A threat intelligence analyst reported seeing a hacker list one-line exploits for over 49,000 Fortinet FortiOS SSL VPN devices. When the listed IP addresses are resolved, dozens of them are linked to well-known banks, government organizations, and several companies. Exploiting these Fortinet VPNs can leak network login credentials.
Thousands of Vulnerable Fortinet Devices in the Wild
A threat intelligence analyst who goes by Bank_Security on Twitter posted screenshots of a dark web forum post in which a hacker listed exploits for hijacking 49,577 vulnerable Fortinet FortiOS SSL VPN devices. Since every device was listed by its IP address, tracing them back produced intriguing results.
After a nslookup on all IPs, I found that among the victims there are some Banks, many .gov domains and thousands of companies around the world. https://t.co/F4o9xzjGJ4
— Bank Security (@Bank_Security) November 20, 2020
From the nslookup run by the analyst, it is clear that nearly 50,000 of these Fortinet VPN devices are vulnerable to attack. Many of them belong to well-known banks, government agencies, and private companies.
Though the flaw was found two years ago and publicly disclosed last year, companies using these devices have been slow to upgrade to the patched versions that would protect them.
Exploiting the flaw lets remote attackers access files on the target system through a specially crafted HTTP request. In particular, it leads them to the sslvpn_websession file on the Fortinet VPN, where the network's login credentials are stored.
Stealing those credentials lets the attackers enter the network, move laterally, plant backdoors, and eventually deploy ransomware to encrypt it. Ransomware operators have also adopted new methods, such as double-extortion techniques, to force victims to pay.
Network administrators of companies using these vulnerable Fortinet VPNs are therefore advised to update them to the latest patched versions.
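Besides patching, administrators can check web or proxy access logs for the kind of request the article describes: a crafted HTTP request that traverses to the sslvpn_websession file. The detector below is an added example, not code from the article or from Fortinet; the one-line-per-request log format and the /portal/... paths are constructed placeholders, not real FortiOS endpoints, and it decodes percent-encoding repeatedly so double-encoded traversal sequences are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access log: "<client-ip> <method> <request-target> <status>".
# The paths are hypothetical placeholders, not real FortiOS URLs.
SAMPLE_LOG = """\
198.51.100.7 GET /portal/login?lang=en 200
203.0.113.5 GET /portal/page?file=../../../sslvpn_websession 200
203.0.113.5 GET /portal/page?file=..%252f..%252fsslvpn_websession 200
192.0.2.9 POST /portal/logincheck 302
"""

# A ".." segment followed by a separator or the end of the target.
TRAVERSAL = re.compile(r"\.\.(?:/|$)")
# File names the article identifies as the target of the crafted request.
SENSITIVE_NAMES = ("sslvpn_websession",)


def normalize(target: str) -> str:
    """Percent-decode until stable (max 3 rounds) and unify separators,
    so %2e%2e, %2f and double-encoded %252f all become plain '../'."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def classify_request(target: str) -> list:
    """Return the list of reasons a request target looks suspicious."""
    decoded = normalize(target)
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("path-traversal")
    if any(name in decoded.lower() for name in SENSITIVE_NAMES):
        reasons.append("sslvpn_websession-access")
    return reasons


def scan_log(text: str) -> list:
    """Scan log lines and return (client_ip, target, reasons) for each hit."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash
        client_ip, _method, target, _status = parts[:4]
        reasons = classify_request(target)
        if reasons:
            findings.append((client_ip, target, reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, ",".join(reasons))
```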