A set of roughly 500,000 login credentials for VPN devices from the security vendor Fortinet has been spotted on a hacking forum. Precautionary measures are recommended.
Fortinet customers using its SSL-VPN would be well advised to change their passwords, if only as a precaution: Bleeping Computer, a site that closely follows hacking and data-leak news, reports in its September 8 edition that a set of about 500,000 login credentials for Fortinet VPN devices has been leaked.
Contrary to the usual practice in this milieu, the person who posted the list, identified by the pseudonym “Orange” and presented as the administrator of a new hacking forum (“RAMP”), shared it for free, our colleagues report. No payment in cryptocurrency was requested. The leak is recent, or at least the data was shared recently, on September 7.
“Orange” is said to be a member of a small group called “Groove” and to have been linked to another gang, “Babuk”, which reportedly ceased operations in the spring, although its ransomware (software that takes data hostage and demands a ransom to release it) remains in circulation. At the beginning of the year, “Babuk” had drawn attention with its so-called ethical charter.
A VPN, or virtual private network, separates a user’s connection from the rest of the Internet traffic by placing it in an encrypted tunnel. This channel can be used, for example, to connect to a remote machine in order to reach the resources of one’s company (when teleworking, among other cases) or to reach cloud computing services. The tunnel is meant to keep prying eyes away from the traffic it carries.
VPNs are not used only for professional reasons: there is also a whole consumer market, in which they serve all kinds of purposes, such as bypassing geographic filtering by routing the connection through another country. Competition is so strong in this market that the services attribute all kinds of impressive virtues to their VPNs, sometimes at the risk of overstating them.
Given the role of VPNs, any leak involving them can take on worrying proportions. This is particularly the case when these tunnels give access to sensitive information about a company’s activity or to personal data. Beyond the fraudulent access itself, a valid VPN login places the attacker inside the network perimeter and can serve as the foothold for far more sophisticated attacks.
A leak that also concerns French people
In Fortinet’s case, the incident involves precisely 498,908 user accounts spread across 12,856 devices. Bleeping Computer specifies that it was not able to test and verify these credentials, but it was able to verify that the IP addresses in the list point to Fortinet VPN servers, which confirms what the list targets, not that the passwords are still valid. Several countries are affected, including France, which accounts for 6.15% of the total according to an analysis by Advanced Intel.
The circumstances under which these credentials were stolen are unclear, but a vulnerability in Fortinet’s products is a very plausible source. After all, Fortinet, like any other vendor, has flaws in its products. Those that are identified get patched, but others may remain under the radar, or customers may apply the patches late.
On this subject, one can recall the alert issued by the French computer emergency response team (CERT-FR) at the end of November 2020 about a flaw in Fortinet’s FortiOS SSL-VPN (the path traversal tracked as CVE-2018-13379), first disclosed in spring 2019. At the time, Fortinet had long since published a security advisory and a fix for the vulnerability, but it turned out that data harvested from unpatched devices was already circulating online.
“This vulnerability allows unauthenticated attackers to access system files […], in particular giving them access to sensitive information such as user accounts and passwords,” wrote CERT-FR, which recommended changing passwords, applying the patch and revoking certificates in favour of new ones.
The alert also mentioned “the dissemination on the Internet of a list of potentially vulnerable Fortinet equipment, including equipment belonging to French entities”, adding “that it appears that accesses to victims’ information systems obtained through this vulnerability are already for sale on cybercriminal forums”.
Nothing establishes that the flaw described by CERT-FR is related to the affair reported by Bleeping Computer. It is also possible that these 500,000 credentials are an aggregate of identifiers from earlier leaks. In other words, the validity of the username/password pairs is not certain, since precautions may have been taken in the meantime (passwords rotated, devices patched).
But since caution is the mother of safety, it is undoubtedly better to prepare for the worst and to treat all of these credentials as valid. In addition to changing passwords and applying the measures described above by CERT-FR, administrators are also invited to review the VPN connection and activity logs to detect a possible compromise (logins from unfamiliar source addresses, bursts of failed logins across many accounts, a success following a run of failures), to check the state of the information system, and to enforce multi-factor authentication on VPN accounts so that a leaked password alone is no longer enough to get in.
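The log review suggested above, as an added example that is not part of the original article or of any Fortinet documentation: the script parses FortiGate-style key=value SSL-VPN event records and flags three patterns worth a closer look after a credential leak. The log lines and the per-user baseline of known source addresses are constructed for the example; the field names (action, remip, user, reason) follow the common FortiGate layout but are an assumption to be checked against your own devices’ logs.

```python
"""Flag suspicious SSL-VPN logins in FortiGate-style key=value event logs.

Added example, not from the original article or from Fortinet. The sample
records below are constructed; field names follow the usual FortiGate
"type=event subtype=vpn" layout but are an assumption, not a specification.
"""
import re
from collections import Counter, defaultdict

# key=value pairs; values are either double-quoted strings or bare tokens
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines (not real traffic)
SAMPLE_LOGS = [
    'date=2021-09-08 time=02:14:01 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice" reason="sslvpn_login_unknown_user"',
    'date=2021-09-08 time=02:14:03 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="bob" reason="sslvpn_login_permission_denied"',
    'date=2021-09-08 time=02:14:05 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="carol" reason="sslvpn_login_permission_denied"',
    'date=2021-09-08 time=02:14:09 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="dave" tunnelip=10.212.134.200',
    'date=2021-09-08 time=08:00:11 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.22 user="alice" tunnelip=10.212.134.201',
    'date=2021-09-08 time=08:30:40 type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.9 user="erin" tunnelip=10.212.134.202',
    'date=2021-09-08 time=09:01:00 type="event" subtype="vpn" action="tunnel-down" remip=203.0.113.22 user="alice"',
]

# Constructed baseline: source IPs each user is normally seen connecting from
KNOWN_IPS = {
    "alice": {"203.0.113.22"},
    "erin": {"192.0.2.9"},
}


def parse_fortigate_log(line):
    """Return a dict of key -> unquoted value for one key=value log line."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def analyze_vpn_logs(lines, known_ips, fail_threshold=3):
    """Return findings keyed by category.

    spraying      : source IPs with >= fail_threshold failures against more than one account
    new_source_ip : successful tunnels from an IP absent from the user's baseline
    fail_then_ok  : successful tunnel from an IP that previously failed logins
                    (a leaked list being validated, then used)
    """
    fails_by_ip = defaultdict(set)  # remip -> set of account names that failed
    fail_count = Counter()          # remip -> number of failed logins
    findings = {"spraying": [], "new_source_ip": [], "fail_then_ok": []}

    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("type") != "event" or ev.get("subtype") != "vpn":
            continue
        ip, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if action == "ssl-login-fail":
            fails_by_ip[ip].add(user)
            fail_count[ip] += 1
        elif action == "tunnel-up":
            if ip not in known_ips.get(user, set()):
                findings["new_source_ip"].append((user, ip))
            if ip in fails_by_ip:
                findings["fail_then_ok"].append((user, ip))

    for ip, n in fail_count.items():
        if n >= fail_threshold and len(fails_by_ip[ip]) > 1:
            findings["spraying"].append((ip, n, sorted(fails_by_ip[ip])))
    return findings


if __name__ == "__main__":
    for category, hits in analyze_vpn_logs(SAMPLE_LOGS, KNOWN_IPS).items():
        for hit in hits:
            print(category, hit)
```

On the constructed sample, 198.51.100.7 is reported for spraying three different accounts and then for a successful tunnel as “dave”, who has no baseline; the two logins from addresses already in the baseline produce nothing. Feed it the export of a real device and tune the threshold and the baseline to your environment; the point is that a leaked list tends to show up as many failures across many accounts from few addresses, followed by the occasional success.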