Fortinet website in browser with company logo showing data leak of VPN accounts

Threat Actor Leaks Login Credentials Of About 500,000 Fortinet VPN Accounts

A threat actor leaked about 500,000 Fortinet VPN login credentials reportedly stolen from 87,000 vulnerable devices since 2019.

Identified as “Orange,” the hacker was initially a member of the Babuk ransomware operation but split to form another cybercrime enterprise, the RAMP hacking forum. His former group Babuk ransomware had tried to extort $4 million from Washington D.C. Metropolitan police in May this year.

The threat actor is also suspected to be a member of the GROOVE ransomware operation.

According to the hacker, the exploited VPN vulnerability was already patched, but the credentials were still valid. Various sources confirmed the validity of some compromised VPN accounts. Groove ransomware gang also listed the leaked credentials on its data leak site.

Cybersecurity experts believed the hacker freely released the login credentials to promote the RAMP hacking forum.

Leaked Fortinet VPN accounts are valid

Fortinet acknowledged the data leak, which it says occurred between May 2019 and June 2021.

“Fortinet is aware that a malicious actor has disclosed SSL-VPN credentials to access FortiGate SSL-VPN devices,” the company said. “The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019. Since May 2019, Fortinet has continuously communicated with customers urging the implementation of mitigations, including corporate blog posts in August 2019, July 2020, April 2021, and June 2021.”

Bleeping Computer analyzed the file and confirmed that the IP addresses were from valid Fortinet VPN servers. The technology website’s source also confirmed that some of the leaked Fortinet VPN accounts were valid. The threat intelligence firm Advanced Intel also verified the VPN accounts and found that 2,959 out of 12,856 devices were located in the United States.

Vulnerability still an issue after more than two years

Cybersecurity experts believed that the hackers exploited Fortinet’s CVE 2018-13379 vulnerability to harvest the leaked Fortinet credentials.

Described as a path traversal vulnerability in Fortinet’s FortiOS SSL VPN web portal, the vulnerability allows an unauthenticated attacker to read arbitrary files, including the sessions file.

Even worse, Fortinet stored the login credentials in plaintext format. Although Fortinet patched this vulnerability in May 2019, many VPN devices did not implement the patch. Similarly, the affected customers were possible already compromised before applying the patch.

“A continuing challenge for many businesses is the lack of a complete and accurate inventory of all their assets,” says Jamie Lewis, Venture Partner, Rain Capital. “IT professionals, CISOs and BISOs do not have the means or ability to understand their environment in real time to make assessments of risk.”

The flaw was among the most exploited vulnerabilities in 2020, according to an advisory from Five Eyes members US, UK, and Australia.

Threat actors exploited the vulnerability to execute ransomware attacks

Similarly, the Russian Foreign Intelligence Service (SVR) routinely exploited the flaw in its cyber espionage campaign, according to a joint cybersecurity advisory by the US and UK.

Compromised VPN accounts are among the most popular initial access methods for ransomware operators. Threat actors buy them to reduce the effort required to deploy ransomware on their victims’ networks.

Fortinet recommends that its customers should implement both the patch and reset their VPN accounts’ passwords to prevent further compromise.

A list of IP addresses associated with the compromised VPN accounts is available on GitHub. The details were stripped of any sensitive information. Fortinet customers should check if their IP addresses appear on the list and take the necessary steps to secure their VPN accounts.

“While enterprises and users are starting to adopt passwordless authentication methods like ‘phone as a token’ and FIDO2 for customer and Single Sign-On (SSO) portals and enterprise applications, vulnerabilities still exist across entire categories of cases such as, 3rd party sites, VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure) environments, all of which are particularly vulnerable in the current WFH explosion,” noted Rajiv Pimplaskar, CRO, Veridium.