Fortinet confirmed that the credentials of thousands of Fortinet VPN accounts were posted online. The credentials were posted for free by former Babuk gang members. The file includes VPN credentials for 498,908 users across 12,856 devices.
Vulnerability from 2019
Fortinet confirmed the attack and stated that passwords that were not reset after the patch are still vulnerable. The company also stated that the incident is related to an old vulnerability resolved in May 2019, and urged users to upgrade to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, then reset their passwords. Fortinet recommends immediately taking the following steps:
- Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.
- Immediately upgrade affected devices to the latest available release.
- Treat all credentials as potentially compromised by performing an organization-wide password reset.
- Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
- Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.
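As an added example (not from the article or from Fortinet), the following Python script triages a constructed FortiOS device inventory against the fixed releases the article lists (5.4.13, 5.6.14, 6.0.11, 6.2.8), so an administrator can see which devices still need the upgrade before the organization-wide password reset. Treating branches outside 5.4/5.6/6.0/6.2 as `unlisted` (manual review) is an assumption of this script, not a statement from the advisory.

```python
"""Triage FortiOS versions against the fixed releases named in the advisory."""

# Minimum fixed release per affected branch, as listed in the article.
FIXED_BY_BRANCH = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}


def parse_version(text):
    """Turn strings like 'v6.0.4,build0268' or '6.2.8' into a 3-int tuple."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError("unrecognised FortiOS version: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version):
    """'upgrade' if below the fixed release of its branch, 'patched' if at or
    above it, 'unlisted' for branches the advisory does not name (assumption:
    review these by hand rather than guessing)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unlisted"
    return "upgrade" if v < fixed else "patched"


def triage(inventory):
    """Group device hostnames by triage status."""
    groups = {"upgrade": [], "patched": [], "unlisted": []}
    for device in inventory:
        groups[classify(device["version"])].append(device["host"])
    return groups


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    {"host": "fw-branch-01", "version": "v6.0.4,build0268"},
    {"host": "fw-hq-01", "version": "6.2.8"},
    {"host": "fw-dc-02", "version": "5.6.7"},
    {"host": "fw-lab-01", "version": "7.0.1"},
]

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(status, hosts)
```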
Fortinet announced that the credentials were obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the attack. When the vulnerability was discovered, the company issued multiple blog posts detailing the issue and encouraging customers to upgrade affected devices.