A list containing approximately 500,000 Fortinet VPN login credentials, belonging to public and private organizations in 74 countries, has been published online. In all, about 22,500 organizations are exposed by this data leak, 40 of them in Italy.
The credentials were most likely harvested by criminal hackers in recent months by exploiting CVE-2018-13379, a path traversal vulnerability in the SSL VPN web portal of FortiOS, the operating system running on FortiGate devices. The bug lets an unauthenticated attacker read system files from the appliance, including the file that holds the credentials of logged-in SSL VPN users in cleartext; Fortinet fixed it in May 2019, but devices that were never patched remained exposed.
The stolen credentials could now allow threat actors to log in to the VPNs of the affected organizations, gain a foothold in their networks and carry out malicious activity such as exfiltrating sensitive data, installing malware and launching ransomware attacks.
What do we know about the Fortinet data leak
Analyses conducted by Advanced Intel experts confirmed that the credentials collected in the data leak are genuinely associated with Fortinet VPNs and that many of them are still valid.
It is not clear why the data leak was "given away" to users of the hacking forum rather than used directly by the threat actor who disclosed it to carry out malicious activity on their own.
“We believe the SSL VPN leak was likely to be done to promote the new RAMP ransomware forum that offers a ‘giveaway’ for aspiring ransomware operators,” said Vitali Kremez, CTO of Advanced Intel.
The post with a link to a file containing the Fortinet VPN accounts was published by a user with the nickname Orange, who is probably the administrator of the RAMP forum.
At the same time, another post reporting the Fortinet VPN data leak appeared on the Groove ransomware group's data-leak site.
Both posts point to a Tor server.
The user Orange was already known as a member of the Babuk ransomware group. After disputes with the other members, he reportedly split from the group and founded the RAMP forum, which serves as a "showcase" for the new criminal gang Groove, which so far has only one other data leak to its name. The new Fortinet VPN credential theft could therefore be a way of "certifying" the work of its members.
How to mitigate the risks
For its part, Fortinet issued an official statement: “The safety of our customers is our first priority. Fortinet is aware that an attacker leaked SSL-VPN credentials to access FortiGate SSL-VPN devices. Credentials were obtained from systems that have not yet implemented the patch update provided in May 2019. Since May 2019, Fortinet has continuously communicated with customers urging implementation of mitigations, including corporate blog posts from August 2019, July 2020, April 2021 and June 2021. We will issue another notice strongly recommending that customers implement both the patch update and password reset as soon as possible.”
In light of the above, administrators of Fortinet VPN servers should assume that their users' login credentials may have been compromised and, as the vendor itself recommends, force a reset of all SSL VPN passwords. Patching alone is not enough: it closes the hole but does not invalidate credentials that have already been taken, and the leaked list was assembled from devices that had never been patched.
It is also worth reviewing SSL VPN activity and connection logs for logins from unexpected IP addresses, for a single source IP authenticating as many different users, and for accounts that suddenly connect from new locations: any of these may indicate that the leaked credentials are being replayed against your network.
Finally, devices should be updated as soon as possible to a FortiOS release that includes Fortinet's fix for the vulnerability the criminal hackers exploited to harvest the credentials.
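The log review described above, as an added example that is not part of the original article and not Fortinet code: a small Python script that parses FortiOS-style key=value event log lines and flags successful SSL VPN logins from outside the organisation's expected address ranges, accounts seen from more than one source IP, and single source IPs that authenticate as several different users (the pattern left behind when a leaked credential list is replayed). The field names `action`, `user`, `remip`, `date` and `time`, the action values `tunnel-up` and `ssl-login-fail`, the trusted network ranges and the sample log lines are all assumptions or constructed data; check them against the log format of your own FortiOS version before relying on the output.

```python
"""Triage FortiGate SSL VPN event logs after the credential leak.

Added example, not from the original article and not Fortinet code.
Assumed log layout: FortiOS-style key=value syslog lines carrying the
fields date, time, action, user and remip. Adjust the names if your
FortiOS version logs them differently.
"""
import ipaddress
import re
from collections import defaultdict

# key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (not from any real device).
SAMPLE_LOGS = """\
date=2021-09-08 time=08:12:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=198.51.100.23 msg="SSL user failed to logged in"
date=2021-09-08 time=08:12:09 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.23 msg="SSL tunnel established"
date=2021-09-08 time=09:30:44 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=203.0.113.77 msg="SSL tunnel established"
date=2021-09-08 time=10:02:15 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=192.0.2.5 msg="SSL tunnel established"
date=2021-09-08 time=10:04:30 type="event" subtype="vpn" action="tunnel-up" user="carol" remip=198.51.100.23 msg="SSL tunnel established"
date=2021-09-08 time=10:05:00 type="event" subtype="vpn" action="tunnel-down" user="bob" remip=203.0.113.77 msg="SSL tunnel shutdown"
"""

# Ranges the organisation expects its VPN users to come from (assumed;
# replace with your office/egress ranges). Everything else is "untrusted".
TRUSTED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_trusted(ip, trusted_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def triage(log_text, trusted_nets=TRUSTED_NETS, min_users_per_ip=2):
    """Scan SSL VPN events and return the indicators worth a closer look.

    untrusted_logins:     successful logins from outside trusted_nets
    roaming_users:        accounts that logged in from more than one IP
    shared_source_ips:    one IP that logged in as several accounts
                          (what replaying a leaked list looks like)
    failed_logins_per_ip: failed attempts per source, for spray detection
    """
    untrusted_logins = []
    ips_per_user = defaultdict(set)
    users_per_ip = defaultdict(set)
    fails_per_ip = defaultdict(int)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        action, user, ip = ev.get("action"), ev.get("user"), ev.get("remip")
        if not (user and ip):
            continue  # not a login-related event
        if action == "ssl-login-fail":
            fails_per_ip[ip] += 1
        elif action == "tunnel-up":  # assumed name for a successful SSL VPN login
            if not is_trusted(ip, trusted_nets):
                untrusted_logins.append((ev.get("date"), ev.get("time"), user, ip))
            ips_per_user[user].add(ip)
            users_per_ip[ip].add(user)

    return {
        "untrusted_logins": untrusted_logins,
        "roaming_users": {u: sorted(s) for u, s in ips_per_user.items() if len(s) > 1},
        "shared_source_ips": {ip: sorted(s) for ip, s in users_per_ip.items()
                              if len(s) >= min_users_per_ip},
        "failed_logins_per_ip": dict(fails_per_ip),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Feed the script your exported VPN event log instead of `SAMPLE_LOGS` (for example `triage(open("vpn-events.log").read())`). Every account that appears under `untrusted_logins` or `shared_source_ips` should have its sessions terminated and its password reset before the rest of the forced reset is rolled out, since those are the ones most likely to be in active use by an attacker.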