
FORTINET SSL-VPN ACCOUNT CREDENTIALS LEAKED!

A threat actor identified as “Orange,” who broke off from the older Babuk ransomware gang, became the leader of the new RAMP hacking forum and runs the new Groove ransomware operation, reportedly leaked almost 500,000 passwords, perhaps to promote the new operation and recruit other hackers.

These 500,000 credentials include usernames and passwords for Fortinet VPN devices, scraped from vulnerable appliances over the past months by exploiting a Fortinet vulnerability. Although the bug was fixed in May 2019, multiple attackers have successfully exploited the security flaw to deliver a variety of malicious payloads to unpatched devices. In August 2019, July 2020, April 2021, and June 2021, Fortinet issued a series of advisories urging users to upgrade affected appliances.

Virtual Private Networks (VPNs) have long been used to hide a user’s actual location and activities on the internet, whether for security purposes or to bypass region locks. A VPN is one definite tool in the network security arsenal, since enterprises use it for secure communication and data transfer, but it is not bulletproof, especially when it is the VPN itself that gets attacked. This is the situation Fortinet VPN users found themselves in as of 9 September, the reporting date.

Fortinet’s scalable, high-performance VPNs ensure organizations maintain consistent security policies and access control across all their applications, devices, and users, regardless of their location. They provide secure communication between multiple endpoints and networks through IPsec and SSL technologies.

However, the network provider confirmed that a malicious actor had leaked, without authorization, VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time the actor harvested them. CVE-2018-13379 is a vulnerability in the FortiOS SSL VPN web portal that allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext. This affects the integrity of Fortinet VPN deployments, since threat actors holding valid credentials can go on to steal data or install ransomware on other computers. It has emerged as one of the most exploited flaws in 2021, according to a list compiled by intelligence agencies in Australia, the U.K. and the U.S. earlier this year.

The file containing the leaked credentials is currently hosted on a Tor storage server, since it is a huge data set, and it has been leaked for free. The intentions of the hackers are as yet unknown, and it remains a mystery why the threat actor released the credentials rather than using them himself. Advanced Intel CTO Vitali Kremez speculates that the hacked material was made public in order to promote the RAMP hacking forum by giving participants a “freebie.”


This leak jeopardizes the security and integrity of Fortinet VPN servers. Although enterprises and users are starting to adopt passwordless authentication methods such as ‘phone as a token’, FIDO2 for customers, Single Sign-On (SSO) portals and enterprise applications, vulnerabilities still exist across entire categories of use cases, such as third-party sites, VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure) environments, all of which are particularly vulnerable.

The only applicable recourse at this point is for server owners to carry out immediate remediation.


WHAT ARE THE POSSIBLE REMEDIATIONS? WHAT SHOULD FORTINET VPN ADMINS DO?

  • Upgrade all affected devices to FortiOS 4.13, 5.6.14, 6.0.11, or 6.2.8 and above.
  • If you do not plan to upgrade your FortiOS, immediately disable the VPN.
  • Treat all credentials as compromised and perform an organization-wide password reset.
  • Notify users to explain the reason for the password reset, and monitor services.

Note: There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.
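As an added example (not part of the original post, and not Fortinet tooling), the following Python script shows the kind of monitoring the last step and the note above call for. It parses a constructed, generic authentication-log sample (not FortiGate’s actual log format) and flags source addresses that fail logins for many distinct usernames within a short window, which is the signature of credential stuffing with a leaked list, and then lists any account that logged in successfully from such a source, since those are the accounts to lock and reset first. The log layout, thresholds, IP addresses and usernames are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (documentation-range IPs, made-up users). This is a
# generic "timestamp src user result" layout for the example, not FortiGate's log format.
SAMPLE_LOG = """\
2021-09-09T10:00:01Z src=203.0.113.5 user=alice result=failure
2021-09-09T10:00:02Z src=203.0.113.5 user=bob result=failure
2021-09-09T10:00:03Z src=203.0.113.5 user=carol result=failure
2021-09-09T10:00:04Z src=203.0.113.5 user=dave result=failure
2021-09-09T10:00:05Z src=203.0.113.5 user=erin result=failure
2021-09-09T10:00:06Z src=203.0.113.5 user=frank result=success
2021-09-09T10:05:00Z src=198.51.100.9 user=alice result=failure
2021-09-09T10:05:30Z src=198.51.100.9 user=alice result=failure
2021-09-09T10:06:00Z src=198.51.100.9 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, src, user, result); None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"]


def detect_credential_stuffing(log_text, distinct_users=5, window=timedelta(minutes=10)):
    """Flag source IPs that fail logins for at least `distinct_users` different usernames
    within `window`. Credential stuffing replays one leaked password per account across
    many accounts, so the tell is breadth of usernames from one source, not depth of
    attempts against one account (that pattern is brute force, which this does not flag).
    Returns {src: sorted list of usernames tried}."""
    failures = defaultdict(deque)  # src -> deque of (ts, user), oldest first
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, result = parsed
        if result != "failure":
            continue
        q = failures[src]
        q.append((ts, user))
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= distinct_users:
            flagged[src] = sorted(users)
    return flagged


def successes_from_flagged_sources(log_text, **kwargs):
    """Return (src, user) pairs for successful logins from a source flagged for stuffing.
    These accounts were most likely on the leaked list and should be locked and reset first."""
    flagged = detect_credential_stuffing(log_text, **kwargs)
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] == "success" and parsed[1] in flagged:
            hits.append((parsed[1], parsed[2]))
    return hits


if __name__ == "__main__":
    for src, users in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"stuffing suspected from {src}: {', '.join(users)}")
    for src, user in successes_from_flagged_sources(SAMPLE_LOG):
        print(f"reset and review: {user} (logged in from {src})")
```

On the sample above, 203.0.113.5 is flagged (five distinct usernames failing within seconds, then a success for frank), while 198.51.100.9 is not, because repeated failures against a single account are a different pattern. In practice the thresholds should be tuned to the appliance’s normal login volume, and the source field should be whatever the real log schema calls the client address.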


Research Sources: BleepingComputer, Threatpost, The Hacker News, SlashGear


Copyright © Infoprive 2021. All Right Reserved.