A cybercriminal has released credentials associated with almost half a million Fortinet VPN accounts online.
The account information was supposedly scraped from Fortinet devices, by exploiting a security vulnerability that first came to light in April. Although months have elapsed since a patch was released, many of the credentials remain current, the hacker claims.
The data was made public by a threat actor known as Orange, who has a previous affiliation with the Babuk ransomware operation.
TechRadar Pro has asked Fortinet to verify the authenticity of the data, but has not yet received a response.
Fortinet VPN leak
A link to the data was posted to a new underground forum called Ramp, which Orange now administrates. Commentators have suggested the release of Fortinet VPN account details was a promotional stunt designed to attract new members.
“We believe with high confidence the VPN SSL leak was likely accomplished to promote the new RAMP ransomware forum offering a ‘freebie’ for wannabe ransomware operators,” Vitali Kremez, VTO at Advanced Intel, told Bleeping Computer.
The VPN credentials are hosted on a Tor storage server linked with ransomware group Groove, which was launched only recently. The group has only one known victim to date, but may be looking to use the disclosure as a launchpad for its ransomware-as-a-service operation.
While data breaches of all kinds should be taken seriously, the compromise of VPN accounts is particularly concerning, due to the opportunity for attackers to access secure networks, from which position they could inject malware or exfiltrate sensitive data.
Although the authenticity of the Fortinet VPN credentials has not yet been confirmed, administrators are still advised to take precautionary steps, such as asking users to reset their passwords and checking closely for signs of infiltration.
