UPDATE: A spokesperson for Fortinet provided us with the following statement regarding the VPN leak:
“The security of our customers is our first priority. Fortinet is aware that a malicious actor has disclosed SSL-VPN credentials to access FortiGate SSL-VPN devices. The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019. Since May 2019, Fortinet has continuously communicated with customers urging the implementation of mitigations, including corporate blog posts in August 2019, July 2020, April 2021 and June 2021.
Original Story: If you’re a hacker attempting to promote a new hacking forum and ransomware operation, what’s a great way to grab everyone’s attention? By leaking the login details of 498,908 VPN accounts for free online.
As Bleeping Computer reports, that’s exactly what a hacker who goes by the name “Orange” has done. Orange used to be a member of the Babuk ransomware operation, but split off to launch a new hacking forum called RAMP and a new ransomware operation called Groove.
The leaked details are for Fortinet’s SSL-VPN, with the nearly 500,000 accounts potentially offering access to 12,856 devices, 2,959 of which are located in the US based on the IP addresses included with the leaked information. An analysis by Advanced Intel confirmed that all of the IP addresses belong to Fortinet devices, and Bleeping Computer has been told that at least some of the logins are still valid.
Fortinet is an American multinational founded in 2000 by brothers Ken and Michael Xie. The company specializes in selling enterprise cybersecurity solutions, including firewalls, antivirus, antispyware, web filtering, wireless security, intrusion prevention, and a VPN solution. This huge collection of account logins was stolen by exploiting vulnerabilities in Fortinet’s FortiOS that the Cybersecurity & Infrastructure Security Agency (CISA) warned about back in April, and for which, per Fortinet’s statement above, a patch has been available since May 2019.
It’s thought Orange decided to share these details to attract other hackers to the RAMP forum and therefore grow the new Groove ransomware operation. For Fortinet customers, the response is twofold: apply the FortiOS update if it hasn’t already been done, and reset the VPN passwords of every user as soon as possible. Patching alone is not enough, because credentials harvested before the patch was applied remain usable until they are changed. The fact that some logins are still valid shows that, for a good number of organizations, neither step happened in the months since the vulnerabilities were reported.
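The first question an administrator will ask is whether any of their own FortiGate devices appear in the dump. The following script is an added example, not code from the article, Bleeping Computer or Advanced Intel: it parses a small constructed sample in an assumed “ip,username” layout (the real dump’s layout is not reproduced here, and passwords are deliberately omitted), matches each entry against the organization’s own public address ranges, and reports which devices and which usernames are exposed so that those accounts can be prioritized for the password reset.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data in an assumed "ip,username" layout.
# Addresses are from the RFC 5737 documentation ranges; none are real devices.
SAMPLE_LEAK = """\
# ip,username
203.0.113.10,alice
203.0.113.10,bob
198.51.100.7,carol
192.0.2.55,dave
203.0.113.44,erin
not-an-ip,mallory
"""

# Assumed: the public address ranges this organization owns.
ORG_RANGES = ["203.0.113.0/24", "192.0.2.0/24"]


def parse_leak(text):
    """Return a list of (ip_address, username) tuples from the dump text.

    Blank lines, comment lines and entries whose address does not parse
    are skipped rather than aborting the whole run.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip_str, _, user = line.partition(",")
        try:
            ip = ipaddress.ip_address(ip_str.strip())
        except ValueError:
            continue
        entries.append((ip, user.strip()))
    return entries


def affected_devices(entries, org_ranges):
    """Map each leaked device address inside org_ranges to its sorted usernames."""
    nets = [ipaddress.ip_network(r, strict=False) for r in org_ranges]
    hits = defaultdict(set)
    for ip, user in entries:
        if any(ip in net for net in nets):
            hits[str(ip)].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}


def exposed_accounts(entries, org_ranges):
    """Return the total number of leaked accounts that belong to this organization."""
    return sum(len(users) for users in affected_devices(entries, org_ranges).values())


if __name__ == "__main__":
    leak = parse_leak(SAMPLE_LEAK)
    hits = affected_devices(leak, ORG_RANGES)
    for ip, users in sorted(hits.items()):
        print(f"{ip}: reset passwords for {', '.join(users)}")
    print(f"{exposed_accounts(leak, ORG_RANGES)} exposed accounts across {len(hits)} devices")
```

Matching is done on the device address rather than on usernames because the leak is organized by device, and the same generic usernames recur across many organizations. A device that shows up here should be patched and have every SSL-VPN user’s password rotated, not only the ones listed, since the dump is unlikely to be the only copy of what was harvested.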