A hacker has published an exploit for a critical vulnerability in Fortinet VPN devices, along with a list of 49,577 vulnerable devices, BleepingComputer reports. Fortinet released a patch for the flaw in May 2019, but many devices remain unpatched. The flaw (CVE-2018-13379) can allow an unauthenticated attacker to download system files, including passwords, from vulnerable Fortinet VPNs. In fact, the hacker in this case claims to have already obtained the login credentials for the vulnerable devices on the list. BleepingComputer says this access will most likely be exploited by ransomware operators to gain access to networks.
BleepingComputer adds that a number of well-known public and private sector organizations are on the hacker’s list.
“After analyzing the list, it was found that the vulnerable targets included government domains from around the world, and those belonging to well-known banks and finance companies,” BleepingComputer says. “As observed by BleepingComputer, out of the 50,000 domains, over four dozen belonged to reputable banking, finance, and governmental organizations.”
The hacker’s post was discovered by a threat intelligence analyst known on Twitter as “Bank_Security,” who told BleepingComputer that thousands of companies around the world were on the list.
“This is an old, well-known and easily exploited vulnerability,” Bank_Security said. “Attackers have already been using it for a long time. Unfortunately, companies have a very slow patching process or an uncontrolled perimeter of exposure on the internet, and for this reason, attackers are able to exploit these flaws to compromise companies in all sectors with relative simplicity.”
In cases where patching these devices isn’t possible or can’t be accomplished quickly, implementing multifactor authentication can at least limit the damage, since a stolen password alone will no longer be enough to log in. (And multifactor authentication should be enabled wherever possible, even after the flaw has been patched, because credentials may already have been taken before the patch was applied.) New-school security awareness training can create a culture of security within your organization, enabling your employees to keep up with the latest security threats.
BleepingComputer has the story.