In early September, a threat actor leaked nearly 500,000 Fortinet VPN login names and passwords that were allegedly scraped from vulnerable devices last summer. The leaked credentials could allow attackers to log in to an exposed network, exfiltrate data, install malware, and deploy ransomware. BitSight was able to verify that 98% of the IP addresses in the leaked files were, in fact, running Fortinet VPN servers within the past 12 months.
Fortinet has released a statement about the leak. In a post on their blog, the company said that the credentials were obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the threat actor’s scan. They noted that patching alone is not enough: a device that was patched after the scan is still exposed until its credentials are reset, because the passwords harvested from it remain valid.
The company offered the following recommendations to address risk associated with the leak:
- Disable all VPNs (SSL-VPN or IPsec) until the following remediation steps have been taken.
- Immediately upgrade affected devices to the latest available release, as detailed in Fortinet’s advisory.
- Treat all credentials as potentially compromised by performing an organization-wide password reset.
- Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
- Notify users to explain the reason for the password reset, and monitor services such as HIBP (Have I Been Pwned) for your domain.
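Before the organization-wide reset, most teams want to know which of their own VPN hosts and accounts appear in the dump so those users can be reset and contacted first. The script below is an added example, not BitSight’s or Fortinet’s code. It assumes a simple `ip,username,password` row layout for the leaked file (an assumption made for this example, not the real dump’s format), a hypothetical organization whose VPN concentrators live in `203.0.113.0/24` and whose users log in with `@example.com` addresses, and a constructed sample dump with dummy values. It matches rows against the organization’s address space and mail domain, drops the passwords on purpose, and reports malformed rows instead of silently skipping them.

```python
"""Match a leaked VPN credential dump against your own address space and
mail domains to build the list of accounts to reset and notify first.
Added example; the dump format, prefixes and domains are assumptions."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample dump. The "ip,username,password" layout is an
# assumption for this example, not the real dump's format; all values
# are dummies. The last row is a deliberate duplicate, the fifth is
# deliberately malformed.
SAMPLE_LEAK = """\
203.0.113.10,alice@example.com,Winter2021!
203.0.113.10,bob,hunter2
198.51.100.7,carol@example.org,Passw0rd
203.0.113.44,dave@example.com,letmein
not-an-ip,eve,xxx
192.0.2.5,frank@example.com,qwerty
203.0.113.10,alice@example.com,Winter2021!
"""

# Hypothetical organization: public VPN range and mail domain.
ORG_PREFIXES = ["203.0.113.0/24"]
ORG_DOMAINS = {"example.com"}


def parse_leak(text):
    """Return ([(ip, username), ...], malformed_count).

    Passwords are dropped here on purpose: the response to a leak is a
    reset, so nothing downstream should ever need the cleartext values.
    """
    rows, malformed = [], 0
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            malformed += 1
            continue
        ip_str, user = row[0].strip(), row[1].strip()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            malformed += 1
            continue
        rows.append((ip, user))
    return rows, malformed


def find_exposure(text, prefixes, domains):
    """Report which leaked rows touch our hosts or our mail domain.

    A row counts if its IP is inside one of our prefixes (the credential
    was scraped from a device we run) or if the username carries one of
    our domains (one of our users, even if scraped from another host).
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    rows, malformed = parse_leak(text)
    by_host = defaultdict(set)
    domain_users = set()
    for ip, user in rows:
        if any(ip in net for net in nets):
            by_host[str(ip)].add(user)
        domain = user.rpartition("@")[2].lower() if "@" in user else ""
        if domain in domains:
            domain_users.add(user)
    host_users = {u for users in by_host.values() for u in users}
    return {
        "hosts": {host: sorted(users) for host, users in by_host.items()},
        "domain_users": sorted(domain_users),
        "reset": sorted(domain_users | host_users),
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = find_exposure(SAMPLE_LEAK, ORG_PREFIXES, ORG_DOMAINS)
    for host, users in report["hosts"].items():
        print(f"our host {host}: {', '.join(users)}")
    print("accounts to reset first:", ", ".join(report["reset"]))
    print("malformed rows skipped:", report["malformed"])
```

The `reset` list is a priority list, not a scope limit: following Fortinet’s guidance above, every credential on the affected devices is still reset, and the matched accounts are simply the ones to handle and notify first. Rows that match neither a prefix nor a domain (the `carol@example.org` entry in the sample) belong to someone else’s exposure and are left out.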
BitSight Research Shows Increased Ransomware Risk Associated With CVE-2018-13379 Vulnerability
Recently, the BitSight data science team tested all the vulnerabilities confirmed in the BitSight rating for correlation with ransomware incidents. BitSight has monitored CVE-2018-13379 since 2019 and, at the time of writing, is still detecting a few thousand vulnerable systems online.
Using a statistical analysis, we found that the presence of the CVE-2018-13379 vulnerability makes an organization nearly twice as likely to suffer a ransomware attack. Additionally, we found that organizations with poor patching cadence performance are up to 7x more likely to be hit with ransomware.
Cyber attacks rarely rely on novel, never-before-seen techniques such as zero-day exploits. It is far more common for attackers to exploit known, unpatched vulnerabilities and to reuse credentials and other data that circulate on the dark web. The Fortinet leak is a perfect example of this: a three-year-old vulnerability, and a password dump harvested from devices that had not yet patched it.
BitSight's inventory of externally visible vulnerabilities enables organizations to make informed decisions that improve security posture and reduce risk.