
Hackers dump login credentials of Fortinet VPN users in plain-text

Fortinet VPN users are urged to reset their passwords as the company has acknowledged the data to be legitimate.


Popular network security solutions provider, Fortinet, has confirmed that a cybercriminal gang managed to gain unauthorized access to VPN login IDs and passwords linked with 87,000 FortiGate SSL-VPN devices.

Hackread.com can confirm the gang has dumped a trove of around 500,000 login credentials belonging to Fortinet VPN users. This disclosure came after the hacker leaked a list of compromised credentials for free on a recently launched Russian-speaking Dark Web forum called RAMP and on the data leak website of Groove ransomware.

Screenshot of the post on Groove ransomware’s website accessible through Tor browser (Image: Hackread.com)

Furthermore, the breach list contains exclusive access to high-profile companies across 74 countries, including Israel, India, France, and Italy, while out of 225,500 victims, 2,959 are identified as US entities.


Data Leaked on the Dark Web

The threat actor who leaked Fortinet VPN users’ credentials on a dark web forum goes by the online handle of “Orange.” Moreover, the actor posted most of the information for free on the dark web rather than selling the data to interested parties.

As seen by Hackread.com, the leaked data is in plain-text format and available for download on infamous forums including RaidForums and XSS.

Plain-text Fortinet VPN login credentials (Image: Hackread.com)

Security firm Advanced Intel identified that Orange is a member of the Groove ransomware gang and previously worked for another prominent ransomware collective known as Babuk. Babuk targeted and extorted the Washington D.C. Metropolitan Police Department earlier in 2021 and raked in millions of dollars.

Previously Discovered Vulnerability Led to the Data Leak

Research reveals that the threat actor compromised such a large trove of data by exploiting a previously discovered vulnerability in Fortinet VPN. For your information, back in April, federal agencies alerted the company about multiple security flaws in the company’s VPN that may allow unauthorized individuals to access user data.


Fortinet issued patches for the security flaws, but this didn’t prevent cybercriminals from accessing exclusive login credentials.

“These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor’s scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable,” Fortinet’s statement read.

About the Vulnerability

CVE-2018-13379 is a path traversal vulnerability in the web portal of FortiOS SSL VPN that allows unauthorized people to read arbitrary system files, such as the session file that contains usernames and passwords in plaintext format. It emerged as one of the most exploited security flaws in 2020, as identified by intelligence agencies in the UK, Australia, and the USA.

To prevent further compromise, it is essential to disable all VPNs from Fortinet and upgrade your devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above. Also, initiate an organization-wide password reset.
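The upgrade and reset advice above can be turned into an inventory triage. The following Python sketch is an added example, not Fortinet's or Hackread.com's code: the device names, dates and status labels are constructed, and treating branches newer than 6.2 as "and above" is an assumption drawn from the wording of the advice.

```python
from datetime import date

# Minimum releases named in the article, keyed by (major, minor) branch.
MIN_FIXED = {(5, 4): 13, (5, 6): 14, (6, 0): 11, (6, 2): 8}

def parse_version(text):
    """'6.0.9' -> (6, 0, 9); raises ValueError on anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts

def meets_minimum(version):
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in MIN_FIXED:
        return patch >= MIN_FIXED[branch]
    # Assumption: branches newer than the newest listed one count as "and above";
    # any other unlisted branch is flagged for upgrade.
    return branch > max(MIN_FIXED)

def triage(version, upgraded_on, passwords_reset_on):
    """Return the action still owed for one device (labels are hypothetical)."""
    if not meets_minimum(version):
        return "UPGRADE_AND_RESET"
    # A reset made before the upgrade could have been read again while unpatched,
    # so only a reset on or after the upgrade date closes the exposure.
    if passwords_reset_on is None or upgraded_on is None or passwords_reset_on < upgraded_on:
        return "RESET_PASSWORDS"
    return "OK"

# Constructed inventory: name -> (version, date it reached that release, last reset).
INVENTORY = {
    "vpn-edge-01": ("6.0.9", None, date(2021, 9, 10)),
    "vpn-edge-02": ("6.2.8", date(2021, 5, 3), None),
    "vpn-edge-03": ("5.6.14", date(2021, 5, 3), date(2021, 4, 1)),
    "vpn-edge-04": ("6.4.2", date(2020, 12, 1), date(2021, 9, 9)),
}

def report(inventory):
    return {name: triage(*fields) for name, fields in inventory.items()}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

A device only reaches `OK` when it is on a fixed release and its passwords were reset on or after the upgrade, which matches the point in Fortinet's statement that patched systems remain exposed until credentials are changed.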

Not for the first time

This is not the first time hackers have leaked sensitive login credentials belonging to Fortinet products. On 19th November, a hacker using the alias “pumpedkicks” published 6.7 GB worth of sensitive details, citing a Fortinet SSL VPN vulnerability.

