Data leak with 87,000 FortiGate SSL VPN credentials used for attacks

Another short note for administrators of FortiGate installations, which has been sitting in my queue for a few days. Unknown persons have compiled a collection of 87,000 FortiGate SSL VPN credentials, which they are now using specifically to attack the corresponding installations. CERT-Bund has just issued a warning to this effect; administrators need to act.


CERT warning

The German CERT-Bund warning on Twitter is very clear: organizations using FortiGate SSL VPN access that have at any time run one of the listed affected versions (below FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8) must also update user passwords after upgrading.

CERT-Bund warning about FortiGate data leak with access data

The background is that credentials are believed to have been extracted in clear text from systems before the vulnerabilities were closed. This allows attackers to use the old credentials to log in to the SSL VPN of FortiGate products that have since been patched.

FortiGate security alert

FortiGate has issued the security alert Malicious Actor Discloses FortiGate SSL-VPN Credentials, dated September 8, 2021. It has come to Fortinet's attention that a malicious actor recently exposed SSL VPN credentials for 87,000 FortiGate SSL VPN devices. I had seen information from colleagues at Bleeping Computer that data on 500,000 VPN accesses had been published. The data was published by a person with the alias Orange. This person is an administrator of the newly established RAMP hacking forum and used to be the operator behind the Babuk ransomware operations.

These credentials are related to a vulnerability (CVE-2018-13379) that was fixed by an update in May 2019. It appears cyber criminals scanned unpatched FortiGate SSL VPN access points at that time, pulling credentials in clear text. Fortinet writes in response that the credentials were taken from systems that were not yet patched against FG-IR-18-384 / CVE-2018-13379 at the time of the perpetrator's scan.


The problem: even systems that have since been patched remain exposed unless the passwords for the SSL VPN accounts have been reset. This is exactly the approach of the current wave of attacks: scan the Internet for FortiGate SSL VPN endpoints and then try the credential collection against them. The instances can be targeted directly via their IP addresses, which are probably also part of the data collection. The graphic shows many countries with affected FortiGate instances. The FortiGate security warning Malicious Actor Discloses FortiGate SSL-VPN Credentials contains specific instructions on how to proceed.
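Two defender-side checks follow from the CERT-Bund rule above and from the attack pattern just described. The script below is an added example and is not code from the original post, from CERT-Bund or from Fortinet. The first helper applies the version rule as quoted (any device that ever ran firmware below 5.4.13, 5.6.14, 6.0.11 or 6.2.8 needs an upgrade plus a password reset; treating branches older than 5.4 as affected and branches newer than 6.2 as unaffected is this example's reading of that rule). The second helper looks for the replay of a leaked credential list in SSL VPN logs: one source address failing logins for many different accounts, and a source that succeeds as one user after failing as others. The log lines are constructed samples in a FortiOS-like key=value style; the field names `action`, `user` and `remip` and the values `ssl-login-fail` and `tunnel-up` are assumptions for this example and should be checked against your own device's log format.

```python
"""Triage helpers for the FortiGate SSL VPN credential leak (added example).

needs_password_reset(version): CERT-Bund version rule from the post.
credential_stuffing_sources(lines): sources failing logins for many accounts.
successes_after_other_failures(lines): sources that got in after burning
through other people's accounts, i.e. a leaked credential that still works.
"""
import re
from collections import defaultdict

# Lowest patched release on each affected firmware branch (CERT-Bund warning).
FIXED_VERSIONS = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}


def parse_version(text):
    """'6.0.9' -> (6, 0, 9); anything else raises ValueError."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_password_reset(version):
    """True if a device that ever ran this firmware may have had credentials
    harvested and therefore needs an upgrade AND an SSL VPN password reset.
    Branches older than 5.4 predate every fix (treated as affected); branches
    newer than 6.2 are not in the affected list (treated as unaffected)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    return branch < (5, 4)


# Constructed sample log, FortiOS-like key=value style (field names assumed).
# 203.0.113.10 works through several accounts and finally gets in as "dave";
# 198.51.100.7 is a user mistyping her own password once, then succeeding.
SAMPLE_LOG = """\
date=2021-09-08 time=10:01:02 type=event subtype=vpn action="ssl-login-fail" user="alice" remip=203.0.113.10
date=2021-09-08 time=10:01:03 type=event subtype=vpn action="ssl-login-fail" user="bob" remip=203.0.113.10
date=2021-09-08 time=10:01:04 type=event subtype=vpn action="ssl-login-fail" user="carol" remip=203.0.113.10
date=2021-09-08 time=10:01:05 type=event subtype=vpn action="tunnel-up" user="dave" remip=203.0.113.10 tunneltype="ssl-web"
date=2021-09-08 time=10:02:00 type=event subtype=vpn action="ssl-login-fail" user="alice" remip=198.51.100.7
date=2021-09-08 time=10:02:30 type=event subtype=vpn action="tunnel-up" user="alice" remip=198.51.100.7 tunneltype="ssl-web"
""".splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def credential_stuffing_sources(lines, min_users=3):
    """{remip: sorted usernames} for sources that failed logins for at least
    min_users distinct accounts. One address trying many different user
    names is what replaying a leaked credential list looks like."""
    failed = defaultdict(set)
    for line in lines:
        rec = parse_log(line)
        if rec.get("action") == "ssl-login-fail":
            failed[rec.get("remip")].add(rec.get("user"))
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_users}


def successes_after_other_failures(lines):
    """{remip: [users]} where a source logged in as a user after failing as a
    DIFFERENT user from the same address. A user retrying their own password
    is not flagged; a successful login after other accounts failed is, since
    it suggests one of the leaked credentials still works on this device."""
    failed_users = defaultdict(set)
    hits = defaultdict(list)
    for line in lines:  # lines are assumed to be in time order
        rec = parse_log(line)
        ip, user, action = rec.get("remip"), rec.get("user"), rec.get("action")
        if action == "ssl-login-fail":
            failed_users[ip].add(user)
        elif action == "tunnel-up" and (failed_users[ip] - {user}):
            hits[ip].append(user)
    return dict(hits)


if __name__ == "__main__":
    for v in ("6.0.9", "6.2.8", "6.4.2"):
        print(v, "upgrade + reset SSL VPN passwords" if needs_password_reset(v) else "not in affected range")
    print("stuffing sources:", credential_stuffing_sources(SAMPLE_LOG))
    print("successes after other failures:", successes_after_other_failures(SAMPLE_LOG))
```

The version check deliberately asks about every firmware the device has *ever* run, not the one it runs now: a box that was upgraded from 6.0.9 to 6.0.11 without a password reset is exactly the case the warning is about. The second heuristic flags the source that succeeded as `dave` after failing as `alice`, `bob` and `carol`, but not the source where `alice` failed once and then logged in herself.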
