Woodkirk Stone
A threat actor has disclosed around 500,000 Fortinet VPN login credentials that have allegedly been stolen from 87,000 vulnerable devices since 2019.
Identified as “Orange,” the hacker was initially a member of the Babuk ransomware operation, but split up to form another cybercrime company, the RAMP Hack Forum. Its former Babuk ransomware group attempted to extort $ 4 million from the Washington DC Metropolitan Police in May this year.
The malicious actor is also believed to be a member of the GROOVE ransomware operation.
According to the hacker, the exploited VPN vulnerability was already fixed, but the credentials were still valid. Various sources have confirmed the validity of some compromised VPN accounts. Groove ransomware gang also listed credentials leaked on their data leak site.
Cyber ​​security experts believed the hacker freely posted the login credentials to promote the RAMP hacking forum.
Leaked Fortinet VPN Accounts Are Valid
Fortinet has acknowledged the data breach, which it claims occurred between May 2019 and June 2021.
“Fortinet is aware that a malicious actor has disclosed SSL-VPN credentials to access FortiGate SSL-VPN devices,†the company said. “The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019. Since May 2019, Fortinet has continuously communicated with its customers to urge them to implement implementing mitigation measures, including corporate blog posts in August 2019, July 2020, April 2021, and June 2021.
Bleeping Computer analyzed the file and confirmed that the IP addresses were from valid Fortinet VPN servers. The tech website‘s source also confirmed that some of the leaked Fortinet VPN accounts were valid. Threat intelligence firm Advanced Intel also checked VPN accounts and found that 2,959 out of 12,856 devices were in the United States.
Vulnerability remains a problem after more than two years
Cyber ​​security experts believed hackers exploited Fortinet vulnerability CVE 2018-13379 to harvest leaked Fortinet credentials.
Described as a path traversal vulnerability in Fortinet’s FortiOS SSL VPN web portal, the vulnerability allows an unauthenticated attacker to read arbitrary files, including the sessions file.
Worse yet, Fortinet stored login credentials in plain text format. Although Fortinet fixed this vulnerability in May 2019, many VPN devices have not implemented the patch. Likewise, affected customers may have already been compromised before applying the fix.
“An ongoing challenge for many companies is the lack of a complete and accurate inventory of all of their assets,†says Jamie Lewis, Venture Partner, Rain Capital. “IT professionals, CISO and BISO do not have the means or the capacity to understand their environment in real time to make risk assessments.
The flaw was among the most exploited vulnerabilities in 2020, according to a review from Five Eyes members in the US, UK and Australia.
Threat actors exploited the vulnerability to execute ransomware attacks
Likewise, the Russian Foreign Intelligence Service (SVR) has regularly exploited the loophole in its cyber espionage campaign, according to a joint US and UK cybersecurity advisory.
Compromised VPN accounts are among the most popular initial access methods for ransomware operators. Threat actors buy them to reduce the effort required to deploy ransomware on their victims’ networks.
Fortinet recommends that its customers implement both the fix and reset their VPN account passwords to avoid further compromises.
A list of IP addresses associated with compromised VPN accounts is available on GitHub. Details have been stripped of any sensitive information. Fortinet customers should check if their IP addresses are on the list and take the necessary steps to secure their VPN accounts.
“As businesses and users begin to adopt passwordless authentication methods such as ‘phone as token’ and FIDO2 for customer and single sign-on (SSO) portals and enterprise applications, vulnerabilities still exist in entire categories of cases such as third-party sites. , VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure), all of which are particularly vulnerable in the current explosion of WFH, â€noted Rajiv Pimplaskar, CRO, Veridium.