MA-815.092021: MyCERT Alert - Fortinet Fortigate VPN Credentials Leaked
MyCERT is aware of a user credential leak on a hacking forum that involved approximately 500,000 Fortinet Fortigate VPN logins. The user credentials were allegedly scraped from exploitable devices last summer. Details about this vulnerability can be found at https://www.mycert.org.my/portal/advisory?id=MA-794.112020.
The exposure of the credentials could allow an attacker to access a network to perform malicious activities such as data exfiltration, malware installation, and ransomware attacks.
3.0 Affected System and Devices
• FortiOS 6.0 - 6.0.0 to 6.0.4
• FortiOS 5.6 - 5.6.3 to 5.6.7
• FortiOS 5.4 - 5.4.6 to 5.4.12
• (other branches and versions than above are not impacted)
• ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled
MyCERT strongly urges administrators of affected Fortinet VPN devices to follow the guidance below.
• Ensure that the products are patched to the latest versions immediately. If administrators are unable to do so immediately, disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.
• Treat all credentials as potentially compromised by performing an organization-wide password reset, and set new strong passwords immediately.
• Consider enabling two-factor authentication (2FA) to secure the VPN accounts, using external authentication services where possible.
• Check the Fortigate appliance's Audit Event log and VPN Event Log for signs of unauthorised or unusual logins, such as logins using valid credentials but from an abnormal overseas IP address, or logins at an unusual time of day.
• Monitor the network for any suspicious activities such as possible intrusion attempts.
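The log review described above can be scripted. The following is an added example, not part of the MyCERT advisory or any vendor tooling: it flags successful VPN logins from outside expected source networks or outside working hours. The key=value field names (date, time, subtype, action, user, remip), the "tunnel-up" success value, the expected networks and the working hours are all assumptions to adjust to your own log export and environment; the sample lines are constructed.

```python
import ipaddress
import shlex
from datetime import datetime, time

# Assumptions (not from the advisory): networks users normally connect from,
# and the organisation's working hours in the appliance's local time.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
WORK_START, WORK_END = time(8, 0), time(19, 0)
SUCCESS_ACTIONS = {"tunnel-up"}  # assumed value marking a successful VPN login

# Constructed sample lines in key=value form; not real log data.
SAMPLE_LOG = '''\
date=2021-09-06 time=09:14:02 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=203.0.113.25
date=2021-09-06 time=03:41:17 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=203.0.113.80
date=2021-09-07 time=10:05:33 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.7
date=2021-09-07 time=10:06:01 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=198.51.100.7
'''

def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def review_logins(log_text):
    """Return (user, remip, timestamp, reasons) for each suspicious successful login."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only successful VPN logins matter here: the leak concerns valid credentials.
        if ev.get("subtype") != "vpn" or ev.get("action") not in SUCCESS_ACTIONS:
            continue
        when = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        src = ipaddress.ip_address(ev["remip"])
        reasons = []
        if not any(src in net for net in EXPECTED_NETS):
            reasons.append("unexpected-source")
        if not (WORK_START <= when.time() <= WORK_END):
            reasons.append("off-hours")
        if reasons:
            findings.append((ev["user"], str(src), when.isoformat(), reasons))
    return findings

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG):
        print(finding)
```

Each finding is a lead for manual review rather than proof of compromise; a hit on an account whose password has not yet been reset deserves priority.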
Generally, MyCERT advises users of these devices to stay up to date with the latest security announcements from the vendor and to follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 - 18:00 MYT