This summer, a hacker leaked a list of almost 500,000 Fortinet VPN login names and passwords.
This data was allegedly extracted from exploitable devices.
This leak is a serious incident because VPN credentials could enable malicious actors to access a network to perform data exfiltration, install malware and carry out ransomware attacks.
Even though we regularly warn of cyber-attacks and advocate prevention and vigilance when it comes to the security of your IT data, a reminder never hurts.
Here is a look back at this attack, its consequences and what you can do to avoid it.
Fortinet credentials leaked on a hacking forum: update on this VPN data leak
The list of Fortinet credentials was leaked for free by a threat actor known as "Orange", who is the administrator of the new RAMP hacking forum and a former operator of the Babuk Ransomware operation.
After disputes between members of the Babuk gang, Orange split off to launch RAMP and is now considered a representative of the new Groove ransomware operation.
The threat actor created a post on the RAMP forum with a link to a file containing thousands of Fortinet VPN accounts.
At the same time, an article appeared on the Groove ransomware data leak site, also promoting the Fortinet VPN leak.
Both publications lead to a file hosted on a Tor storage server that the Groove gang uses to host stolen files, which it leaks to pressure ransomware victims into paying.
The consequences of this data leak
According to BleepingComputer, which analyzed this file, it contains VPN credentials for 498,908 users on 12,856 devices.
Although BleepingComputer has not tested whether any of the disclosed credentials were valid, it could confirm that all the IP addresses it checked were Fortinet VPN servers.
In response to this data leak, Infologo checked that our customers were not included in the leaked database.
Fortunately, none of our customers fell victim to the hack.
How can you avoid this type of cyber-attack?
First of all, if you're a Fortinet VPN server administrator, you should assume that most of the credentials listed are valid and take precautions.
These precautions include performing a forced reset of all user passwords to be on the safe side, and checking your logs for possible intrusions.
If anything looks suspicious, you should immediately ensure that the latest patches are installed, investigate further and make sure that your users' passwords are reset.
Finally, to check whether a device is part of the leak, security researcher Cypher created a list of the leaked devices' IP addresses.
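The two checks described above, whether your own gateways appear in a published list of affected devices and whether the VPN logs show logins that deserve a closer look, can be scripted. The following is an added example written for this article, not code from the original post, from Fortinet or from the researcher's list. All input data is constructed: the gateway addresses use documentation ranges, the leaked-device excerpt is invented, and the log lines imitate a generic key=value event format whose field names (`user`, `remip`, `action`) are assumed rather than taken from any vendor documentation.

```python
"""Added example: post-leak triage for a VPN administrator.

Check 1: are any of our gateway IPs in the published list of affected devices?
Check 2: do the logs show an account used from several source IPs, or a
         successful login right after a burst of failures from one source?
All data below is constructed sample input; log field names are assumed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: public IPs of the VPN gateways we operate (documentation ranges).
OUR_GATEWAYS = ["198.51.100.10", "198.51.100.11", "203.0.113.5"]

# Constructed: excerpt of a published affected-device list (comments, optional ports).
LEAKED_DEVICE_LIST = """
# affected device IPs (constructed sample)
198.51.100.11
192.0.2.77
203.0.113.5:10443
"""

# Constructed key=value VPN event logs; field names are assumed, not vendor-specific.
VPN_LOGS = """
date=2021-09-08 time=08:01:12 action="ssl-login-fail" user="alice" remip=192.0.2.200
date=2021-09-08 time=08:01:15 action="ssl-login-fail" user="alice" remip=192.0.2.200
date=2021-09-08 time=08:01:19 action="ssl-login-fail" user="alice" remip=192.0.2.200
date=2021-09-08 time=08:01:23 action="tunnel-up" user="alice" remip=192.0.2.200
date=2021-09-08 time=08:30:00 action="tunnel-up" user="bob" remip=198.51.100.200
date=2021-09-08 time=09:10:44 action="tunnel-up" user="bob" remip=192.0.2.9
date=2021-09-08 time=09:15:02 action="tunnel-up" user="carol" remip=198.51.100.201
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_leaked_ips(text):
    """Return the set of IP addresses in a leaked-device list, skipping comments
    and stripping a trailing :port where present."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for candidate in (line, line.rsplit(":", 1)[0]):  # whole line, then without :port
            try:
                ips.add(str(ipaddress.ip_address(candidate)))
                break
            except ValueError:
                continue
    return ips


def gateways_in_leak(our_ips, leaked_text):
    """Our gateway IPs that appear in the published list, sorted."""
    leaked = parse_leaked_ips(leaked_text)
    return sorted(ip for ip in our_ips if ip in leaked)


def parse_log(text):
    """Turn key=value log lines into dicts (quotes removed)."""
    return [{k: v.strip('"') for k, v in KV.findall(line)}
            for line in text.splitlines() if line.strip()]


def suspicious_logins(log_text, fail_threshold=3):
    """Flag two patterns worth investigating after a credential leak:
    - 'success-after-failures': a tunnel comes up for (user, ip) after at least
      fail_threshold consecutive failed logins from that same source;
    - 'multiple-sources': one account successfully connected from several IPs."""
    sources = defaultdict(set)   # user -> set of source IPs with a successful login
    fails = defaultdict(int)     # (user, ip) -> consecutive failures so far
    findings = []
    for ev in parse_log(log_text):
        user, ip, action = ev.get("user"), ev.get("remip"), ev.get("action")
        if action == "ssl-login-fail":
            fails[(user, ip)] += 1
        elif action == "tunnel-up":
            if fails[(user, ip)] >= fail_threshold:
                findings.append(("success-after-failures", user, ip, fails[(user, ip)]))
            fails[(user, ip)] = 0
            sources[user].add(ip)
    for user, ips in sources.items():
        if len(ips) > 1:
            findings.append(("multiple-sources", user, ",".join(sorted(ips)), len(ips)))
    return findings


if __name__ == "__main__":
    print("gateways in leak:", gateways_in_leak(OUR_GATEWAYS, LEAKED_DEVICE_LIST))
    for finding in suspicious_logins(VPN_LOGS):
        print("investigate:", finding)
```

Both findings are starting points for an investigation, not proof of compromise: a user travelling may legitimately connect from two addresses, and a forgotten password produces failures followed by a success. The value of the script is that it turns "check your logs" into a repeatable list of accounts to look at first, and a hit on the gateway list tells you the forced password reset is not optional.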
The most important thing to remember is that you must remain vigilant to any action you find suspicious.
In terms of prevention, to reinforce VPN access security, we recommend setting up two-factor authentication on FortiGate routers.
This is made possible by token (FortiToken) licenses.
For more information on this subject, and to enhance your security, don't hesitate to contact us.
We'll help you take the right steps to ensure your safety.