sending a specially crafted HTTP request. An exploit published on a hacker forum uses it to retrieve the sslvpn_websession files from the Fortinet FortiOS VPN and steal credentials, which can then be used to compromise the corporate network and, for example, deploy ransomware on it.
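As an added, defender-side illustration (not part of the original post or any Fortinet tooling), the following Python scanner flags web-access log entries that combine path-traversal sequences with a request for the sslvpn_websession file mentioned above. The log lines, request paths and field layout are constructed for the example; they are not the real exploit request.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); the traversal
# paths are illustrative and deliberately not the published exploit URL.
SAMPLE_LOGS = [
    '203.0.113.7 - - [20/Nov/2020:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1532',
    '203.0.113.7 - - [20/Nov/2020:10:01:05 +0000] "GET /remote/res?name=..%2F..%2F..%2Fsslvpn_websession HTTP/1.1" 200 5120',
    '198.51.100.2 - - [20/Nov/2020:10:02:10 +0000] "GET /remote/res?name=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 210',
    '192.0.2.9 - - [20/Nov/2020:10:03:00 +0000] "POST /remote/logincheck HTTP/1.1" 200 80',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# "../" or "..\" anywhere, or a trailing ".." path component
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|[/\\]\.\.$')
# File names whose retrieval via traversal indicates credential theft
SENSITIVE_FILES = ('sslvpn_websession',)


def normalize_target(target):
    """Percent-decode repeatedly (bounded) so double-encoded traversal
    such as %252e%252e/ is seen as ../ ; unify path separators."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace('\\', '/')


def classify(line):
    """Return a finding dict for suspicious requests, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = normalize_target(m['target'])
    traversal = bool(TRAVERSAL_RE.search(target))
    sensitive = any(name in target.lower() for name in SENSITIVE_FILES)
    if traversal and sensitive and m['status'] == '200':
        severity = 'high'    # session file requested via traversal and served
    elif traversal:
        severity = 'medium'  # traversal attempt, target or outcome unclear
    else:
        return None
    return {'ip': m['ip'], 'ts': m['ts'], 'target': target,
            'status': m['status'], 'severity': severity}


def scan(lines):
    return [f for f in (classify(l) for l in lines) if f]
```

A `high` finding with status 200 means the device likely handed over the session file, so the credentials of every session active at that time should be treated as compromised.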
Of the nearly 50,000 vulnerable devices, about fifty belong to reputable financial institutions and government agencies.
“To better understand which companies were affected, I ran nslookup for all the IP addresses in the list, and for many of them I found a linked domain,” Bank_Security told BleepingComputer.
The analyst then refined the results and identified domain names associated with organizations of interest and well-known banks. Although the vulnerability has long been known and is easy to exploit, organizations are slow to deploy updates, so attackers continue to use known vulnerabilities in their attacks.
“This is an old, well-known and easily exploited vulnerability. Attackers have been exploiting it for a long time. Unfortunately, companies have a very slow patching process or an uncontrolled perimeter of Internet access, and therefore attackers can exploit vulnerabilities to relatively easily compromise companies in any industry,” the analyst said.
As reported last month, the CVE-2018-13379 vulnerability was exploited by cybercriminals in attacks on the US government election support systems.