• drspod@lemmy.ml · 5 upvotes · 2 months ago

    A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer.

    While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid.

    This leak is a serious incident as the VPN credentials could allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks.

    https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/

    • Zerush@lemmy.ml · 1 upvote · 1 month ago

      Andisearch Writeup

      A threat actor known as “Orange” has leaked nearly 500,000 Fortinet VPN login names and passwords, a move that has sent ripples through the cybersecurity community. These credentials were allegedly scraped from vulnerable FortiGate SSL-VPN devices, exploiting a known vulnerability, CVE-2018-13379, which had been patched since May 2019. Despite the availability of patches, many systems remained unpatched, leaving them susceptible to this breach.

      The leaked credentials were posted for free on the RAMP hacking forum, a platform managed by Orange, who was previously associated with the Babuk Ransomware operation. This leak is believed to be a promotional tactic for the RAMP forum and the Groove ransomware operation, aiming to attract other cybercriminals by offering a “freebie”.

      The breach has affected organizations across 74 countries, with a significant number of compromised devices located in the USA. The leaked data includes VPN credentials for 498,908 users over 12,856 devices. While some sources confirm the validity of these credentials, others provide mixed reports, indicating that not all credentials may be functional.

      Fortinet has acknowledged the breach, emphasizing the importance of patching and resetting passwords to mitigate the risk. They have urged affected users to upgrade their devices to the latest FortiOS versions and perform an organization-wide password reset. The incident underscores the critical need for timely patching and robust security practices to protect against such vulnerabilities.