VPN (Virtual Private Network) service provider Fortinet has suffered from a data leak. An estimated 50,000 VPNs have been exposed.
In the world of VPN services, security is everything. After all, that is a big reason why so many users turn to VPN services in the first place. They don’t want to be tracked. They don’t want their information exposed. And they don’t want to run into a censored Internet along the way. That is why so many of these services promote their security credentials so heavily. Any sign of vulnerability can prove devastating for such a service.
Yet, a vulnerability is exactly what was recently found in one VPN service.
Fortinet is a VPN service provider that sells secure Internet access to corporate users. They use SSL and IPSec as part of their VPN package.
Reports are surfacing saying that the VPN service has suffered from a data leak. In all, an estimated 50,000 VPNs were exposed. While some data-leak reports cite numbers like these only to suggest that information might have been exposed, in this case the information is already floating around on the dark web. From CPO Magazine:
A hacker published a list of 50,000 credentials stolen from vulnerable Fortinet SSL VPNs. The data leak contained a list of one-line exploits for Fortinet’s FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 bug. The vulnerability allows an attacker to steal VPN credentials from the SSL VPN web portal. The latest breach is considered “the most complete sslvpn websession exploit” with both usernames and passwords. A hacker named “pumpedkicks” was suspected of stealing the data on November 19.
The data leak exposed details including usernames, passwords, unmasked IPs of organizations, including banks, telecoms, and government agencies. The data leak also included compromised devices’ session-related information.
Coincidentally, Bank_Security, a threat intelligence analyst, discovered another data leak containing a dump of the “sslvpn_websession” files for every IP exposed in the initial exploit.
That data leak contained usernames, passwords, access levels, for example, “full-access,” alongside the original unmasked IP addresses of users connected to the compromised VPN servers.
The subsequent data leak widely shared on hacking forums and chats originated from a threat actor named “arendee2018.” It had 7 GB of decompressed data, which was stored in a 36 MB RAR archive. Additionally, it had a separate list marked “Pak” exclusively containing VPN credentials for the leaked Pakistan IP addresses.
If this isn’t a worst-case scenario for a VPN provider, it is pretty far up the list. So, we checked the Twitter account and Facebook page for Fortinet and didn’t find any response to this story. If they are talking about this, we aren’t seeing it.
The one mitigating factor we can see is that the current version of FortiOS is version 6.4. So this only affects older versions of the software. If you’ve been able to keep reasonably up to date, this issue won’t affect you. That makes it much easier for Fortinet to say, “This issue only affects older versions. If you’ve stayed up to date, this won’t affect you.”
The latest version that is affected, 6.0.4, dates back to January 10 of last year. So, you need to have updated sometime since then to avoid the security issue.
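The practical question for anyone running FortiOS is whether the build in their inventory falls inside one of the version ranges the article lists. The following is an added example, not code from the article or from Fortinet: a small inventory triage script that parses FortiOS version strings and checks them against the affected ranges quoted above (6.0.0 to 6.0.4, 5.6.3 to 5.6.7, 5.4.6 to 5.4.12, inclusive). The hostnames and the inventory itself are constructed sample data. It compares versions numerically rather than as strings, since a plain string comparison would wrongly sort "5.4.12" before "5.4.6".

```python
# Added example: triage a FortiOS inventory against the affected version
# ranges quoted in the article. Not Fortinet's code; sample data is constructed.

# Affected FortiOS ranges as stated in the article (inclusive on both ends).
AFFECTED_RANGES = [
    ("6.0.0", "6.0.4"),
    ("5.6.3", "5.6.7"),
    ("5.4.6", "5.4.12"),
]


def parse_version(version):
    """Turn '6.0.4' or 'v6.0.4' into a tuple of ints so it compares numerically.

    Raises ValueError for anything that is not major.minor.patch, so that
    a typo in the inventory is reported instead of silently treated as safe.
    """
    text = version.strip().lower().lstrip("v")
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version lies inside any of the listed affected ranges."""
    vt = parse_version(version)
    return any(parse_version(lo) <= vt <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage_inventory(inventory):
    """Classify each host as 'affected', 'not_listed' or 'unknown'.

    inventory: dict mapping hostname -> FortiOS version string.
    'not_listed' means the version is outside every range the article names;
    versions older than 5.4.6 also land here, since the article says nothing
    about them. 'unknown' means the version string could not be parsed.
    """
    report = {"affected": [], "not_listed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "not_listed"
        except ValueError:
            bucket = "unknown"
        report[bucket].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-branch-01": "6.0.4",     # last affected 6.0.x build per the article
    "fw-branch-02": "6.0.5",     # one patch past the affected range
    "fw-dc-01": "6.4.0",         # current release mentioned in the article
    "fw-legacy-01": "5.4.12",    # upper bound of the 5.4.x range
    "fw-legacy-02": "5.6.3",     # lower bound of the 5.6.x range
    "fw-lab-01": "6.0",          # malformed entry; should be flagged, not ignored
}


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Hosts in the "affected" bucket are the ones to patch first; the "unknown" bucket is worth reviewing by hand, because a malformed inventory entry is exactly the kind of gap that lets an old appliance stay unpatched.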
At any rate, there is a bit of a PR mess that the company has to deal with. It will take time, but the fact that this affects older versions of the client will help them in the long run.
Drew Wilson on Twitter: @icecube85 and Facebook.