Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs
#1
https://www.bleepingcomputer.com/news/se...inet-vpns/        Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs
By Ax Sharma
November 22, 2020 11:40 AM      A hacker has posted a list of one-line exploits to steal VPN credentials from almost 50,000 Fortinet VPN devices.

Present on the list of vulnerable targets are domains belonging to high street banks and government organizations from around the world.

Researchers find thousands of targets
The vulnerability being referred to here is CVE-2018-13379, a path traversal flaw impacting a large number of unpatched Fortinet FortiOS SSL VPN devices.

By exploiting this vulnerability, unauthenticated remote attackers can access system files via specially crafted HTTP requests.

The exploit posted by the hacker lets attackers access the sslvpn_websession files from Fortinet VPNs to steal login credentials. These stolen credentials could then be used to compromise a network and deploy ransomware.

Although the 2018 bug was publicly disclosed over a year ago, researchers have spotted around 50,000 targets that can still be targeted by attackers.

This week, threat intelligence analyst Bank_Security found a hacker forum thread where a threat actor shared a large 49,577 device list of such exploitable targets    After analyzing the list, it was found that the vulnerable targets included government domains from around the world, and those belonging to well-known banks and finance companies.

Banks, finance, and govt organizations vulnerable
As observed by BleepingComputer, out of the 50,000 domains, over four dozen belonged to reputable banking, finance, and governmental organizations.

Gov domains and leading bank websites remain vulnerable to CVE-2018-13379
Govt domains and leading bank websites remain vulnerable to CVE-2018-13379
Source: BleepingComputer
Bank Security told BleepingComputer after he saw the forum post, he started analyzing the list of IPs to identify what all organizations were impacted.

"To better find out which companies were impacted, I launched an nslookup on all the IPs on the list and for many of them, I found the associated domain."

The analyst then refined the obtained results to identify domain names associated with organizations of interest and notable banks.

The analyst further told BleepingComputer, although this is an old bug that is trivial to exploit, organizations have "a very slow" patching process, enabling attackers to continue exploiting well-known bugs:

"This is an old, well known and easily exploited vulnerability. Attackers already use it for a long time. Unfortunately, companies have a very slow patching process or an uncontrolled perimeter of exposure on the internet, and for this reason, attackers are able to exploit these flaws to compromise companies in all sectors with relative simplicity."

As reported by BleepingComputer last month, the same flaw was leveraged by attackers to break into US government elections support systems.

Network administrators and security professionals are therefore encouraged to patch this severe vulnerability immediately.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Philips healthcare infomatics solution vulnerable to SQL injection mrtrout 0 494 11-08-2021 , 02:20 AM
Last Post: mrtrout
  Hackers leak passwords for 500,000 Fortinet VPN accounts mrtrout 0 607 09-08-2021 , 11:11 PM
Last Post: mrtrout
  Active Exploits Hit WordPress Sites Vulnerable to Thrive Themes Flaws Bjyda 0 864 03-28-2021 , 12:06 PM
Last Post: Bjyda
  Ransomware now attacks Microsoft Exchange servers with ProxyLogon exploits tarekma7 0 1,028 03-12-2021 , 04:13 PM
Last Post: tarekma7
  Attackers scan for vulnerable VMware servers after PoC exploit release Bjyda 0 906 02-25-2021 , 11:54 PM
Last Post: Bjyda

Forum Jump:


Users browsing this thread: 1 Guest(s)