The Case For Just-In-Time Credentials and Zero Trust Access: Fortinet VPN Credentials Compromised

On September 8 2021, a threat actor released a list with half a million username and passwords for Fortinet VPN deployments. This is very concerning, as the attacker claims a large portion of these credentials are still valid. As a result, it is now easy for a threat actor to launch a customized campaign, targeting VPN nodes using these  credentials.

How can such an event be prevented in the future? Let’s analyze the stream of cascading risks that led up to this devastating scenario.

Plain-text storage of secrets: Secrets and other sensitive data should never be stored unencrypted, anywhere. Unfortunately, it is too often that secrets are embedded in scripts or code. In this particular case, it seems the vendor logged credentials in clear-text, which in turn could be extracted through a vulnerability. Whereas leaked data that is encrypted, is virtually useless to a bad actor. Added bonus: under GDPR rule, if compromised personal data is encrypted, organizations are likely exempt from the mandate to publicly announce the leak, avoiding reputational damage and hefty fines.

Using static passwords rather than Just-In-Time credentials: Static secrets remain valid for a long period of time, often indefinitely. When compromised, an attacker has ample opportunity to leverage these for malicious acts. Enforcing short time-to-live secrets decreases the threat potential significantly. Better yet, a unified secrets management solution, like the Akeyless Vaultless Platform provides features like automated secret rotation, as well as just-in-time temporary credentials creation, which ensures new credentials are used for every new authenticated and authorized session and are set to expire when no longer needed. This centralized, automated approach to secrets management reduces risk, and saves valuable time.

VPNs are the gateway to your kingdom: A VPN gateway is a critical and sensitive component of your network and must be managed with extra priority, given its known vulnerabilities. After all, its design principle provides public access on one side, and then provides access to entire private network segments on the other side. It should go without saying, it is critical to keep an eye out on your vendor’s security alerts and keep your systems up to date.

Newer, more secure technologies like Zero Trust Network Access (ZTNA) are increasingly replacing classic VPNs, and are reducing risk through micro segmentation and more granular, identity-based access control. However, ZTNA still requires architects and administrators to deal with an increasing amount of network complexity. In these days where infrastructure is as fluid as users and endpoints, application abstraction is key. It is counterintuitive that ZTNA still requires that a great deal of trust is given to your ZTNA provider. 

Fortunately, there are simpler and more secure solutions to enable your remote workforce with access to critical apps and data. Akeyless Secure Remote Access provides a unified solution for Zero Trust Application Access (ZTAA) by enabling seamless authentication, just-in-time access, and a least privilege approach. Additionally, Akeyless has zero knowledge of your credentials, certificates, and keys as part of its innovative DFC technology.