Fortinet VPN accounts data leaked

Credentials stolen from 87,000 unpatched Fortinet SSL-VPNs have been uploaded online. Fortinet confirmed this shocking news in a blog post published on its website on Wednesday.


Security experts, however, suspect that the number is much higher. According to the information that is available, a threat actor who claims to have stolen almost half a million Fortinet VPN passwords last year has leaked a file that includes the VPN credentials for 498,908 users on 12,856 machines. Analysis of the file reveals that all of the IP addresses are valid Fortinet VPN servers, although the passwords have not been tested.

Another analysis reveals that the IP addresses belong to devices from all around the world. As per the details that have been disclosed, 22,500 entities have been affected in total, with 2,959 of them located in the United States.

While Fortinet has yet to respond to requests for clarification on how many devices were compromised, the company has confirmed that the attackers had exploited a path traversal weakness in Fortinet’s FortiOS (FG-IR-18-384 / CVE-2018-13379), a vulnerability discovered in 2018 and which has been repeatedly exploited since then.

A patch for the flaw was released in May 2019, and since then Fortinet has reminded its customers multiple times to upgrade their devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above. However, patching alone is not enough: even after IT staff patch their VPNs, they must also change device passwords to avoid security risks, since credentials stolen before the upgrade remain valid.

The vulnerability, which was ranked as one of the top 30 most exploited vulnerabilities by the Cybersecurity and Infrastructure Security Agency (CISA), allows an unauthenticated attacker to download system files by using specially crafted HTTP resource requests via the SSL VPN web interface.

How to Keep Your VPN Safe

Users who want to see whether their version is affected by the vulnerability responsible for this credential leak can do so by checking Fortinet’s advisory.
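As an added example (not from the article, and not Fortinet's own tooling), a small Python check that compares a FortiOS version string against the fixed releases the article lists. The `get system status`-style input lines are constructed samples, and the rule that branches the article does not list come back as "unknown" is this example's own conservative assumption.

```python
import re

# Minimum fixed FortiOS release per branch, as listed in the article
# ("upgrade to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above").
FIXED_VERSIONS = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract the first X.Y.Z version from a string such as
    'Version: FortiGate-60E v6.0.10,build0365,200806 (GA)' (constructed
    sample in the style of 'get system status'). Returns a tuple or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for a FortiOS version.

    Assumption (this example's own, conservative rule): any release below
    the listed fixed version on a listed branch is 'vulnerable'; branches
    the article does not list are 'unknown' so the operator consults
    Fortinet's advisory instead of trusting this table.
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample lines, not real device output.
    for line in [
        "Version: FortiGate-60E v6.0.10,build0365,200806 (GA)",
        "Version: FortiGate-100D v5.6.14,build1727,200512 (GA)",
        "Version: FortiGate-200E v6.2.3,build1066,191219 (GA)",
        "Version: FortiGate-40F v6.4.6,build1879,210520 (GA)",
    ]:
        print(f"{parse_version(line)} -> {assess(line)}")
```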

Organizations that have been running a vulnerable version are advised to disable all VPNs, upgrade the affected devices without delay, perform an organization-wide password reset and apply multi-factor authentication, according to Fortinet’s security recommendations.

Researchers are warning that the potential impact of this data leak could be significant, since attackers may use the exposed VPN credentials to exfiltrate data, install malware, and launch ransomware attacks.

More details on the credentials leak reveal that a threat actor known as Orange – who has previously operated the Babuk ransomware campaign and who runs the newly established RAMP hacking forum – was behind the release of Fortinet credentials. What is more, the RAMP forum was used by Orange on Tuesday to host a post which linked to a file containing hundreds of Fortinet VPN accounts.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
