A threat actor claimed to have leaked a list of almost 500,000 usernames and passwords for Fortinet VPN devices. The list was allegedly harvested from compromised devices over the summer.
Valid VPN credentials give an attacker an authenticated foothold on the victim's network, from which further attacks can be launched.
The credentials, which belong to organizations running Fortinet's VPN products rather than to the security firm Fortinet itself, were posted on the RAMP hacking forum by a threat actor known as "Orange", who maintains the forum.
Orange was previously part of the Babuk gang, but internal disputes led him to part ways with it and launch RAMP. He is also believed to act as the representative of the Groove ransomware operation.
On 7 September he posted on the RAMP forum a link to a file said to contain almost 500,000 verified usernames and passwords for users of Fortinet's VPN servers. The file itself was hosted on the data leak site of the Groove ransomware gang.
Advanced Intel's analysis of the list found that 2,959 of the address ranges of the compromised devices are located in the US.
A source also said that they could verify that at least a subset of the leaked passwords was valid. The threat actors are believed to have released the credentials to promote the RAMP hacking forum and the Groove ransomware operation:
“We believe with high confidence the VPN SSL leak was likely accomplished to promote the new RAMP ransomware forum offering a “freebie” for wannabe ransomware operators,” Advanced Intel CTO Vitali Kremez told BleepingComputer.
So far, only one victim of the new Groove ransomware operation is known. Its goal appears to be recruiting other threat actors into its affiliate program.
There is no way to verify every credential the threat actors claim to have stolen, so administrators of Fortinet VPN devices should proceed on the assumption that the credentials in the list are valid.
The only effective response right now is to reset the passwords of all VPN users and review the device's activity logs for suspicious sign-ins. Installing the latest patches is also advised, but patching alone does not invalidate credentials that were already harvested, so the password reset is necessary even on devices that are now fully up to date.
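The log review recommended above, as an added example that is not code from the article, from Fortinet or from any of the parties named: a small Python triage script over constructed FortiGate-style SSL-VPN event lines. It flags successful logins by accounts that appear in the leaked list, successful logins from a source IP never seen for that user before, and source IPs whose failed logins span many accounts (the pattern of someone replaying a leaked list). The key="value" layout and the field names used (date, time, subtype, action, remip, user) are assumptions about the FortiGate format, and the users, addresses and leaked-account list are constructed sample data.

```python
"""Post-leak triage of FortiGate-style SSL-VPN event logs.

Added example, not code from the article or from Fortinet. The log lines
are constructed samples in a key="value" layout; the field names relied on
(date, time, subtype, action, remip, user) are assumptions about the
FortiGate format, so check them against your own device's output.
"""
import re
from collections import defaultdict
from datetime import datetime

# One key=value pair: the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample data (not real devices, users or addresses).
LEAK_POSTED = datetime(2021, 9, 7)          # day the list appeared on RAMP
LEAKED_USERS = {"jdoe", "bchen"}            # accounts found in the leaked list
KNOWN_SOURCES = {                           # IPs each user logged in from before the leak
    "jdoe": {"192.0.2.10"},
    "asmith": {"192.0.2.11"},
    "bchen": {"192.0.2.12"},
}
SAMPLE_LOG = [
    'date=2021-09-06 time=12:00:00 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.99 user="jdoe" msg="SSL tunnel established"',
    'date=2021-09-08 time=02:14:09 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.23 user="jdoe" msg="SSL tunnel established"',
    'date=2021-09-08 time=08:00:01 type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.11 user="asmith" msg="SSL tunnel established"',
    'date=2021-09-08 time=09:10:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.77 user="asmith" msg="SSL user failed to log in"',
    'date=2021-09-08 time=09:10:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.77 user="bchen" msg="SSL user failed to log in"',
    'date=2021-09-08 time=09:10:09 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.77 user="cdiaz" msg="SSL user failed to log in"',
    'date=2021-09-08 time=09:10:12 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.77 user="dlee" msg="SSL user failed to log in"',
    'date=2021-09-08 time=09:30:00 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.77 user="bchen" msg="SSL tunnel established"',
    'date=2021-09-08 time=10:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.5 user="asmith" msg="SSL user failed to log in"',
    'date=2021-09-08 time=10:06:00 type="event" subtype="system" action="login" user="admin" msg="Administrator login from 192.0.2.11"',
]


def parse_line(line):
    """Parse one key=value line into a dict, stripping quotes from values."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def event_time(rec):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")


def triage(lines, leaked_users, known_sources, since, spray_threshold=3):
    """Return three kinds of findings from SSL-VPN events at or after `since`.

    - leaked_account_logins: successful logins by accounts in the leaked list
    - new_source_ips: successful logins from an IP never seen for that user
    - password_spraying: IPs whose failed logins hit >= spray_threshold users
    The list was harvested before it was posted, so set `since` generously.
    """
    leaked_logins = []
    new_sources = set()
    failed_users_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or event_time(rec) < since:
            continue
        user, ip, action = rec.get("user"), rec.get("remip"), rec.get("action")
        if action == "tunnel-up":                 # successful SSL-VPN login
            if user in leaked_users:
                leaked_logins.append((user, ip, event_time(rec)))
            if ip not in known_sources.get(user, set()):
                new_sources.add((user, ip))
        elif action == "ssl-login-fail":          # failed SSL-VPN login
            failed_users_by_ip[ip].add(user)
    spraying = {ip: len(users) for ip, users in failed_users_by_ip.items()
                if len(users) >= spray_threshold}
    return {"leaked_account_logins": leaked_logins,
            "new_source_ips": new_sources,
            "password_spraying": spraying}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, LEAKED_USERS, KNOWN_SOURCES, since=LEAK_POSTED)
    for user, ip, ts in report["leaked_account_logins"]:
        print(f"RESET NOW: leaked account {user} logged in from {ip} at {ts}")
    for user, ip in sorted(report["new_source_ips"]):
        print(f"REVIEW: {user} logged in from previously unseen {ip}")
    for ip, n in report["password_spraying"].items():
        print(f"BLOCK: {ip} failed logins against {n} distinct users")
```

On the sample data the same address 203.0.113.77 first fails against four accounts and then succeeds as the leaked account bchen, which is exactly the sequence to look for: the failures are the attacker working through the list, and the success is the account whose password had not yet been reset. The successful login is the one that matters for incident response; the failed ones tell you which accounts were tried and from where.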