In late 2020 a hacker posted exploits for almost 50 000 vulnerable Fortinet VPN’s. iTOO’s incident triage and digital forensic partner Cyanre obtained access to the IP addresses of the vulnerable VPN devices and have confirmed that a large number of these belong to South African organisations.
The vulnerability initially identified in 2018 and referred to as CVE-2018-13379 exploits a path traversal flaw on unpatched Fortinet FortiOS SSL VPN devices. Exploiting this vulnerability allows unauthorised remote attackers to access system files via specially crafted HTTP requests. Put simply exploiting this weakness allow hackers to steal login credentials which could then be used to compromise the network. This access could then be used to steal data and/or deploy ransomware.
Danny Myburgh, Managing Director at Cyanre Digital Forensic labs, confirmed that they have responded to a number of incidents over the past couple month where this weakness was exploited and that having gained access to the list of vulnerable IP addresses confirmed that a number of South African companies are at risk.
Fortigate have recently released security updates to resolve a few critical vulnerabilities in SSL VPN and their web firewall.
“As the workplace revolution with increased work from home persists, hackers are actively targeting functionality like remote access via VPN. We have also seen a developing trend in cyber extortion attacks where hackers are looking to exploit vulnerabilities to gain unauthorised access to an environment and then steal data before deploying their ransomware,” says iTOO Cyber Insurance Product Head, Ryan van de Coolwiijk. “Increasingly, we are also seeing the ransomware impact both production and backup environments, having a disconnected backup copy is becoming vital. It is also important to ensure that you seek expert incident response services and guidance to ensure that you manage the data compromise and look after those who may be impacted. The bulk of these services are provided as part of a cyber insurance policy.”
We urge brokers to notify their clients and clients to check and ensure that the patch management processes are robust and critical patches such as those being released by Fortigate are applied as soon as they can be.
Patching remains critical, perhaps now more than ever before.
