Ethical hacking experts report that, in recent days, threat actors have been scanning the Internet looking for non updated SSL VPNs developed by the company Fortinet to exploit a critical vulnerability.
The main objective of the operators of this
campaign is the theft of login credentials and other confidential details. If
successful, threat actors could gain full remote access to an organization’s
networks.
A few days ago the presence of a vulnerability set
in the company’s product was revealed and although Fortinet has been working on
to mitigate the risk, malicious hackers have also advanced in their methods for
exploiting these weaknesses.
To try to determine the potential scope of
these hackers, ethical hacking experts performed an Internet scan, finding at least
480k Fortinet SSL VPN endpoints online, although it is estimated that a total
of up to 500 thousand vulnerable endpoints could exist.
In addition to the broad reach, the
cybersecurity community is concerned about the recent increase in attempts to
exploit these flaws. For example, expert Troy Mursch of security firm Bad
Packets claims that his company’s honeypots detected thousands of scans looking
for endpoints exposed to this flaw, identified as CVE-2019-11510. “This is
an arbitrary file read flaw that allows the leakage of sensitive
information,” the expert said. “In addition, it is possible to
exploit this vulnerability in conjunction with other known failures to remotely
inject commands and access a VPN,” Mursch adds.
Last weekend, the expert mentioned that, after
a thorough analysis, nearly 15k VPN servers were found exposed to this
malicious campaign. “Our analyses found a total of 14,528 endpoints
vulnerable to the exploitation of CVE-2019-11510, in addition to 2,300 unique
networks with vulnerable computers in more than 100 countries,” the
ethical hacking expert says.
Based on analysis, experts have determined that
most organizations with non updated SSL VPN endpoints are in the U.S. For
security reasons, experts did not reveal the names of vulnerable organizations,
as the vulnerability is really easy to exploit.
The company released a security alert along
with updates to fix at least ten vulnerabilities; some of these failures could
be exploited to gain remote access to a compromised device and eventually to
the entire network of the attacked organization. Fortinet report highlights the
CVE-2018-13379 vulnerability, which would allow unauthenticated hackers to
download files from the FortiOS operating system using specially designed HTTP
requests.
Finally, Fortinet asked all its users to
upgrade their firmware to FortiOS 5.4.11 or later as a risk mitigation
method.
Unfortunately this is not the first time such
vulnerabilities are found in enterprise network level systems. Experts in
ethical hacking from the International Institute of Cyber Security (IICS)
reported a vulnerability in the FortigateOS system a couple of years ago that,
if exploited, fulfilled functions similar to those of a backdoor,
which the company stated did not was in the original firmware design.
