Why VPN bugs have been ignored, password leaks one after another

Details concerning VPN authentication leaked from Fortinet’s protection devices. User IDs and plaintext passwords were leaked by around 600 organisations in Japan, such as the Gifu Prefectural Administration. The trigger was a flaw in the protection devices’ SSL-VPN feature. Many of the victims were unaware of the flaw and did not have the fix applied. VPNs are constantly targeted owing to the accelerated proliferation of telework due to the recent corona virus.

“Is there a professional (information security)?” The Gifu Prefectural Office got harsh voices from the people of the prefecture in early December 2020. Authentication information leaked from the security equipment of Gifu Prefectural Government, such as ID and password for using the VPN (Virtual Private Network) feature. It was only after the local newspaper on the front page announced this fact.

In UK & Japan, roughly 600 companies have leaked authentication data
The leakage of VPN authentication information was discovered on 26 November by the individual in charge of the Information Planning Section, who is responsible for formulating IT plans and maintaining information security at the Gifu Prefectural Office. An investigation by a news agency to ascertain the truth of the leakage of information was caused.

On December 1, a local newspaper announced that the person in charge of the Information Preparation Division was investigating the truth and taking steps. The person in charge of the section was busy describing to the governor the situation and talking to the media.

As a result of a variety of inquiries, by misusing the leaked VPN authentication information, no proof of unauthorized access to the device inside the prefectural office was found. “If you make a mistake, important information may have been leaked to the outside.”If you make an error, major information may have been leaked to the outside.

On November 26, the Information Planning Division disabled the VPN feature of protection devices and is undertaking a thorough analysis of settings for related devices. “We will not leave it to our partner companies, but will thoroughly implement a policy of checking with our own eyes,”We will not leave it to our partner companies, but will thoroughly implement a policy of checking with our own eyes.

The Gifu Prefectural Office is not the only place that has been leaked to the outside with VPN authentication information. In Japan alone, over 600 organisations have been impacted, according to information security experts. Recruit, Aichi Prefecture, Ichinomiya Civic Municipal Hospital, Sapporo University, etc. have already learned the authentication data has been leaked to the outside.

On December 4, 2020, Sapporo University announced that there was a cyber attack on the infrastructure designed for clerical employee teleworking, and nine clerical employees’ IDs were leaked online. The new firmware was implemented on December 2, after disabling the VPN functionality on November 26, and the vulnerability was resolved.

The information provided by the Metropolitan Police Department has revealed, according to some sources, that VPN authentication information has been leaked to the outside.