Groove, the ransomware-as-a-service cyber gangsters, leaked credentials of FortiGate SSL VPN

More than 5 lakh (500,000) FortiGate SSL VPN credentials have been leaked by a ransomware group, in an attempt to raise its visibility and prowess. The credentials were scraped from unpatched FortiGate SSL VPN devices. Every device that remains unpatched, and every credential that has not been changed, remains open to unauthorised access to the organisation's network using the stolen credentials.

Threat Actors

On 7 September 2021, the threat actor 'Orange' created a post on the RAMP forum with a link to a file that allegedly contains thousands of Fortinet VPN accounts. The purpose of the leak is unclear, because the threat actor 'Orange' could have used these credentials himself/herself. 'Orange' appears to be a breakaway group from the Babuk ransomware group. 'Orange' has created the RAMP hacking forum and is also providing ransomware-as-a-service under the name 'Groove'.


BleepingComputer quoted Vitali Kremez, CTO, Intel: "We believe with high confidence the VPN SSL leak was likely accomplished to promote the new RAMP ransomware forum offering a 'freebie' for wannabe ransomware operators." This assessment is based on the fact that the RAMP hacking forum and the Groove ransomware operators hosted the leaked file on the same Tor storage servers that Groove uses to host files stolen from its victims, in order to pressure them into paying the ransom.


The Vulnerability


The affected Fortinet firewall/VPN operating systems are FortiOS 6.0 (6.0.0 to 6.0.4), FortiOS 5.6 (5.6.3 to 5.6.7) and FortiOS 5.4 (5.4.6 to 5.4.12). The vulnerability, CVE-2018-13379, is a path traversal flaw: it allows unauthenticated attackers to download system files through specially crafted HTTP resource requests. The critical vulnerability was assigned a CVSS score of 9.8.
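Because the flaw above is triggered by HTTP requests carrying path traversal sequences, the quickest retrospective check a defender can make is to look for such sequences in the web server or VPN portal access logs. The following Python script is an added example, not code from the article or from Fortinet: it parses constructed access-log lines in Common Log Format, percent-decodes the request target repeatedly (so double encoding does not hide the sequence), and flags any request whose path or query contains a bare `..` segment, marking requests that returned HTTP 200 as possibly successful. The IP addresses, paths and log lines are all constructed for illustration and are not from the original page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (hypothetical, not from the article).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Sep/2021:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1532
203.0.113.11 - - [07/Sep/2021:10:01:05 +0000] "GET /portal/page?lang=/../../../../etc/passwd HTTP/1.1" 200 8012
203.0.113.12 - - [07/Sep/2021:10:01:07 +0000] "GET /portal/page?lang=%2e%2e%2f%2e%2e%2fsecrets HTTP/1.1" 200 4100
203.0.113.13 - - [07/Sep/2021:10:01:09 +0000] "GET /static/logo.png HTTP/1.1" 200 512
203.0.113.14 - - [07/Sep/2021:10:01:11 +0000] "GET /portal/page?lang=..%252f..%252fconfig HTTP/1.1" 404 210
203.0.113.15 - - [07/Sep/2021:10:01:13 +0000] "GET /docs/readme..txt HTTP/1.1" 200 99
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def normalize_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats double encoding) and unify slashes."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if any path or query segment is exactly '..' after normalization."""
    norm = normalize_target(target)
    # Split on path and query delimiters so 'readme..txt' is not flagged but '/../' is.
    return any(seg == ".." for seg in re.split(r"[/?=&]", norm))


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose target contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of failing the whole run
        if is_traversal(m["target"]):
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": int(m["status"]),
                "target": m["target"],
                # A 200 on a traversal request is the worrying case: the file may have been served.
                "possible_success": m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Any hit with `possible_success` set is a reason to treat the device's credentials as exposed and to reset them, whether or not the device has since been patched.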


The bug was patched and a fix was released in 2019, along with two-factor authentication as a mitigation. Fortinet and organisations such as the NCSC, FBI and CISA have issued 15 separate notifications and advisories to Fortinet customers over the past two years, warning them of the risks of failing to update affected systems and providing links to the critical patches. However, a large number of systems remained unpatched. These systems were scraped by the hackers and their credentials stolen.


According to BleepingComputer, India is the most affected country. See the distribution chart published by BleepingComputer below.



The Solutions


The company has been warning customers that this vulnerability is being weaponised by hacking groups in the wild, and recommends:


  • Users of FortiOS 6.0 (6.0.0 to 6.0.4), FortiOS 5.6 (5.6.3 to 5.6.7) and FortiOS 5.4 (5.4.6 to 5.4.12) must patch.

  • All users who have remained unpatched to date must reset their credentials.

  • VPN services should be temporarily disabled while organisations perform the password resets.

  • Fortinet is also urging customers to upgrade to FortiOS 5.4.13, 5.6.14, 6.0.11 or 6.2.8 and above, which contain the necessary security fixes.
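Acting on the guidance above across a fleet means mapping each device's reported FortiOS version onto the affected ranges and the fixed minimum releases. The following Python is an added example, not Fortinet's code or tooling: the affected ranges and fixed minimums are the ones stated in this article, while the inventory hostnames and version strings (including the `,buildNNNN` suffix form) are constructed for illustration. Devices in the "vulnerable" group are the ones to patch and credential-reset first; devices that are not in a listed affected range but sit below the recommended minimum are reported separately as "upgrade-recommended".

```python
import re

# Affected ranges (inclusive) per FortiOS branch, as stated in the article.
AFFECTED_RANGES = {
    "6.0": ((6, 0, 0), (6, 0, 4)),
    "5.6": ((5, 6, 3), (5, 6, 7)),
    "5.4": ((5, 4, 6), (5, 4, 12)),
}

# First release per branch that Fortinet urges customers to upgrade to, per the article.
FIXED_MINIMUM = {
    "5.4": (5, 4, 13),
    "5.6": (5, 6, 14),
    "6.0": (6, 0, 11),
    "6.2": (6, 2, 8),
}


def parse_version(s: str) -> tuple:
    """Parse '6.0.4', 'v6.0.4' or 'v6.0.4,build0272' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> str:
    """Classify one version string against the published ranges."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch in AFFECTED_RANGES:
        lo, hi = AFFECTED_RANGES[branch]
        if lo <= v <= hi:
            return "vulnerable"
    if branch in FIXED_MINIMUM:
        return "patched" if v >= FIXED_MINIMUM[branch] else "upgrade-recommended"
    # Branch not covered by the article's guidance at all (e.g. a newer major release).
    return "unknown-branch"


# Constructed inventory: hostnames, versions and build numbers are hypothetical.
INVENTORY = {
    "fw-edge-01": "v6.0.4,build0272",
    "fw-edge-02": "6.0.11",
    "fw-branch-07": "5.6.7",
    "fw-lab-01": "6.2.3",
    "fw-new-01": "7.0.1",
}


def triage(inventory: dict) -> dict:
    """Group hosts by assessment so the vulnerable ones can be patched and credential-reset first."""
    groups = {}
    for host, ver in inventory.items():
        groups.setdefault(assess(ver), []).append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:20s} {', '.join(hosts)}")
```

Note that a device reporting "patched" here is only patched against this vulnerability; if it was exposed while still running an affected release, its credentials must still be reset, as the second recommendation above states.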


Source: Inputs from & more details at Bleepingcomputer.com and zdnet.com
