Threat Spotlight: Credential Theft vs. Admin Control—Two Devastating Paths to VPN Exploitation

This report discusses the ongoing exploitation of two older Fortinet VPN vulnerabilities, CVE-2018-13379 (a path traversal in the FortiOS SSL VPN web portal that exposes session files holding plaintext credentials) and CVE-2022-40684 (an authentication bypass on the administrative interface), and how cybercriminal and state-sponsored groups still target them for credential theft and administrative control years after disclosure. The research notes substantial growth in discussion of Fortinet VPN vulnerabilities on cybercriminal forums, illustrating their weight in the current threat landscape.
Affected: VPN infrastructure; organizations running Fortinet, Ivanti, Cisco, SonicWall and Citrix products; critical infrastructure, health care, government, education, technology, manufacturing and small- to medium-sized businesses.

Keypoints :

  • VPN-related vulnerabilities continue to be key tools for attackers years after disclosure.
  • Significant increase in discussions about Fortinet VPN vulnerabilities on cybercriminal forums.
  • Attackers exploit VPN vulnerabilities mainly through credential theft and administrative control.
  • CVE-2018-13379 remains widely exploited due to unpatched systems and the ease of accessing plaintext credentials.
  • CVE-2022-40684 allows attackers to bypass authentication, gaining administrative control over devices.
  • Both vulnerabilities are linked to ransomware campaigns and have high Exploit Prediction Scoring System (EPSS) scores.
  • State-sponsored groups exploit these vulnerabilities for long-term espionage and network infiltration.
  • Automated tools and AI are enhancing the efficiency and scale of VPN attacks.

MITRE Techniques :

  • TA0043: T1595.002 – Vulnerability Scanning: Detects external recon followed by remote authentication attempts linked to CVE-2018-13379.
  • TA0001: T1190 – Exploit Public-Facing Application: Identifies exploitation attempts related to CVE-2018-13379.
  • TA0003: T1505.003 – Web Shell: Covers post-exploitation persistence on the appliance; detection monitors for reverse shell connections from the device after exploitation (a reverse shell is an outbound callback, distinct from the server-side web shell this technique names, so both should be watched).
  • TA0002: T1203 – Exploitation for Client Execution: Listed for the administrative access gained through CVE-2022-40684. Note that T1203 describes client-side exploitation (e.g. a malicious document or browser content); an authentication bypass on an exposed management interface fits T1190 (Exploit Public-Facing Application), with the resulting admin session mapping to T1078 (Valid Accounts).
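The two paths in the key points above, and the "external recon followed by remote authentication attempts" detection idea in the MITRE list, can be turned into concrete log checks. The following is an added example written for this page, not code from the ReliaQuest report. It assumes a simplified FortiGate-style key=value log format (field names time, srcip, action, url, user, ua and status are this example's choice), uses constructed log lines, and relies on two publicly documented facts: the CVE-2018-13379 request shape is a traversal through /remote/fgt_lang aimed at the sslvpn_websession file, and Fortinet's guidance for CVE-2022-40684 points at admin API log entries with user="Local_Process_Access" and a "Report Runner" or "Node.js" user agent.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not captured from any real
# appliance), in a simplified FortiGate-style key=value layout. The source
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
time="2024-05-01T10:00:01Z" srcip=203.0.113.10 action=request method=GET url="/remote/login" status=200
time="2024-05-01T10:00:02Z" srcip=203.0.113.10 action=request method=GET url="/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" status=200
time="2024-05-01T10:14:00Z" srcip=203.0.113.10 action=login user="jdoe" status=success
time="2024-05-01T11:00:00Z" srcip=198.51.100.7 action=request method=PUT url="/api/v2/cmdb/system/admin/admin" user="Local_Process_Access" ua="Report Runner" status=200
time="2024-05-01T12:00:00Z" srcip=192.0.2.55 action=request method=GET url="/remote/login" status=200
time="2024-05-01T12:00:05Z" srcip=192.0.2.55 action=login user="asmith" status=success
"""

RULE_CRED_THEFT = "CVE-2018-13379: traversal read of sslvpn_websession"
RULE_ADMIN_CONTROL = "CVE-2022-40684: admin API request impersonating internal process"
RULE_LOGIN_AFTER_THEFT = "VPN login from source that just read the credential file"

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    rec = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    # Python < 3.11 does not accept a trailing 'Z' in fromisoformat().
    rec["ts"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
    return rec


def is_credential_theft_request(url: str) -> bool:
    """Credential-theft path: the widely published CVE-2018-13379 request
    shape, a directory traversal through /remote/fgt_lang aimed at
    sslvpn_websession. Requiring the target file plus a traversal marker
    also catches padded or URL-encoded variants of the "../" sequence."""
    u = url.lower()
    return ("/remote/fgt_lang" in u and "sslvpn_websession" in u
            and ("../" in u or "%2e%2e" in u))


ADMIN_API_PREFIX = "/api/v2/cmdb/"
SUSPICIOUS_USER_AGENTS = {"report runner", "node.js"}


def is_admin_control_request(rec: dict) -> bool:
    """Admin-control path: CVE-2022-40684 drives the admin REST API while
    posing as an internal process. Fortinet's advisory guidance points at
    entries with user="Local_Process_Access" and a "Report Runner" or
    "Node.js" user agent. The field names (url, user, ua) are assumptions
    of this example's log format."""
    if not rec.get("url", "").startswith(ADMIN_API_PREFIX):
        return False
    return (rec.get("user") == "Local_Process_Access"
            or rec.get("ua", "").lower() in SUSPICIOUS_USER_AGENTS)


def detect(log_text: str, window: timedelta = timedelta(hours=1)) -> list:
    """Run both rules over the log and correlate: a successful VPN login from
    a source that read the credential file within `window` is escalated,
    mirroring 'recon followed by remote authentication' in the report."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    alerts = []
    first_theft = {}  # srcip -> timestamp of its first credential-file read
    for rec in records:
        ip = rec.get("srcip", "?")
        if rec.get("action") == "request":
            if is_credential_theft_request(rec.get("url", "")):
                alerts.append({"rule": RULE_CRED_THEFT, "srcip": ip, "time": rec["time"]})
                first_theft.setdefault(ip, rec["ts"])
            elif is_admin_control_request(rec):
                alerts.append({"rule": RULE_ADMIN_CONTROL, "srcip": ip, "time": rec["time"]})
        elif rec.get("action") == "login" and rec.get("status") == "success":
            t0 = first_theft.get(ip)
            if t0 is not None and rec["ts"] - t0 <= window:
                alerts.append({"rule": RULE_LOGIN_AFTER_THEFT, "srcip": ip,
                               "time": rec["time"], "user": rec.get("user")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample data this raises three alerts: the credential-file read from 203.0.113.10, the login by jdoe from the same source 14 minutes later, and the admin API request from 198.51.100.7; the ordinary login from 192.0.2.55 is left alone. The same-source correlation is a deliberate simplification: credentials stolen through CVE-2018-13379 are often used later from a different address, so in production the login check should also fire on any VPN logon from a never-before-seen source after a credential-file read, not only from the reading host.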

Indicator of Compromise :

  • [IP Address] 5.5.5.5
  • [IP Address] 192.0.2.1
  • [Domain] malicious[.]com
  • [Email Address] attacker@example[.]com
  • [Hash] d41d8cd98f00b204e9800998ecf8427e

Note: the values above are placeholders, not indicators taken from the report. 192.0.2.1 lies in an RFC 5737 documentation range, example.com is a reserved domain, and d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty input. Do not load them into blocklists; take indicators from the full story linked below.



Full Story: https://www.reliaquest.com/blog/credential-theft-vs-admin-control-threat-spotlight/
