Breach at the FortiGate

500,000 online credentials: that's the theft against Fortinet VPN

Adriano SPADARI, September 9, 2021

Since Tuesday the 7th, 498,908 login credentials for 87,000 FortiGate SSL-VPN devices have been online on the Russian-speaking forum RAMP. As the American multinational itself has admitted, these are the usernames and passwords through which people connect to virtual private networks that are meant to guarantee data protection and anonymity on the web.

The cybercriminal, known as Orange and, according to some insiders, a member of the Groove collective (which seems to be connected to Babuk, the group we had already discussed in relation to the attack on the Metropolitan Police Department (MPD) of the District of Columbia and, subsequently, to the detriment of private individuals), has chosen to release the huge haul for free, via a link leading to a page reachable through Tor.

The flaw, among the 30 most exploited in 2020, stems from a vulnerability, FG-IR-18-384 / CVE-2018-13379, discovered in April 2019, for which the American company had issued several PSIRT advisories and patches from the following May onward. It is assumed that these were not installed on the 12,856 devices targeted in 74 different countries, including Italy. Earlier versions of FortiOS allowed access to system files via specific HTTP requests, without authentication to the web portal. For this reason the company had also urged all customers to update the software and then reset their credentials.

It should be remembered that malicious access to the Fortinet VPN accounts of individuals and companies using compromised VPN appliances would allow attackers to infiltrate networks, steal sensitive data, install malware or, worse still, use those networks as a launching point for ransomware attacks. As if that were not enough, Orange himself admitted that most of the stolen credentials are still valid. For this reason, on 8 September Fortinet itself advised its customers to force a reset of all passwords and to check their logs to verify that no suspicious access has taken place.