FortiGate VPN exposure still bites this Halloween!
At the beginning of October 2019, both the NSA and the NCSC published advisories warning that a vulnerability in FortiGate SSL-VPN was being actively exploited by nation-state Advanced Persistent Threat (APT) actors to gain access to enterprise environments. The vulnerability allows a malicious actor to trivially download plain-text username and password combinations for active VPN users.
Before the advisories from the NSA and NCSC were posted, around 26,000 FortiGate VPN devices were found to be vulnerable, exposing 60,000+ credentials.
Fast forward to the end of the month and, globally, more than 19,000 devices are still running the vulnerable software. Within the US this accounts for over 4,500 devices, while the UK still has 534 exposed devices.
Organisations still at risk span a broad range of sectors, including finance, government, medical, the motor industry, aviation and mining / exploration, to name but a few.
The continued exposure points to a significant lack of awareness within those organisations of the state of their Internet-facing devices, and to the absence of any formal vulnerability management process.
Poor Password Choice
Analysis of the credentials found that the most common password in use was still based upon the word ‘password’, accounting for 10% of all passwords, with ‘summer’ the next most commonly used. This shows that we still have a long way to go in educating users to choose robust passwords, and it certainly strengthens the business case for adopting multi-factor authentication, but that is for another day.