In 2019, FortiGate firewalls had a zero-day vulnerability that was exploited globally, allowing attackers to harvest user VPN credentials, usernames and passwords, remotely. This vulnerability has been addressed and patched by Fortinet in 2019, however, recently, a database of more than 87,000 FortiGate SSL VPN credentials harvested in 2019 has been leaked to the Internet. Researchers have noted that while some of the credentials will no longer work, there are some that still do.
The vulnerability associated with the attack from 2019 has been patched and closed, however the risk of compromise still exists if user accounts have not had their passwords reset since 2019. Dataprise recommends forcing a reset of any user password that has not been changed in the last 365 days and enforcing Multifactor Authentication (MFA) to prevent exploitation of a compromised account.
Of the 87,000 exploited FortiGate devices belonging to a total of 22,500 companies, 2,959 of the organizations exploited are US-based companies.
Credentials harvested during this attack could still be used to log into a FortiGate VPN if the credentials have not been changed since the 2019 vulnerability was patched.
INDICATORS OF VULNERABILITY
FortiWeb 6.3.0 through 6.3.7 and versions earlier than 6.2.4.
If you have not patched your FortiOS to the above versions, or higher, you should completely disable the web-management interface until patching has been completed and verified. At a minimum, narrow down the exposure of the web interface to specific IP addresses and/or internal networks only.
While impractical, at this point Fortinet recommends users to disable all VPNs until the remediation steps below are completed:
- Disable all VPNs (SSL-VPN or IPSEC)
- Immediately upgrade Upgrade to 5.4.13, 6.0.11, or 6.2.8 and above.
- Treat all credentials as potentially compromised by performing an organization-wide password reset.
- Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
- Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.
- Stephen Jones, Senior Director Cybersecurity
- Sam Bourgeois, vCISO
- Maximo Bredfeldt, vCISO