defenselead.com
162.214.80.21
Public Scan
URL:
https://defenselead.com/thousands-fortinet-vpn-credentials-leaked-hackers/
Submission: On September 12 via api from GB — Scanned from DE
Form analysis
4 forms found in the DOM
GET https://defenselead.com/
<form role="search" method="get" id="searchform" action="https://defenselead.com/">
<div class="input-group"> <input type="search" class="form-control" placeholder="Search" value="" name="s"> <span class="input-group-btn btn-default"> <button type="submit" class="btn"> <i class="fa fa-search"></i> </button> </span></div>
</form>
<form id="commentform" class="comment-form"> <iframe title="Comment Form"
src="https://jetpack.wordpress.com/jetpack-comment/?blogid=178024582&postid=1015&comment_registration=0&require_name_email=1&stc_enabled=1&stb_enabled=1&show_avatars=1&avatar_default=wp_user_avatar&greeting=Leave+a+Reply&greeting_reply=Leave+a+Reply+to+%25s&color_scheme=dark&lang=en_US&jetpack_version=10.1&show_cookie_consent=10&has_cookie_consent=0&token_key=%3Bnormal%3B&sig=aa1adfee890c84b89147f9111a1915b8f61561cb#parent=https%3A%2F%2Fdefenselead.com%2Fthousands-fortinet-vpn-credentials-leaked-hackers%2F"
name="jetpack_remote_comment" style="width:100%; height: 430px; border:0;" class="jetpack_remote_comment" id="jetpack_remote_comment" sandbox="allow-same-origin allow-top-navigation allow-scripts allow-forms allow-popups" scrolling="no">
</iframe> <!--[if !IE]><!-->
<script>
document.addEventListener('DOMContentLoaded', function() {
var commentForms = document.getElementsByClassName('jetpack_remote_comment');
for (var i = 0; i < commentForms.length; i++) {
commentForms[i].allowTransparency = false;
commentForms[i].scrolling = 'no';
}
});
</script> <!--<![endif]--><input id="ak_js" name="ak_js" type="hidden" value="1631423451971"><input type="hidden" name="js-spam-prevention" value="656114977357df946200fb9664feec4b">
</form>
POST #
<form action="#" method="post" accept-charset="utf-8" id="subscribe-blog-blog_subscription-5">
<div id="subscribe-text">
<p>Enter your email address to subscribe to this Newsletter and receive notifications of new posts by email.</p>
</div>
<p id="subscribe-email"> <label id="jetpack-subscribe-label" class="screen-reader-text" for="subscribe-field-blog_subscription-5"> Email Address </label> <input type="email" name="email" required="required" value=""
id="subscribe-field-blog_subscription-5" placeholder="Email Address"></p>
<p id="subscribe-submit"> <input type="hidden" name="action" value="subscribe"> <input type="hidden" name="source" value="https://defenselead.com/thousands-fortinet-vpn-credentials-leaked-hackers/"> <input type="hidden" name="sub-type"
value="widget"> <input type="hidden" name="redirect_fragment" value="blog_subscription-5"> <button type="submit" name="jetpack_subscriptions_widget"> Subscribe </button></p>
</form>
POST /thousands-fortinet-vpn-credentials-leaked-hackers/
<form id="wpforms-form-734" class="wpforms-validate wpforms-form wpforms-ajax-form" data-formid="734" method="post" enctype="multipart/form-data" action="/thousands-fortinet-vpn-credentials-leaked-hackers/"
data-token="0f5344eaa2afd480ca4e280737e96736" novalidate="novalidate"><noscript class="wpforms-error-noscript">Please enable JavaScript in your browser to complete this form.</noscript>
<div class="wpforms-field-container">
<div id="wpforms-734-field_1-container" class="wpforms-field wpforms-field-name" data-field-id="1"><label class="wpforms-field-label" for="wpforms-734-field_1">Name <span class="wpforms-required-label">*</span></label>
<div class="wpforms-field-row wpforms-field-medium">
<div class="wpforms-field-row-block wpforms-first wpforms-one-half"><input type="text" id="wpforms-734-field_1" class="wpforms-field-name-first wpforms-field-required" name="wpforms[fields][1][first]" required=""><label
for="wpforms-734-field_1" class="wpforms-field-sublabel after ">First</label></div>
<div class="wpforms-field-row-block wpforms-one-half"><input type="text" id="wpforms-734-field_1-last" class="wpforms-field-name-last wpforms-field-required" name="wpforms[fields][1][last]" required=""><label for="wpforms-734-field_1-last"
class="wpforms-field-sublabel after ">Last</label></div>
</div>
</div>
<div id="wpforms-734-field_2-container" class="wpforms-field wpforms-field-email" data-field-id="2"><label class="wpforms-field-label" for="wpforms-734-field_2">Email <span class="wpforms-required-label">*</span></label><input type="email"
id="wpforms-734-field_2" class="wpforms-field-medium wpforms-field-required" name="wpforms[fields][2]" required=""></div>
</div>
<div class="wpforms-submit-container"><input type="hidden" name="wpforms[id]" value="734"><input type="hidden" name="wpforms[author]" value="0"><input type="hidden" name="wpforms[post_id]" value="1015"><button type="submit" name="wpforms[submit]"
class="wpforms-submit " id="wpforms-submit-734" value="wpforms-submit" aria-live="assertive" data-alt-text="Sending..." data-submit-text="Submit">Submit</button><noscript><img
src="https://defenselead.com/wp-content/plugins/wpforms-lite/assets/images/submit-spin.svg" class="wpforms-submit-spinner" style="display: none;" width="26" height="26" alt=""></noscript><img
src="data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%2026%2026%22%3E%3C/svg%3E" data-src="https://defenselead.com/wp-content/plugins/wpforms-lite/assets/images/submit-spin.svg"
class="lazyload wpforms-submit-spinner" style="display: none;" width="26" height="26" alt=""></div><input type="hidden" name="pum_form_popup_id" value="746">
</form>
Text Content
THOUSANDS OF FORTINET VPN CREDENTIALS LEAKED BY HACKERS

