Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in September 2019
- by nlqip
A vulnerable FortiGate SSL VPN server responds to this request with the contents of the sslvpn_websession file, which contains the username and password of a user. This information can be used or sold to threat actors to compile brute force and credential stuffing lists. While reconnaissance campaigns do not actively exploit systems, they enable threat actors to gain valuable information about users.
According to the researchers, the vulnerability was responsibly reported to Fortinet in December 2018 and was fixed in March 2019. This gave users ample time to update their systems before the vulnerability was publicly discussed at Black Hat USA in August 2019.
Conclusion
The campaigns detected in September point to the importance of vendors having a vulnerability disclosure program in place so that good-faith security researchers can report the security issues they discover. In the case of Fortinet, the researchers who discovered the vulnerability followed a responsible disclosure process before publicly presenting their research at a major security conference. In the case of vBulletin, it is not known whether the anonymous researcher reached out to the company before disclosing the vulnerability online, but it is fairly certain that many organizations were thrown into a panic when they saw the proof-of-concept exploit posted online. Having a vulnerability disclosure program shows a willingness on the part of the vendor to work with external security researchers and, more importantly, to have processes in place for handling the vulnerabilities they report. The goal is to minimize the impact on organizations using the vulnerable products by making patches available as quickly as possible.
As always, there are many defenses enterprises can put in place, and defense in depth is the security approach many organizations use. For most, a web application firewall (WAF) serves as the first line of defense for their applications. A WAF that is well-monitored, correctly configured, and kept up to date should also be able to stop threat actors from exploiting vulnerable systems within a network.
F5 security researchers continuously monitor new web application exploits to deliver the latest threat intelligence to our customers, as well as the broader IT security community. Join us in continuing the conversation on social media.