cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Cyber criminals leak stolen Fortinet data online

Threat actors have released credentials of Fortinet VPN users online, which are thought to enable other cyber criminals to gain remote access to the networks behind the VPN.

user iconReporter
Mon, 13 Sep 2021
Cyber criminals leak stolen Fortinet data online
expand image

A malicious actor has released the user credentials and IP addresses linked to the Fortinet SSL VPN to an internet hacking forum.

It was revealed late last week that the passwords for an estimated 500,000 Fortinet VPN accounts were leaked onto the hacking forum RAMP.

Media outlets have reported that the website’s administrator, operating under the nom de plume ‘Orange’, was formerly associated with the Babuk cyber gang.


Fortinet confirmed that it is aware of the hack, which was achieved by taking the credentials from unpatched files.

“Fortinet has become aware that a malicious actor has recently disclosed SSL-VPN access information to 87,000 FortiGate SSL-VPN devices," a blog post on the company's website read.

"These credentials were obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable.

“This incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers. And because customer security is our top priority, Fortinet subsequently issued multiple corporate blog posts detailing this issue, strongly encouraging customers to upgrade affected devices. In addition to advisories, bulletins, and direct communications, these blogs were published in August 2019, July 2020, April 2021, and again in June 2021.”

The Australian Cyber Security Centre recommends that any organisations that use Fortinet VPNs install updated patches, as well as undertaking basic password precaution such as updating their passwords.

“The ACSC recommends organisations review their patching history to identify possible periods of exposure to CVE-2018-13379 and other relevant Fortinet vulnerabilities, including CVE-2020-12812 and CVE-2019-5591," the ACSC outlined.

Organisations should also review the linked Fortinet security advisories for the list of specific Fortinet products affected by these vulnerabilities as well as vendor recommended mitigations, if devices are still vulnerable.”

A spokesperson for the company issued the following comment.

"The security of our customers is our first priority. Fortinet is aware that a malicious actor has disclosed on a dark web forum, SSL-VPN credentials to access FortiGate SSL-VPN devices. The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019," the statement read.

"Since May 2019, Fortinet has continuously communicated with customers urging the implementation of mitigations, including corporate blog posts in August 2019, July 2020, April 2021 and June 2021. For more information, please refer to our latest blog and PSIRT advisory. We strongly urge customers to implement both the patch upgrade and password reset as soon as possible."

[Related: ACSC issues new Microsoft Exchange alert]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.