By Defense Lead, Sep 11, 2021

The cybercriminal group “Orange” publicly leaked around 500,000 usernames and passwords of Fortinet VPN users from as many as 74 different countries. The disclosed credentials are associated with FortiGate SSL-VPN devices, and it is estimated that approximately 87,000 devices around the world were affected.

An attacker can use these credentials to access the network and carry out malicious activities such as malware installation, data theft, and ransomware attacks. The hackers claimed that many of the VPN credentials are still valid, even though the exploited Fortinet vulnerability (CVE-2018-13379) was patched by the company long before.

HACKERS PUBLISHED FORTINET CREDENTIALS FOR FREE ON NEW DARK WEB HACKING FORUM “RAMP”:

The hacking group “Orange” leaked the Fortinet usernames and passwords on the recently launched Russian-speaking cybercrime hacking forum “RAMP” and also on the data leak site of the ransomware gang “Groove”.

[Image: Leaked Fortinet VPN Credentials Post on RAMP Hacking Forum]

RAMP was formed when Orange partnered with Groove after breaking off ties with its previous partner, the “Babuk” ransomware gang, which attacked the Washington D.C. Metropolitan Police Department in May 2021 and demanded a ransom of $4 million USD in exchange for the decryption key.

[Image: Leaked Fortinet VPN Credentials Post on Groove Website]

The threat actors leaked the data on the Groove website at the same time as they posted it on the RAMP hacking forum. The leaked files were hosted on the same Tor storage server that the Groove gang uses to host stolen files and run its ransomware operations.

The reason for revealing such a large data set is not yet known, but cyber security researchers theorized that the Orange group intentionally disclosed almost 500,000 passwords to promote its new business operations, draw attention, and recruit more threat actors to the gang.

FORTINET RESPONSE ON THE DISCLOSURE OF FORTIGATE SSL-VPN CREDENTIALS:

Fortinet, a cybersecurity solutions provider, gave an official statement that it is aware that its users’ credentials were leaked freely on the RAMP hacking forum. The company added that the login credentials were stolen while systems remained unpatched against CVE-2018-13379 in Fortinet FortiOS. The official Fortinet blog post on the leaked VPN credentials is titled: Malicious Actor Discloses FortiGate SSL-VPN Credentials.

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that permits cybercriminals to read system and session files, which contain usernames and passwords stored in plain text, via malicious HTTP resource requests. This vulnerability was also one of the top most-exploited flaws in 2020.

Although Fortinet released a security update for this flaw in May 2019, the company warned that devices remain vulnerable to exploitation if the passwords were not reset.

> This incident is related to an old vulnerability resolved in May 2019. At that
> time, Fortinet issued a PSIRT advisory and communicated directly with
> customers. And because customer security is our top priority, Fortinet
> subsequently issued multiple corporate blog posts detailing this issue,
> strongly encouraging customers to upgrade affected devices. In addition to
> advisories, bulletins, and direct communications, these blogs were published
> in August 2019, July 2020, April 2021, and again in June 2021.
>
> Fortinet Official Statement

INDIA TOPS IN THE LIST OF LEAKED FORTINET VPN CREDENTIALS:

The breach data set contains a list of 799 directories, reported to cover 498,908 users of top companies, related to 87,000 VPN devices spanning over 74 different countries.

India tops the list with the largest share of credentials, followed by Taiwan, Italy, France, Mexico, Israel, and Brazil. Out of 22,500 victims, 2,959 are US entities, based on the location of the IP addresses.

[Image: Geographic distribution of leaked Fortinet servers]

RECOMMENDATIONS AND MITIGATIONS STEPS FOR THE LEAKED FORTINET VPN CREDENTIALS:

Fortinet also published recommended mitigation steps for the leaked VPN usernames and passwords on its official security blog. It advised companies to first disable all VPN connections immediately and upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above for the latest security patch.

Fortinet also strongly recommends performing a forced reset of all user passwords after the upgrade, because the devices will still be vulnerable after the upgrade if their users’ credentials were previously compromised.

Below are the Fortinet recommended steps to be followed for the security measures:

* Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.
* Immediately upgrade affected devices to the latest available release.
* Treat all credentials as potentially compromised by performing an organization-wide password reset.
* Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
* Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.