[MART] - Daily Diary #344 - Fortinet VPN Accounts Compromised

CTAS-MAT ctas-mat at appgate.com
Thu Sep 9 22:10:35 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

09/09/2021 - Diary entry #344:

A threat actor named "Orange", administrator of the RAMP hacking forum and a previous operator of the Babuk Ransomware operation, has posted on the RAMP forum a link to a file containing thousands of Fortinet VPN accounts. At the same time, another post appeared on Groove ransomware's wall-of-shame site, also promoting the leak which contains VPN credentials for 498,908 users over 12,856 devices. According to Bleeping, Orange is believed to be also a representative of the Groove ransomware operation. This can be a partnership between RAMP and other groups, as we have seen in the Payload Bin forum.

The credentials were obtained from unpatched systems, using a path traversal vulnerability, tracked as CVE-2018-13379, in the FortiOS SSL VPN web portal. This vulnerability allows unauthenticated attackers to read arbitrary files, like the session file, which contains plaintext credentials. This vulnerability was exploited by multiple threat actors since the date it was disclosed.

This kind of security incident is very dangerous, especially considering the credentials for VPNs used in organizations. The leaked credentials can be used as an entry vector for more complex attacks. For instance, the recent Colonial Pipelines attack, orchestrated by the DarkSide group, used a compromised credential for a legacy VPN appliance. As this didn't implement multi-factor authentication or any additional security measures to allow access to the company systems, the attackers easily used it to deploy their ransomware operation.

It's important for companies using Fortigate VPN to immediately invalidate all credentials if they believe it's possible they were affected by this incident, keep the VPN appliances up-to-date, and implement Multi-Factor Authentication as soon as possible. Adopting a ZeroTrust methodology is also a must, as this can limit the damage of any potential breach and help companies to quickly recover after an incident. We also recommend switching from legacy VPN appliances to a Software-Defined Perimeter, allowing them to authenticate the user and the device before allowing a connection, strengthening the security.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210909/5e75b760/attachment.htm>

More information about the MART mailing list