Last summer, a threat actor allegedly leaked a list of nearly 500,000 Fortinet VPN login names and passwords scraped from exploitable devices.
While the exploited Fortinet vulnerability has been patched, the threat actor claims that many VPN credentials are still valid.
This is a serious breach because the VPN credentials could be used by threat actors to gain access to a network and perform data exfiltration, malware installation, and ransomware attacks.
Fortinet credentials were leaked on a hacking forum
The threat actor, who goes by the moniker “Orange,” apparently leaked a trove of usernames and passwords on a dark web forum.
While cybercriminals will often try their hardest to sell or use massive amounts of data for their own nefarious purposes, Orange appears to have made a massive amount of data available for free.
After a feud between Babuk gang members, Orange split off to form RAMP and is now thought to be a representative of the new Groove ransomware operation.
Babuk is a well-known ransomware gang that attempted to extort millions of dollars from the Washington D.C. Metropolitan Police Department earlier this year.
Groove has only recently launched a cybercriminal forum called RAMP, and researchers have speculated that the gang may have leaked the VPN accounts to draw attention to their own new business venture.
The threat actor posted a link to a file allegedly containing thousands of Fortinet VPN accounts on the RAMP forum yesterday.
At the same time, a post promoting the Fortinet VPN leak appeared on the Groove ransomware’s data leak site.
Both links point to a file hosted on a Tor storage server used by the Groove gang to host stolen files leaked to compel ransomware victims to pay.
According to an analysis, this file contains VPN credentials for 498,908 users across 12,856 devices.
Advanced Intel’s investigation revealed that the IP addresses belong to devices all over the world, with 2,959 of them in the US.
According to Kremez, the Fortinet CVE-2018-13379 vulnerability was used to collect these credentials.
A source in the cybersecurity industry was able to legally verify that at least some of the leaked credentials were valid.
It’s unclear why the threat actor chose to release the credentials rather than keep them for themselves, but it’s thought to be to promote the RAMP hacking forum and the Groove ransomware-as-a-service operation.
Groove is a new ransomware operation with only one victim listed on their data leak site right now. They may be hoping to recruit other threat actors to their affiliate system by offering freebies to the cybercriminal community.
Virtual private networks, or VPNs, are designed to protect users’ personal information as well as their online activity. If attackers gain access to them, the result could be a nightmare, according to reports. The SolarWinds hack, which reportedly began with malware, was one of the largest hacks that had occurred as of 2021.
What should administrators of Fortinet VPN servers do?
If you are a Fortinet VPN server administrator, you should assume that many of the credentials listed are valid and take precautions.
To be safe, you should perform a forced reset of all user passwords and review your logs for possible intrusions.
If anything appears to be suspicious, make sure you have the latest patches installed, conduct a more thorough investigation, and reset your users’ passwords right away.
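As an added example that is not part of the original article, the following Python script shows one way to do the log review recommended above: it parses FortiGate-style key=value SSL-VPN event lines and flags successful logins by accounts that appear in the leaked list, logins from source IPs not seen before the leak, and successes immediately preceded by a failure from the same address. The log lines, usernames, field names and baseline IPs are all constructed assumptions, not data from the leak.

```python
# Added example, not from the article: triage FortiGate-style SSL-VPN event logs
# against a list of leaked usernames. Every log line, username and IP below is
# CONSTRUCTED; the key=value layout mirrors FortiOS syslog, but the field and
# action names are assumed, so adapt them to your own log source.
import re
from collections import defaultdict

LEAKED_USERS = {"jdoe", "asmith"}  # constructed stand-in for the leaked list

# Source IPs each user was seen from BEFORE the leak (constructed baseline).
BASELINE_IPS = {"jdoe": {"198.51.100.23"}, "bwong": {"192.0.2.77"}}

LOG_LINES = """\
date=2021-09-08 time=03:12:41 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=198.51.100.23
date=2021-09-08 time=03:15:02 type="event" subtype="vpn" action="ssl-login-fail" user="asmith" remip=203.0.113.9
date=2021-09-08 time=03:15:09 type="event" subtype="vpn" action="tunnel-up" user="asmith" remip=203.0.113.9
date=2021-09-08 time=09:40:00 type="event" subtype="vpn" action="tunnel-up" user="bwong" remip=192.0.2.77
""".splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(lines, leaked_users, baseline_ips):
    """Return {user: [findings]} for successful logins that deserve a closer look:
    the account is on the leaked list, the source IP is absent from the pre-leak
    baseline, or the success follows a failed attempt from the same IP."""
    findings = defaultdict(list)
    last_fail = {}  # (user, ip) -> time of most recent failed login
    for line in lines:
        ev = parse_line(line)
        user, ip, action = ev.get("user"), ev.get("remip"), ev.get("action")
        if action == "ssl-login-fail":
            last_fail[(user, ip)] = ev.get("time")
        elif action == "tunnel-up":
            if user in leaked_users:
                findings[user].append(f"leaked account logged in from {ip}")
            if ip not in baseline_ips.get(user, set()):
                findings[user].append(f"login from IP not in baseline: {ip}")
            if (user, ip) in last_fail:
                findings[user].append(f"success after failure from {ip} at {last_fail[(user, ip)]}")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in triage(LOG_LINES, LEAKED_USERS, BASELINE_IPS).items():
        print(user, "->", "; ".join(notes))
```

Accounts that appear in the output are candidates for an immediate password reset and session termination, ahead of the forced reset of everyone else.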