- Researcher Bob Diachenko Uncovers “FortiBleed”, Massive Archive of 73,932 Fortinet/FortiGate VPN Credentials from Brute-Force and Exploit Campaigns
- Data included usernames, email addresses and plaintext passwords tied to major companies (Chevron, Samsung, Toyota, AT&T, a NATO contractor, etc.), alongside logs of billions of login attempts
- Fortinet says the leak is a redistribution of data from past incidents plus brute-forced credentials, and recommends password rotation and MFA to minimize risk
A database containing tens of thousands of login credentials for major global companies was found online in one of the major data breach incidents this year.
Security researcher Bob Diachenko posted a new report on LinkedIn saying he discovered an archive of Fortinet FortiGate VPN credentials covering 73,932 firewall URLs.
“Massive Fortinet/FortiGate bruteforce/active exploitation campaign exposed in action,” he said.
Fortinet responds
Calling the campaign “FortiBleed,” Diachenko said the archive contained usernames, email addresses and passwords (in plain text) for companies such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec and State Grid.
“Thousands of instances of top vendors are listed in the files like this one (see screenshot). This one alone has 21,634 domain names – from Chevron to Fortinet itself. All – with potentially working passwords for the FortiGate appliances obtained by various means.”
Diachenko told BleepingComputer that the archive was assembled by a Russian-speaking threat actor who harvested credentials for FortiGate SSL VPN instances. After analyzing the database, he concluded that the attackers ran more than 1.1 billion authentication attempts against more than 320,000 FortiGate instances, as well as 2.1 billion attempts against more than 160,600 Microsoft SQL Server systems.
They also captured SSL VPN authentication hashes, which they later cracked and used to log into Active Directory environments.
Several organizations around the world were "completely compromised", Diachenko also said, stressing that a Turkish NATO defense contractor was among them. This organization reportedly lost classified documents as a result of the breach.
Others, including the security firm Hudson Rock and independent researcher Kevin Beaumont, confirmed the leak's authenticity.
Fortinet told the publication that the database is not from a new breach, but rather a collection of secrets stolen in previous incidents.
“Based on our analysis, the data involved is a redistribution of data from previous incidents, as well as credential brute-forcing, and is not related to any recent incident or advisory. Organizations that follow routine best practices, including regularly refreshing security credentials, as per guidance in this blog in March, face minimal risk from credentials in the compromise detail,” Fortinet said. Still, it wouldn't hurt to rotate any Fortinet VPN passwords and enable MFA wherever it is available and not yet in use.
“Fortinet continues to investigate these reports with our customers’ safety as our highest priority.”
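The campaign described above was, at its core, billions of failed logins against SSL VPN portals, which is exactly the kind of activity a defender can spot in FortiGate event logs before a credential is cracked or reused. The following is an added example, not code from the article, from Diachenko or from Fortinet: it parses key=value style VPN event lines, counts failures per source address, separates single-account brute force from password spraying across many accounts, and flags a success that follows a run of failures. The sample log lines are constructed, loosely modelled on FortiGate's key=value event format; the field names (`action`, `remip`, `user`) and the action values `ssl-login-fail` and `ssl-login` are assumptions and should be adjusted to match your own log schema and FortiOS version.

```python
import re
from collections import defaultdict

# Assumed action values; confirm against your own FortiOS event logs.
FAIL_ACTION = "ssl-login-fail"
SUCCESS_ACTION = "ssl-login"

# Constructed sample lines (not real telemetry), modelled on FortiGate
# key=value VPN event logs. Three sources:
#   203.0.113.10 hammers one account, then gets in (brute force, then success)
#   198.51.100.7 tries one password against several accounts (spraying)
#   192.0.2.5 mistypes once, then logs in (benign)
SAMPLE_LOGS = """\
date=2025-11-01 time=09:00:01 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
date=2025-11-01 time=09:00:02 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
date=2025-11-01 time=09:00:03 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
date=2025-11-01 time=09:00:04 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
date=2025-11-01 time=09:00:05 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
date=2025-11-01 time=09:00:06 logdesc="SSL VPN login" action="ssl-login" remip=203.0.113.10 user="admin" msg="SSL user logged in"
date=2025-11-01 time=09:10:00 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="alice" reason="sslvpn_login_permission_denied"
date=2025-11-01 time=09:10:01 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="bob" reason="sslvpn_login_permission_denied"
date=2025-11-01 time=09:10:02 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="carol" reason="sslvpn_login_permission_denied"
date=2025-11-01 time=09:20:00 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=192.0.2.5 user="dave" reason="sslvpn_login_permission_denied"
date=2025-11-01 time=09:20:05 logdesc="SSL VPN login" action="ssl-login" remip=192.0.2.5 user="dave" msg="SSL user logged in"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def analyze(lines, fail_threshold: int = 5, spray_users: int = 3) -> dict:
    """Return findings keyed by source IP.

    kind is "password-spray" when one source fails against spray_users or more
    distinct accounts, "brute-force" when it fails fail_threshold or more times
    against fewer accounts. success_after_failures is set when a successful
    login from that source follows at least fail_threshold failures, which is
    the case that most urgently needs a password reset and an MFA check.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "success_after_failures": False})
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        src, action = rec.get("remip"), rec.get("action")
        if src is None or action is None:
            continue
        s = stats[src]
        if action == FAIL_ACTION:
            s["failures"] += 1
            s["users"].add(rec.get("user", "?"))
        elif action == SUCCESS_ACTION and s["failures"] >= fail_threshold:
            s["success_after_failures"] = True

    findings = {}
    for src, s in stats.items():
        if len(s["users"]) >= spray_users:
            kind = "password-spray"
        elif s["failures"] >= fail_threshold:
            kind = "brute-force"
        else:
            kind = None
        if kind is not None or s["success_after_failures"]:
            findings[src] = {"kind": kind, "failures": s["failures"],
                             "users": sorted(s["users"]),
                             "success_after_failures": s["success_after_failures"]}
    return findings


if __name__ == "__main__":
    for src, f in sorted(analyze(SAMPLE_LOGS.splitlines()).items()):
        print(src, f)
```

In the constructed data, the source that succeeds after five failures against `admin` is the one to act on first: that account's password is presumably known to the attacker, so rotating it and requiring a second factor matters more than blocking the IP, which the attacker will simply change. The spraying source never succeeds here, but a low per-account failure count spread over many accounts is exactly what a per-account lockout policy misses, which is why the check counts distinct users per source rather than failures per user.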
Via Bleeping Computer