Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Credential-Stealing VPN Exploits

    Stu Sjouwerman | Nov 25, 2020

    shutterstock_735922396vpn-exploitA hacker has published an exploit for a critical vulnerability in Fortinet VPN devices, along with a list of 49,577 vulnerable devices, BleepingComputer reports. Fortinet released a patch for the flaw in May 2019, but many devices remain vulnerable. The flaw (CVE-2018-13379) can allow an unauthenticated attacker to download system files, including passwords, from vulnerable Fortinet VPNS. In fact, the hacker in this case claims to have already obtained the login credentials for the vulnerable devices on the list. BleepingComputer says this access will most likely be exploited by ransomware operators to gain access to networks.

    BleepingComputer adds that a number of well-known public and private sector organizations are on the hacker’s list.

    “After analyzing the list, it was found that the vulnerable targets included government domains from around the world, and those belonging to well-known banks and finance companies,” BleepingComputer says. “As observed by BleepingComputer, out of the 50,000 domains, over four dozen belonged to reputable banking, finance, and governmental organizations.”

    The hacker’s post was discovered by a threat intelligence analyst known on Twitter as “Bank_Security,” who told BleepingComputer that thousands of companies around the world were on the list.

    “This is an old, well known and easily exploited vulnerability,” Bank_Security said. “Attackers already use it for a long time. Unfortunately, companies have a very slow patching process or an uncontrolled perimeter of exposure on the internet, and for this reason, attackers are able to exploit these flaws to compromise companies in all sectors with relative simplicity.”

    In cases where patching these devices isn’t possible or can’t be accomplished quickly, implementing multi-factor authentication can at least mitigate this vulnerability. (And multifactor authentication should be enabled wherever possible, even after the flaw has been patched.) New-school security awareness training can create a culture of security within your organization, enabling your employees to keep up with the latest security threats.

    BleepingComputer has the story.

    Topics: Ransomware MFA

    12 Ways to Defeat Multi-Factor Authentication On-Demand Webinar

    Webinars19Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, explores 12 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run. Plus, he shares a hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick.

    Watch the Webinar

    Secure the Digital Workforce: Human + AI

    KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the Founder and Executive Chairman of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog

    Posts By Topic

    View All