Hackers exploited Fortinet CVE-2018-13379 vulnerability to extract the data

In a significant data leak, the usernames and passwords of about 5 lakh Fortinet VPN customers were published on the internet, according to reports. It is believed that the list comprises data from about 12,856 devices from all around the world, according to the information available.

The credentials for Fortinet have been made available for free by a threat actor going by the name of ‘Orange.’ According to a report published by BleepingComputer, Orange is the administrator of the recently created RAMP hacker forum and has previously been associated with the Babuk ransomware campaign.

Citing a Fortinet vulnerability in a blog post that included the URL to the stolen credentials, Orange says that the credentials were scraped by a Fortinet weakness. Even though the security flaw has now been fixed, the stolen VPN credentials, which include usernames and passwords, are still being used today. You may also be interested to know How to Choose the Best VPN to Protect Your Privacy?

Fortinet said in a statement to the media agency that the data was stolen from computers that had not been patched with the latest security patch since 2019. In response to a hostile actor disclosing SSL-VPN credentials to access FortiGate SSL-VPN devices, Fortinet has taken the following action: “The credentials were acquired from computers that had not yet installed the patch update that was released in May of this year.”

“Since May 2019, Fortinet has consistently engaged with customers, encouraging them to adopt mitigations, including corporate blog articles in August 2019, July 2020, April 2021, and June 2021,” the company continued. The company also announced that it will be sending “another alert strongly advising that consumers perform both the patch upgrade and password reset as soon as possible.”

For the time being, the file containing the leaked credentials is being stored on a Tor storage server. BleepingComputer has confirmed that the file contains VPN credentials for 498,908 users and that all of the IP addresses tested were Fortinet VPN servers after analyzing the file. Advanced Intel also confirms that the information has been gathered from people all around the world. Another source verified that at least part of the credentials that had been released was genuine since it was able to validate them lawfully in the process.

Because it is such a large data set, and because it has been made available for free, it is now impossible to determine the objectives of the hackers. Although Advanced Intel CTO Vitali Kremez speculates that the disclosed data was made public to promote the RAMP hacking forum by providing a “freebie” for members, he does not believe this is the case.

On top of his involvement with the RAMP ransomware forum, the threat actor Orange is also suspected of being a representative of the new Groove ransomware operation, which has so far only mentioned one victim on its data dumpsite. The article containing the stolen data from Fortinet was also found on the data dumpsite for the Groove ransomware. The operation may be attempting to recruit new threat actors to their system by publishing the free data.

Because it allows hackers to get access to a network, the data breach is extremely significant because it opens the door for them to extract data, install malware, or launch ransomware attacks. Fortinet users are thus recommended to update to the most recent service patch and to execute a forced password reset for all of their accounts. Besides that, they should examine their logs for any suspected intrusions.