Near half a million Fortinet VPN passwords exposed online
It follows an FBI warning from April that threat actors were attempting to compromise vulnerable Fortinet FortiOS servers
A criminal has leaked the security credentials for almost 500,000 Fortinet VPN accounts on a hacking forum.
As reported by BleepingComputer, the credentials were scraped from vulnerable devices last summer and have now been dumped on a dark web forum by an individual going by the moniker 'Orange'.
While cybercriminals often use such data to serve their own purposes or sell it to other hackers, 'Orange' has apparently leaked the trove of user names and passwords for free.
'Orange' is said to be a member of the Groove ransomware group, and the administrator of the newly launched RAMP cybercrime forum. S/he was previously involved with the Babuk ransomware operation, but launched RAMP after disputes between other members of the Babuk gang surfaced.
'[The] Groove data leak website currently has one victim, a manufacturing company based in Germany, whose exfiltrated data was published on August 27, 2021,' according to cyber security firm Advanced Intel.
A post was published on the RAMP forum on Tuesday, linking to a file that contained credentials for nearly 499,000 users. These credentials were allegedly leaked from over 12,856 devices and sourced from as many as 74 different countries.
The file with Fortinet VPN credentials is hosted on a Tor storage server. BleepingComputer analysed the file and found that all of the IP addresses it checked were Fortinet VPN servers.
These accounts are believed to have been compromised through CVE-2018-13379, a previously disclosed vulnerability in Fortinet's SSL VPN.
In April, the US FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned organisations that malicious actors were attempting to compromise vulnerable Fortinet FortiOS servers through multiple bugs in their software.
The company has since issued security updates to address those vulnerabilities.
'Orange' claimed that a large number of credentials leaked were still valid.
Advanced Intel CTO Vitali Kremez said that the hacker(s) published the data publicly simply to promote the RAMP cybercrime forum, and as a recruitment tool.
Threat actors could use the leaked data to access a network to install malware, extract data, or perform ransomware attacks.
Fortinet users are advised to reset their passwords and check logs for possible intrusions. They should also ensure that they have the latest patches for the service installed on their systems.
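As an added illustration of the "check logs for possible intrusions" advice above (example code written for this article, not Fortinet's or BleepingComputer's), the script below reviews SSL VPN login events for two signs that a leaked credential is being replayed: a successful login from outside the organisation's known address ranges, and a burst of failed logins for one account immediately followed by a success. The log lines are constructed samples in FortiGate-style key=value syslog syntax; the field names (`date`, `time`, `user`, `remip`, `action`) and action values are assumed for this example, and the IP addresses and user names are made up.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real FortiGate output). Field names and the
# action values "tunnel-up" / "ssl-login-fail" are assumptions for this example.
SAMPLE_LOGS = [
    'date=2021-09-08 time=08:02:11 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=203.0.113.10 msg="SSL tunnel established"',
    'date=2021-09-08 time=08:05:40 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.7 msg="SSL login failed"',
    'date=2021-09-08 time=08:05:52 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.7 msg="SSL login failed"',
    'date=2021-09-08 time=08:06:03 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.7 msg="SSL login failed"',
    'date=2021-09-08 time=08:06:15 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=198.51.100.7 msg="SSL tunnel established"',
    'date=2021-09-08 time=09:14:27 type="event" subtype="vpn" action="tunnel-up" user="carol" remip=192.0.2.55 msg="SSL tunnel established"',
]

# Address ranges the organisation expects its own users to connect from
# (constructed example values; TEST-NET ranges).
TRUSTED_NETS = ["203.0.113.0/24", "192.0.2.0/24"]

# key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict and attach a datetime under "ts"."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    fields["ts"] = datetime.strptime(
        f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S"
    )
    return fields


def find_suspicious_logins(lines, trusted_nets, fail_threshold=3, window_seconds=300):
    """Return a list of findings for successful logins that look like credential replay.

    A login is flagged when its source address is outside trusted_nets, or when the
    same account had at least fail_threshold failures in the preceding window_seconds.
    """
    nets = [ip_network(n) for n in trusted_nets]
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failed logins

    for line in lines:
        ev = parse_line(line)
        user, ts, action = ev.get("user"), ev["ts"], ev.get("action")

        if action == "ssl-login-fail":
            recent_failures[user].append(ts)
            continue
        if action != "tunnel-up":
            continue  # only successful logins are scored

        src = ip_address(ev["remip"])
        reasons = []
        if not any(src in net for net in nets):
            reasons.append("login from outside trusted networks")

        # Failures for this account inside the look-back window before this success.
        fails = [t for t in recent_failures[user] if 0 <= (ts - t).total_seconds() <= window_seconds]
        if len(fails) >= fail_threshold:
            reasons.append(f"{len(fails)} failed attempts within {window_seconds}s before success")
        recent_failures[user].clear()  # a success resets the per-account failure run

        if reasons:
            findings.append({"user": user, "remip": str(src), "ts": ts.isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOGS, TRUSTED_NETS):
        print(f'{finding["ts"]} user={finding["user"]} remip={finding["remip"]}: {"; ".join(finding["reasons"])}')
```

Run against the samples, only the `bob` login is reported, for both reasons. In practice the trusted ranges would come from the organisation's own address inventory, and any account flagged this way is a candidate for the password reset the article recommends, followed by a review of what that session did after connecting.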