September 10, 2021
Severity
High
Analysis Summary
A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many of the VPN credentials are still valid. This leak is a serious incident, as the VPN credentials could allow threat actors to gain access to a network and then exfiltrate data, install malware, and carry out ransomware attacks. The list of Fortinet credentials was leaked for free by a threat actor known as ‘Orange,’ who is the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk ransomware operation. After disputes broke out between members of the Babuk gang, Orange split off to start RAMP and is now believed to be a representative of the new Groove ransomware operation. Yesterday, the threat actor created a post on the RAMP forum with a link to a file that allegedly contains thousands of Fortinet VPN accounts.
CVE-2018-13379
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests. Fortinet is aware that a malicious actor has disclosed SSL-VPN access information for 87,000 FortiGate SSL-VPN devices. These credentials were obtained from systems that were unpatched against CVE-2018-13379 at the time of the actor’s scan; those systems may since have been patched, but if the passwords were not reset afterwards the credentials remain valid.
The list of the victims is also available for anyone to check.
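As an added example (not part of the advisory or of Fortinet's own tooling), the following Python detector flags HTTP requests whose path or query string contains a path-traversal sequence, including percent-encoded and double-encoded variants, when run over web access-log lines. The log format, client addresses and request paths are constructed sample values; they are not the request string used against FortiOS.

```python
import re
from urllib.parse import unquote

# Combined-log-style access line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not from any real device); two are benign,
# two contain traversal sequences (one plain, one double percent-encoded).
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Sep/2021:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2021:10:01:03 +0000] "GET /remote/portal?file=../../../etc/hosts HTTP/1.1" 200 2048',
    '192.0.2.9 - - [10/Sep/2021:10:03:00 +0000] "POST /remote/logincheck HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Sep/2021:10:05:10 +0000] "GET /remote/portal?file=..%252f..%252fetc%252fhosts HTTP/1.1" 404 0',
]


def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly (catches double encoding), map backslashes to
    slashes and collapse runs of slashes so that '..' segments become visible."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace('\\', '/')
    return re.sub(r'/+', '/', decoded)


def is_traversal(raw_path: str) -> bool:
    """True if any segment of the path or query resolves to '..' after normalization.
    Query segments are split on '/', '=' and '&' so 'file=../x' is also caught."""
    norm = normalize_path(raw_path)
    path, _, query = norm.partition('?')
    segments = path.split('/') + re.split(r'[/=&]', query)
    return any(seg == '..' for seg in segments)


def find_traversal_requests(lines):
    """Return (client_ip, raw_path, status) for every parsable line flagged as traversal.
    A 200 status on a flagged request deserves the highest priority in triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m.group('path')):
            hits.append((m.group('ip'), m.group('path'), m.group('status')))
    return hits


if __name__ == '__main__':
    for ip, path, status in find_traversal_requests(SAMPLE_LOGS):
        print(f'traversal attempt from {ip}: {path} (status {status})')
```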
Impact
- Data Exfiltration
- Malware Installation
- Unauthorized Access
- Information Disclosure
Affected Vendors
Fortinet
Affected Products
- FortiOS 6.0 – 6.0.0 to 6.0.4
- FortiOS 5.6 – 5.6.3 to 5.6.7
- FortiOS 5.4 – 5.4.6 to 5.4.12
Remediation
- Keep your devices and software updated to the latest patches.
- Enable multi-factor authentication where possible.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Refer to the Fortinet advisory for CVE-2018-13379 for patch, upgrade, or suggested workaround information: https://www.fortiguard.com/psirt_policy