How Threat Actors Hijack Credentials for 500,000 Fortinet VPN Accounts

An attacker has leaked a list of nearly 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. While the attacker states that the Fortinet vulnerability used to harvest them has since been patched, they claim that many of the VPN credentials are still valid.

This leak is a serious incident, as valid VPN credentials could allow attackers to access a network to exfiltrate data, install malware, and carry out ransomware attacks.

Fortinet Passwords Exposed on a Hacking Forum

A list of Fortinet credentials was leaked for free by a threat actor known as 'Orange,' who is the administrator of the newly launched RAMP hacking forum and a former operator of the Babuk ransomware operation.

After a dispute among members of the Babuk group, Orange split off to start RAMP and is now believed to be a representative of the Groove ransomware operation.

The threat actor recently created a post on the RAMP forum linking to a file that allegedly contains thousands of Fortinet VPN accounts.


At the same time, a post appeared on the Groove ransomware data leak site also promoting the Fortinet VPN leak.


Both posts lead to a file hosted on a Tor storage server that the Groove group uses to host stolen files, which it leaks to pressure ransomware victims into paying. Our experts examined this file and found that it contains VPN credentials for 498,908 users across 12,856 devices.

While we did not test whether any of the leaked passwords were valid, our experts can confirm that all of the IP addresses we checked are Fortinet VPN servers. Further analysis by Advanced Intel shows that the IP addresses belong to devices across the world, with 2,959 devices located in the USA.


Advanced Intel CTO Vitali Kremez told our experts that the now-patched Fortinet CVE-2018-13379 vulnerability was exploited to collect these credentials. A source in the cybersecurity industry told our experts that they were able to legally verify that at least some of the leaked credentials were valid.

However, sources give mixed answers, with some saying that many of the credentials work, while others state that most do not. It is still not clear why the attacker released the credentials rather than using them themselves, but it is believed to have been done to promote the RAMP hacking forum and the Groove ransomware-as-a-service operation.

“We believe with high confidence the VPN SSL leak was likely accomplished to promote the new RAMP ransomware forum offering a ‘freebie’ for wannabe ransomware operators,” Advanced Intel CTO Vitali Kremez told our experts.

Groove is a relatively new ransomware operation that only has one victim currently listed on their data leak site. However, by offering freebies to the cybercriminal community, they may be hoping to recruit other threat actors to their affiliate system.

What Should Fortinet VPN Server Admins Do?

While our experts cannot legally verify the list of credentials, if you administer a Fortinet VPN server, you should assume that many of the listed credentials are valid and take precautions.

These precautions include performing a forced reset of all user passwords and checking your logs for signs of intrusion.


If anything looks suspicious, you should immediately make sure that you have the latest patches installed, perform a more thorough investigation, and make sure that your users' passwords are reset. Note that patching alone does not invalidate credentials that were already stolen from the device, which is why the password reset matters even on a device that was patched long ago.

To check whether a device is part of the leak, a security researcher has created a list of the leaked devices' IP addresses.
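The two checks above (is one of my devices on the leaked-IP list, and do my logs show logins I cannot explain) are easy to automate. The following script is an added example written for this page; it is not code from the original article, from the researcher's list, or from Fortinet. The IP addresses, the leaked-list excerpt and the log lines are constructed samples using RFC 5737 documentation ranges, and the FortiOS key=value log fields it looks at (`subtype`, `action`, `tunneltype`, `user`, `remip`) are assumed to match the format your device emits; adjust the field names if your logs differ.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: public IPs of your own FortiGate SSL VPN servers (assumed).
OUR_VPN_SERVERS = ["203.0.113.10", "198.51.100.25", "192.0.2.7"]

# Constructed stand-in for a researcher-published list of leaked device IPs.
# Real lists may carry a port, comments or blank lines, so the parser tolerates them.
LEAKED_DEVICE_LIST = """\
203.0.113.10:10443
198.51.100.99
# comment line

192.0.2.7
"""

# Constructed sample: source networks your users normally connect from (assumed).
EXPECTED_SOURCE_NETS = ["203.0.113.0/24"]

# Constructed FortiOS-style SSL VPN event log lines (field names assumed).
SAMPLE_LOGS = """\
date=2021-09-08 time=08:01:12 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip="203.0.113.50" msg="SSL tunnel established"
date=2021-09-08 time=08:05:44 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="bob" remip="203.0.113.51" msg="SSL tunnel established"
date=2021-09-08 time=02:14:33 type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip="198.51.100.77" msg="SSL tunnel established"
date=2021-09-08 time=02:15:01 type="event" subtype="vpn" level="alert" action="ssl-login-fail" user="carol" remip="198.51.100.77" msg="SSL user failed to log in"
"""

# key=value pairs, with the value either double-quoted or a bare token.
LOG_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_ip_list(text):
    """Return the set of valid IP addresses in a one-per-line list, ignoring
    comments, blank lines and an IPv4 ':port' suffix."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = line.rsplit(":", 1)[0] if line.count(":") == 1 else line
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            continue  # not an address; skip rather than abort the whole check
    return ips


def devices_in_leak(our_servers, leaked_text):
    """Sorted list of our VPN server IPs that appear in the leaked-device list."""
    leaked = parse_ip_list(leaked_text)
    return sorted(ip for ip in our_servers if ip in leaked)


def parse_fortios_line(line):
    """Turn one FortiOS key=value log line into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in LOG_KV.findall(line)}


def suspicious_ssl_logins(log_text, expected_nets):
    """Return (outside, multi): successful SSL VPN tunnels from outside the
    expected source networks, and users seen from more than one source IP.
    A stolen credential is most often used from an IP the real user never uses."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    outside = []
    ips_per_user = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_fortios_line(line)
        # Only successful SSL VPN tunnel establishment counts as a login here.
        if rec.get("subtype") != "vpn" or rec.get("action") != "tunnel-up":
            continue
        if rec.get("tunneltype") != "ssl-tunnel":
            continue
        user, remip = rec.get("user"), rec.get("remip")
        if not user or not remip:
            continue
        try:
            addr = ipaddress.ip_address(remip)
        except ValueError:
            continue
        ips_per_user[user].add(remip)
        if not any(addr in n for n in nets):
            outside.append((user, remip, f'{rec.get("date")} {rec.get("time")}'))
    multi = {u: sorted(s) for u, s in ips_per_user.items() if len(s) > 1}
    return outside, multi


if __name__ == "__main__":
    print("Our devices on the leaked list:", devices_in_leak(OUR_VPN_SERVERS, LEAKED_DEVICE_LIST))
    outside, multi = suspicious_ssl_logins(SAMPLE_LOGS, EXPECTED_SOURCE_NETS)
    for user, ip, when in outside:
        print(f"Login from unexpected source: user={user} remip={ip} at {when}")
    for user, ips in multi.items():
        print(f"User seen from several IPs: {user} -> {ips}")
```

A match against the leaked-device list means the device's credential store was very likely dumped, so the password reset applies to every account on it, not only to users who show up in the log review. Treat the "outside expected networks" rule as a starting point: the failed `ssl-login-fail` line from the same remote IP in the sample is the kind of adjacent event worth pulling into the same investigation.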

While Fortinet never responded to our emails about the leak, after we contacted them about the incident they published an advisory confirming our reporting that the leak was related to the CVE-2018-13379 vulnerability.

“This incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers.

And because customer safety is our top preference, Fortinet consequently issued various corporate blog posts detailing this issue, actively assisting customers to upgrade affected devices. In addition to advisories, bulletins, and direct interactions, these blogs were published in August 2019, July 2020, April 2021, and again in June 2021.” – Fortinet.
