A previously patched Fortinet VPN vulnerability has again been exploited. The threat actor, identified as “Orange,” allegedly exploited the Fortinet CVE-2018-13379 vulnerability and leaked over 500,000 login credentials of Fortinet VPN users on the dark web.
VPNs are meant for private communication; their purpose is to secure and manage access to private networks. But when the VPN device itself is compromised, the consequences are severe, as it exposes the internal network to malware and ransomware attacks.
The list of user accounts was leaked for free on a dark web forum, giving other threat actors access to perform malicious activities on the compromised devices. According to AdvIntel, a threat prevention and loss avoidance firm, a new ransomware group, dubbed Groove, which became more active in August and September 2021, released leaks of Fortinet SSL VPN credentials via its leak website on September 7, 2021. 799 directories and 86,941 compromised VPN connections were reportedly on the list.
Orange, who was allegedly a part of the Babuk ransomware gang before, is believed to be the leader of the RAMP hacking forum and also a part of the Groove ransomware-as-a-service operation.
In a Twitter thread addressed to BleepingComputer, @CryptoCypher shared a cleaned list of the IP addresses of the Fortinet VPN victims.
Looking for the Fortinet VPN victim list from today’s news? I parsed it for you, fellow researchers: https://t.co/M7o3XmOgYE
I used reverse DNS to add more context to the IP addresses and removed usernames and passwords. #Fortinet #CTI #DataLeak #DataBreach https://t.co/kxJ7K9mc5N
— Cypher (@CryptoCypher) September 8, 2021
Hackers leak passwords for 500,000 Fortinet VPN accounts – @LawrenceAbrams https://t.co/1oQfe2L0I4
— BleepingComputer (@BleepinComputer) September 8, 2021
Advice
Experts have recommended disabling all VPNs until the devices are upgraded to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, installing the latest patches, and resetting passwords across the organization to avoid potential risks.
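As an added illustration of the upgrade advice (this is not code from the article or from Fortinet), the following Python audit checks a constructed device inventory against the fixed FortiOS releases named above. Treating branches newer than 6.2 as already past the fix and branches older than 5.4 as unpatched is an assumption made here.

```python
import re

# Minimum fixed FortiOS release per branch, as stated in the advice above
# (5.4.13, 5.6.14, 6.0.11, 6.2.8).
FIXED_RELEASES = {
    (5, 4): 13,
    (5, 6): 14,
    (6, 0): 11,
    (6, 2): 8,
}

# Accepts "6.0.9", "v6.2.8", or "v6.2.8 build1234"; trailing build text is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(text):
    """Return (major, minor, patch) parsed from a FortiOS version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True if the release is at or above the fixed release for its branch."""
    major, minor, patch = parse_fortios_version(version_text)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return patch >= FIXED_RELEASES[branch]
    # Assumption: branches newer than the newest listed one are "above" the
    # fix; branches older than the oldest listed one are treated as unpatched.
    return branch > max(FIXED_RELEASES)


def audit_inventory(inventory):
    """inventory maps hostname -> version string; returns hosts still needing an upgrade."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {
        "vpn-hq": "6.0.9",
        "vpn-branch1": "v6.2.8 build1234",
        "vpn-branch2": "5.6.7",
        "vpn-lab": "6.4.2",
        "vpn-legacy": "5.2.10",
    }
    for host in audit_inventory(sample):
        print(f"{host}: {sample[host]} needs upgrade")
```

Patching alone does not invalidate credentials already harvested from an exposed device, which is why the advice pairs the upgrade with an organization-wide password reset.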
Attacks against Fortinet’s SSL-VPN
Nuspire, a managed security services provider (MSSP), in its 2021 Q1 Threat Landscape Report observed a 1,916% increase in attacks against Fortinet’s SSL-VPN and a 1,527% increase in attacks against Pulse Connect Secure VPN.
As more and more organizations had to move to remote and hybrid work environments, threat actors seized on the opportunities offered by this newly exposed attack surface, and they actively continue to do so.
“2020 was the era of remote work and as the workforce adjusted, information technology professionals scrambled to support this level of remote activity by enabling a wide variety of remote connectivity methods,” said J.R. Cunningham, Nuspire Chief Security Officer.
The benefit of a VPN is that it provides access to resources that are not reachable from the public network, and it is typically used by telecommuting and remote workers. Encryption is common, although it is not an inherent part of a VPN connection.
Zscaler’s 2021 VPN Risk Report, which was based on the responses of over 350 cybersecurity professionals, highlighted that 72% of organizations expressed concern that VPNs endanger their ability to keep their IT environments secure. Interestingly, 67% of enterprises are considering a remote access alternative to a traditional VPN. With the zero trust model gaining significance, 72% of companies are prioritizing the adoption of zero trust given the shift to remote work. The report also reflected on the level of awareness among the user community: 93% of companies are leveraging VPN services, and yet 94% are aware that VPNs are targeted by threat actors to gain access to network resources and spread malware and ransomware.