
The cybersecurity landscape is fraught with challenges, and one such challenge emerged with the disclosure of a critical vulnerability in Fortinet devices. This vulnerability, initially disclosed to Fortinet in 2018 but officially released to the public in May 2019, posed a significant threat to organizations worldwide. In this discussion, we delve into the repercussions of this vulnerability, its exploitation by threat actors, and the subsequent impact on organizations, particularly in Israel.

 

 .

 

 

Here is the verbatim discussion:

It was disclosed to Fortinet in 2018, but it was officially released by Fortinet publicly on May 24, 2019. And if you look at this vulnerability and you look at the Fortinet website, it's actually very diluted, deluding; there's kind of a, maybe a way for Fortinet to downplay this attack. But if you read it carefully, it says "FortiOS system file leak through SSL VPN", "FortiOS system file, processor, VPN via specially crafted HTTP resource request", to be honest, and the impact they are saying is information disclosure. I don't know. Basically, what this vulnerability is, is the ability, without any previous authentication, to go to the portal of the SSL VPN and you can extract the passwords file, and it's an unencrypted file, from remote, unauthenticated. So basically anyone can go to Fortinet, if it says it's a VPN enabled, and can extract your passwords, admin passwords, user passwords, everything without any problem. There's an exploit in the wild; it's actually very easy to exploit. Fortinet didn't really downgrade this attack, and I think they have quite a lot to blame in some of the devastation that it caused worldwide by downplaying this attack.

So basically what happened: not many organizations have updated their Fortinet devices, I think basically from the cause of the downplay by Fortinet, and many organizations, including Israel, worldwide have been vulnerable for quite some time. In November 2020 some attackers on RaidForums have posted all the usernames and passwords with the IPs of all the Israeli IP range, and said, basically, they called it "40", they gave it a nickname for this leak and exploitation. And what we've seen is a wave after wave after wave after that by the same threat actors, Pay2Key; in the following they changed a few names. They were exploiting those leaked credentials to get a foothold in many organizations. By the way, we've seen the same vulnerability not just by Iranian threat actors but things like REvil, a really famous ransomware; we've seen it by their affiliation HelloKitty and many other attackers, Chinese, etc. In the US we've seen many incidents using this attack, but Pay2Key really, really focused on Israel.

So once we saw that, we started to actively do compromise assessment in many organizations in Israel, and what we've seen is that one out of seven had already been hit by those threat actors: they'd already been using the credentials and they started lateral movement in some of those organizations. At that time we sent the public announcement, basically saying the cyberspace of Israel is not prepared, and at the end of the tweet I've posted I said "winter is coming". Not much longer after that, around an hour or two, Pay2Key's main Twitter account changed their name to "winter is comin" and they were basically quoting my tweet. Not sure if I'm really proud of it, but we were trying to make everyone in Israel aware that a big wave is coming and the organizations are not prepared. We were trying to contact Fortinet without much success; we were trying to contact many organizations, and the CERT of the Israelis was also sending a lot of notifications, etc.

A week after that, after the post, there was a massive wave: Israel Aerospace Industries and many others like Habana Labs and Inter-Electric, and companies were also exploited and ransomed by Pay2Key, more of a, and wipers other than actual ransomware. And it also got very, very big media attention because of the previous shielding; similarly to Shirbit, in here as well the attackers were trying to amplify.


Highlights:

Revealing the Vulnerability: The vulnerability in question pertains to Fortinet's SSL VPN, allowing remote, unauthenticated attackers to extract sensitive information, including passwords, from affected devices. Despite the severity of the vulnerability, the disclosure by Fortinet downplayed its impact, leading to delayed updates by organizations relying on Fortinet devices. Consequently, threat actors seized the opportunity, exploiting the vulnerability to gain unauthorized access to organizations' networks and data.
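As an added example (not code from the talk, from Fortinet, or from CISO Platform), the Python script below shows one way to rank a device inventory for patching when an advisory of this kind lands: a unit that is both unpatched and running an internet-reachable SSL VPN portal goes first, and because the flaw hands out the credential store, it also gets a password-reset action rather than only a firmware update. The `FIXED_IN` version table, the `Device` fields and the inventory are constructed placeholders; the real fixed-in builds must be taken from the vendor advisory.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# PLACEHOLDER table of "first fixed build" per firmware branch. These numbers are
# constructed for the example; replace them with the values from the vendor advisory.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (5, 4): (5, 4, 50),
    (5, 6): (5, 6, 50),
    (6, 0): (6, 0, 50),
}


@dataclass
class Device:
    name: str
    version: str            # firmware build as "major.minor.patch"
    sslvpn_enabled: bool    # SSL VPN portal configured on this unit
    internet_exposed: bool  # portal reachable from the internet


def parse_version(text: str) -> Version:
    """Turn '6.0.4' into (6, 0, 4) so builds compare numerically, not as strings."""
    major, minor, patch = (int(part) for part in text.split("."))
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fix for its branch.

    Branches newer than the newest fixed branch are assumed to carry the fix;
    older branches that never received a fix are treated as vulnerable.
    """
    build = parse_version(version)
    branch = build[:2]
    if branch in FIXED_IN:
        return build < FIXED_IN[branch]
    return branch < max(FIXED_IN)


def priority(device: Device) -> Tuple[int, str]:
    """Map a device to (rank, action); rank 1 is the most urgent."""
    if not is_vulnerable(device.version):
        return 4, "patched: no action"
    if device.sslvpn_enabled and device.internet_exposed:
        # The flaw leaks the credential file to unauthenticated remote callers,
        # so an exposed portal means the passwords must be treated as stolen.
        return 1, "patch now; reset all admin and VPN user passwords; review logins"
    if device.sslvpn_enabled:
        return 2, "patch in next window; rotate credentials as a precaution"
    return 3, "patch in routine cycle (portal not enabled)"


def prioritize(devices: List[Device]) -> List[Tuple[str, int, str]]:
    """Return (name, rank, action) sorted so the most urgent devices come first."""
    ranked = sorted(devices, key=lambda d: (priority(d)[0], d.name))
    return [(d.name, *priority(d)) for d in ranked]


# Constructed inventory for the example.
INVENTORY = [
    Device("fw-branch-a", "6.0.4", sslvpn_enabled=True, internet_exposed=True),
    Device("fw-dc-core", "6.0.60", sslvpn_enabled=True, internet_exposed=True),
    Device("fw-lab", "5.6.10", sslvpn_enabled=True, internet_exposed=False),
    Device("fw-oob", "5.4.2", sslvpn_enabled=False, internet_exposed=False),
    Device("fw-new", "6.2.1", sslvpn_enabled=True, internet_exposed=True),
    Device("fw-legacy", "5.2.9", sslvpn_enabled=True, internet_exposed=True),
]

if __name__ == "__main__":
    for name, rank, action in prioritize(INVENTORY):
        print(f"P{rank} {name:12s} {action}")
```

The ranking deliberately treats an unlisted older branch as vulnerable rather than unknown: a unit on a branch the vendor no longer fixes cannot be patched in place and should surface at the top of the list, not disappear from it.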

Exploitation and Fallout: The exploitation of the vulnerability by threat actors, notably by groups like Pay2Key, resulted in widespread ramifications, particularly in Israel. Attackers leveraged the leaked credentials to infiltrate organizations, leading to ransomware attacks and data breaches. The situation escalated as organizations struggled to mitigate the threat, highlighting the need for proactive cybersecurity measures and swift response protocols.
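Once a credential dump of the kind described above appears, the response is to find which of your own devices are in it and then hunt for use of those accounts. The Python below is an added example (not code from the speaker, from Fortinet, or from CISO Platform): it matches dump entries against the organisation's VPN address space to build the list of accounts that must be reset, and flags successful VPN logins by those accounts from source addresses never seen before the leak, which is the foothold activity the talk describes. The address range, dump entries, per-user baseline and log format are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed: the organisation's public VPN address space (documentation range, not a real target).
OUR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample of a leak dump as (vpn_ip, username) pairs.
LEAK = [
    ("203.0.113.10", "admin"),
    ("203.0.113.10", "jdoe"),
    ("198.18.0.5", "someone_else"),  # not one of our devices
]

# Constructed baseline: source IPs each user had logged in from before the leak.
BASELINE: Dict[str, Set[str]] = {
    "admin": {"203.0.113.250"},
    "jdoe": {"192.0.2.44"},
}

# Constructed VPN authentication log lines in a simple key=value format.
LOG_LINES = [
    "2020-11-21T07:58:10Z vpn-auth user=jdoe src=192.0.2.44 result=success",
    "2020-11-21T09:14:55Z vpn-auth user=jdoe src=198.51.100.7 result=success",
    "2020-11-21T09:15:02Z vpn-auth user=admin src=198.51.100.7 result=failure",
    "2020-11-21T09:16:40Z vpn-auth user=admin src=198.51.100.7 result=success",
    "2020-11-21T10:02:01Z vpn-auth user=bob src=198.51.100.9 result=success",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def affected_accounts(leak: Iterable[Tuple[str, str]],
                      ranges: Iterable[ipaddress.IPv4Network]) -> Set[str]:
    """Accounts whose credentials were dumped for a device inside our address space.

    Every one of these needs a forced password reset regardless of whether
    any misuse has been observed yet.
    """
    affected: Set[str] = set()
    for ip, user in leak:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ranges):
            affected.add(user)
    return affected


def suspicious_logins(lines: Iterable[str], affected: Set[str],
                      baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Successful logins by leaked accounts from sources absent from their baseline.

    Failed attempts are skipped here (they belong in a separate brute-force view);
    a success from a never-before-seen source is the signal worth paging on.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # ignore lines that are not auth events
        user, src, result = match["user"], match["src"], match["result"]
        if result != "success" or user not in affected:
            continue
        if src not in baseline.get(user, set()):
            hits.append((match["ts"], user, src))
    return hits


if __name__ == "__main__":
    accounts = affected_accounts(LEAK, OUR_RANGES)
    print("force reset:", sorted(accounts))
    for ts, user, src in suspicious_logins(LOG_LINES, accounts, BASELINE):
        print(f"{ts} leaked account {user} logged in from new source {src}")
```

In practice the baseline would be built from the authentication history before the dump's publication date, and the reset list would be pushed to the identity provider rather than printed; the two functions are the decision logic that sits between those systems.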

Warning Signs and Response Efforts: As the threat escalated, cybersecurity experts sounded the alarm, warning organizations about the impending danger. However, challenges arose in contacting Fortinet and coordinating response efforts, exacerbating the situation. Despite proactive efforts to raise awareness and provide assistance, many organizations fell victim to the exploitation, underscoring the critical importance of cybersecurity readiness and collaboration among stakeholders.


The vulnerability in Fortinet devices, coupled with the exploitation by threat actors, underscored the critical importance of proactive cybersecurity measures and rapid response protocols. The incident serves as a stark reminder of the ever-present threat landscape and the need for organizations to remain vigilant and prepared to mitigate emerging risks effectively. By learning from this experience and enhancing cybersecurity practices, organizations can bolster their defenses and safeguard against future threats.


Speaker:


Omri Segev Moyal is a renowned cybersecurity expert known for his expertise in ethical hacking and vulnerability research. With a background in computer science and extensive experience in the cybersecurity industry, Moyal has made significant contributions to enhancing digital security and raising awareness about cyber threats. His work spans across various domains, including penetration testing, malware analysis, and security research, making him a respected figure in the cybersecurity community.


https://www.linkedin.com/in/omrimoyal/

https://twitter.com/GelosSnake
