500,000 Fortinet VPN credentials are leaked by cyber attackers

September 16, 2021
500000 Fortinet VPN credentials leaked cyber attackers dark web hacker forum

A record of nearly 500,000 login names and passwords from Fortinet VPN has been leaked by cyber attackers, wherein these details were said to have been scraped from exploitable devices in the past months. The attackers clarify that the Fortinet exploited vulnerabilities were patched and that many VPN credentials are still deemed valid. 

The VPN scraped credentials enable attackers to access a network to execute data exfiltration, making this leak a grave problem. Moreover, attackers can as well install malware and operate ransomware attacks on their victims. 


The leaked Fortinet VPN credentials are found on a hacking forum site 

The threat actor named “Orange” was behind the recent leaking of the Fortinet credentials. In fact, the records were leaked for free. The “Orange” threat actors were also the administrators of RAMP – a recently launched hacking forum. They were also the old administrators of the ransomware operation called “Babuk”. 

In the past, the Orange group has decided to split off from the members of the Babuk gang coming from an occurred disagreements. After separating, Orange started the hacking forum RAMP and became the representative of a new ransomware operation called Groove. 

From the RAMP forum, the Orange group has created a post that links to a file that is said to have to contain thousands of VPN accounts from Fortinet. Concurrently, a similar post has been shown on the ransomware operation Groove leak site, which also promotes the same Fortinet VPN leak. Both posts from different leak sites lead to a Tor storage hosted server utilized by the Groove group hosting stolen, leaked files, forcing their ransomware victims to negotiate with them. 

From the analysis of the cyber researchers, the files appear to be containing 498,908 users over 12,856 devices of VPN credentials. All of the recorded IP addresses were confirmed to be VPN servers of Fortinet, though it is not tested if the leaked credentials are all valid. 

As of writing, the threat actors have not stated why they released the credentials aside from personal gain. However, researchers assume that this tactic is for them to promote the new hacking forum RAMP and the Groove ransomware operation. 

Even though Groove could be relatively new to the ransomware landscape and that only one victim is listed on their leak site as of now, their tactics of offering free data leaks to the cybercrime population may be a way for them to recruit more affiliates in the future. 


Researchers advise Fortinet VPN server admins to further their precautionary methods 

As an administrator of Fortinet VPN servers, it is safe to assume that most of the listed credentials are authorized and take precautions even though some researchers could not legally verify them. The precautions include a forced reset operation to all of the user passwords for safety. It is also important to do a daily checking of logs to check any possible attacks or intrusions. 

We did our research regarding the ransomware group’s page as we had been routinely visited this page for our scans. Thus, the news broke that the Fortinet issue has been dragged. We advise all users of any VPN providers to change their credentials too. Who knows when your account is next. 

About the author

Leave a Reply