Background / What has happened?
A malicious cyber actor has released a list of FortiNet virtual private network (VPN) devices and user credentials which the actor claims are valid and would allow a remote cyber actor access to the network located behind the VPN device.
It is reported that the credentials were stolen by exploiting a vulnerability in FortiOS (CVE-2018-13379).
Mitigation / How do I stay secure?
Organisations that have an internet-accessible FortiNet SSL VPN device should ensure the device's patches are up to date.
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) recommends organisations review their patching history to identify possible periods of exposure to CVE-2018-13379 and other relevant FortiNet vulnerabilities, including CVE-2020-12812 and CVE-2019-5591. Organisations should also review the linked FortiNet security advisories for the list of specific FortiNet products affected by these vulnerabilities as well as vendor recommended mitigations, if devices are still vulnerable.
It is unknown exactly when the suspected exploitation activity occurred for each identified FortiNet device in the list. Organisations should consider conducting a password reset for users of FortiNet SSL VPN devices, particularly if patch history identifies extended periods of vulnerability. Organisations should also consider reviewing authentication logs and user activity for signs of suspicious activity related to malicious use of the leaked credentials.
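As an added illustration of the log review recommended above (example code, not part of the ACSC advisory or any vendor tooling): a small Python script that parses constructed FortiOS-style SSL VPN event lines and flags logins during the exposure window that come from a source address never seen for that user before the window began, or that follow failed logins across several accounts from the same address. The field names follow FortiOS key=value log conventions; the sample log content and the exposure start date are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample FortiOS-style SSL VPN event lines (key=value syslog format). The field
# names (date, time, action, user, remip) follow FortiOS conventions; all values are invented.
SAMPLE_LOGS = """\
date=2021-08-02 time=09:10:11 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" user="alice" remip=198.51.100.10
date=2021-08-03 time=09:12:40 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" user="bob" remip=198.51.100.11
date=2021-09-08 time=02:14:03 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" user="alice" remip=203.0.113.7
date=2021-09-08 time=02:14:05 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" user="bob" remip=203.0.113.7
date=2021-09-08 time=02:14:09 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" user="alice" remip=203.0.113.7
date=2021-09-09 time=09:11:02 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" user="bob" remip=198.51.100.11
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare_value

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}

def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def find_suspicious_logins(events, exposure_start, min_accounts=2):
    """Return (timestamp, user, remip, reasons) for successful logins on/after exposure_start
    (ISO date string from the patch-history review, so plain string comparison works) that
    either use a source IP unseen for that user before the window, or follow failed logins
    from the same IP against at least min_accounts distinct accounts."""
    baseline = defaultdict(set)          # user -> source IPs seen before the exposure window
    for e in events:
        if e.get("action") == "tunnel-up" and e["date"] < exposure_start:
            baseline[e["user"]].add(e["remip"])
    failed_accounts = defaultdict(set)   # remip -> accounts that failed to log in from it
    findings = []
    for e in events:
        if e.get("action") == "ssl-login-fail":
            failed_accounts[e["remip"]].add(e["user"])
        elif e.get("action") == "tunnel-up" and e["date"] >= exposure_start:
            reasons = []
            if e["remip"] not in baseline[e["user"]]:
                reasons.append("new source IP for user")
            if len(failed_accounts[e["remip"]]) >= min_accounts:
                reasons.append("success after failures across %d accounts" % len(failed_accounts[e["remip"]]))
            if reasons:
                findings.append((e["date"] + " " + e["time"], e["user"], e["remip"], reasons))
    return findings

if __name__ == "__main__":
    for f in find_suspicious_logins(parse_logs(SAMPLE_LOGS), "2021-09-01"):  # assumed window start
        print(f)
```

Run it against exported SSL VPN event logs with the exposure start date taken from the patching history; each finding is a candidate for the password reset and user-activity review described above.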
Assistance / Where can I go for help?
The ASD’s ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ASD’s ACSC via 1300 CYBER1 (1300 292 371).