Rewterz Threat Alert – Mass Scanning Detected Targeting Fortinet VPN servers

Severity

High

Analysis Summary

Mass scanning activity detected from the following hosts targeting Fortinet VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2018-13379) leading to disclosure of usernames and passwords in plaintext.

CVE-2018-13379

Fortinet FortiOS could allow a remote attacker to traverse directories on the system, caused by a flaw in the VPN web portal. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to download arbitrary files on the system.

Impact

• Information disclosure
• Exposure of sensitive data

Affected Vendors

Fortinet

Affected Products

• Fortinet FortiOS 6.0.0
• Fortinet FortiOS 5.6.3
• Fortinet FortiOS 6.0.4
• Fortinet FortiOS 5.6.7

Indicators of Compromise

IP

• 85[.]114[.]101[.]173
• 45[.]155[.]204[.]227
• 45[.]227[.]253[.]141
• 193[.]27[.]228[.]77
• 5[.]188[.]86[.]100
• 45[.]9[.]20[.]207
• 45[.]155[.]204[.]233
• 185[.]191[.]32[.]158
• 193[.]56[.]146[.]116
• 212[.]47[.]252[.]74
• 195[.]123[.]222[.]53
• 66[.]115[.]145[.]233
• 66[.]211[.]112[.]9

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.
• Refer to FortiGuard Advisory FG-IR-18-384 for patch, upgrade or suggested workaround information.