Compromised Credentials of Fortinet VPN Devices
Original Issue Date: September 16, 2021
It has been observed that malicious threat actors are targeting unpatched Fortinet VPN devices and leveraging stolen credentials. The exploitation targets a known vulnerability (CVE-2018-13379) that has been patched in newer versions of the firmware. Organizations that are using vulnerable Fortinet appliances must update or disconnect their devices immediately, reset all passwords and/or enable Multi-Factor Authentication (MFA).
- Immediately upgrade affected devices to the latest available release. The patched versions are FortiOS 5.4.13, 5.6.14, 6.0.13, or 6.2.9 and above.
- Consider all credentials as potentially compromised by performing an organization-wide password reset.
- Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
- Reset all users' passwords for user accounts. Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. If passwords have been reused for other accounts, they could be used in credential stuffing attacks.
- Examine the logs to analyze any suspicious activity. If anything looks suspicious, immediately perform a thorough investigation to identify the malicious activity.
- Remove any unauthorized VPN related settings and rules configured by the attackers.
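A version check against the patched FortiOS builds listed above, added here as an example and not part of the CERT-In advisory. The branch-to-minimum-build mapping comes from the advisory; treating branches newer than 6.2 as patched and branches older than 5.4 as unpatched, and the sample inventory, are assumptions made for this example.

```python
"""Flag FortiOS builds below the patched releases named in the advisory."""
from typing import Optional

# Minimum patched build per release branch, taken from the advisory text.
PATCHED_MINIMUM = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 13),
    (6, 2): (6, 2, 9),
}
NEWEST_LISTED_BRANCH = max(PATCHED_MINIMUM)


def parse_version(text: str) -> tuple:
    """Parse strings like 'v6.0.12' or '5.6.14,build1727' into (major, minor, patch)."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the patched build for its branch, False if below,
    None if the branch is older than any the advisory lists."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED_MINIMUM:
        return (major, minor, patch) >= PATCHED_MINIMUM[branch]
    if branch > NEWEST_LISTED_BRANCH:
        return True   # assumption: branches released after 6.2 ship with the fix
    return None       # assumption: older branches receive no fix; treat as unpatched


def devices_needing_action(inventory: dict) -> list:
    """Return hostnames whose FortiOS build is not confirmed patched."""
    return sorted(host for host, ver in inventory.items() if is_patched(ver) is not True)


# Constructed sample inventory for this example (not real devices).
SAMPLE_INVENTORY = {
    "vpn-hq-01": "6.0.12",
    "vpn-hq-02": "6.0.13",
    "vpn-branch-01": "v5.6.14,build1727",
    "vpn-branch-02": "5.4.12",
    "vpn-lab-01": "6.4.6",
    "vpn-legacy-01": "5.2.15",
}

if __name__ == "__main__":
    for host in devices_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade or disconnect")
```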
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003