Skip to main content

Half a million Fortinet VPN passwords leaked online

man annoyed at laptop
(Image credit: fizkes / Shutterstock)

A cybercriminal has released credentials associated with almost half a million Fortinet VPN accounts online.

The account information was supposedly scraped from Fortinet devices, by exploiting a security vulnerability that first came to light in 2019. Although many months have elapsed since a patch was released, many of the credentials remain current, the hacker claims.

The data was made public by a threat actor known as Orange, who has a previous affiliation with the Babuk ransomware operation.

TechRadar Pro has asked Fortinet to verify the authenticity of the data, but has not yet received a response.

Fortinet VPN leak

A link to the data was posted to a new underground forum called Ramp, which Orange now administrates. Commentators have suggested the release of Fortinet VPN account details was a promotional stunt designed to attract new members.

“We believe with high confidence the VPN SSL leak was likely accomplished to promote the new RAMP ransomware forum offering a ‘freebie’ for wannabe ransomware operators,” Vitali Kremez, VTO at Advanced Intel, told Bleeping Computer.

The VPN credentials are hosted on a Tor storage server linked with ransomware group Groove, which was launched only recently. The group has only one known victim to date, but may be looking to use the disclosure as a launchpad for its ransomware-as-a-service operation.

While data breaches of all kinds should be taken seriously, the compromise of VPN accounts is particularly concerning, due to the opportunity for attackers to access secure networks, from which position they could inject malware or exfiltrate sensitive data.

Although the authenticity of the Fortinet VPN credentials has not yet been confirmed, administrators are still advised to take precautionary steps, such as asking users to reset their passwords and checking closely for signs of infiltration.

Update:
Fortinet has since provided the following statement:

"The security of our customers is our first priority. Fortinet is aware that a malicious actor has disclosed SSL-VPN credentials to access FortiGate SSL-VPN devices. The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019."

"Since May 2019, Fortinet has continuously communicated with customers urging the implementation of mitigations, including corporate blog posts in August 2019July 2020April 2021 and June 2021. For more information, please refer to our latest blog. We will be issuing another advisory strongly recommending that customers implement both the patch upgrade and password reset as soon as possible.” 

Joel Khalili

Joel Khalili is a Staff Writer working across both TechRadar Pro and ITProPortal. He's interested in receiving pitches around cybersecurity, data privacy, cloud, storage, internet infrastructure, mobile, 5G and blockchain.