A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid. This leak is a serious incident as the VPN credentials could allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks. The list of Fortinet credentials was leaked for free by a threat actor known as ‘Orange,’ who is the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk Ransomware operation. After disputes occurred between members of the Babuk gang, Orange split off to start RAMP and is now believed to be a representative of the new Groove ransomware operation. Yesterday, the threat actor created a post on the RAMP forum with a link to a file that allegedly contains thousands of Fortinet VPN accounts.
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests. Fortinet is aware that a malicious actor has disclosed SSL-VPN access information to 87,000 FortiGate SSL-VPN devices. These credentials were obtained from systems that were unpatched against at the time of the actor’s scan, but may since have been patched but the passwords not reset.
The list of the victims is also available for anyone to check.