500,000 Fortinet VPN Credentials Got Leaked on Hackers Forum
The list of Fortinet VPN credentials was released by a malicious actor known as “Orange,” who is the administrator of the recently launched RAMP hacking forum and a past leader of the Babuk Ransomware initiative.
The file contains almost 500,000 Fortinet VPN login names and passwords that were scraped from multiple devices in an exploit a year ago.
Orange split off to form RAMP and is now thought to be a representative of the new Groove ransomware campaign. A threat actor recently posted a message on the RAMP forum with a link to a file that allegedly contains thousands of Fortinet VPN accounts.
It appears that the RAMP hacking group released this information to promote itself. Some of these credentials have been checked and found to be valid.
Action Plan for Fortinet VPN admins
Ensure you change your passwords, enable 2FA for VPN connections, and patch your Fortinet firewall to the latest firmware.
To confirm whether your device is on the list, Cypher created a list of affected IP addresses that you can check quickly here: https://gist.github.com/crypto-cypher/f216d6fa4816ffa93c5270b001dc4bdc
Fortinet addressed this issue when it happened; however, some credentials remain valid. Please be sure to take action, especially if your IP is on the list.
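As an added example (not from the original post and not Cypher's own tooling), here is a small Python script that checks whether any of your organization's public IP ranges appear in a list like the one linked above. It assumes the list has one address per line, possibly followed by a port or a path, and uses a constructed sample in place of the real download.

```python
import ipaddress
import re
from typing import Iterable, List, Set

# Constructed sample standing in for the downloaded list. The real format is
# assumed to be one address per line, optionally with a port or path appended.
SAMPLE_LIST = """\
# constructed sample, not the real gist contents
203.0.113.7
203.0.113.8:10443
198.51.100.21:443/remote/login
192.0.2.99
999.1.1.1
not-an-ip
"""

# Matches a dotted-quad candidate; ipaddress does the real validation below.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_ips(text: str) -> Set[ipaddress.IPv4Address]:
    """Pull every syntactically valid IPv4 address out of the list text."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        match = IPV4_RE.search(line)
        if not match:
            continue  # no address-shaped token on this line
        try:
            found.add(ipaddress.IPv4Address(match.group(1)))
        except ValueError:
            continue  # e.g. 999.1.1.1 fits the regex but is not an address
    return found


def matches_for_org(list_text: str, org_ranges: Iterable[str]) -> List[str]:
    """Return the listed addresses that fall inside the org's public ranges."""
    networks = [ipaddress.ip_network(r, strict=False) for r in org_ranges]
    hits = {ip for ip in extract_ips(list_text) if any(ip in n for n in networks)}
    return [str(ip) for ip in sorted(hits)]


if __name__ == "__main__":
    # Replace the sample text with the downloaded file and the ranges with your own.
    print(matches_for_org(SAMPLE_LIST, ["203.0.113.0/24", "198.51.100.21/32"]))
```

Any address returned means a firewall in your ranges was in the scraped set and its VPN credentials should be rotated immediately, even if you have already patched.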
Cybersecurity is always our concern for our clients. Make sure your IT provider is aware of this leak if you use a Fortinet firewall at your organization.
Dmitriy Teplinskiy
I have worked in the IT industry for 15+ years. During this time I have consulted for clients in accounting and finance, manufacturing, automotive and boating, retail, and everything in between. My background is in networking and cybersecurity.