The hacker released passwords for 500,000 Fortinet VPN accounts

A list of nearly 500,000 usernames and passwords to log in to Fortinet VPNs that were allegedly stolen last summer from vulnerable devices was posted on a hacker forum.

The hacker who published this list states that the exploited vulnerability of Fortinet has since been removed, but that many data are still valid.

This data leak is a serious incident as usernames and passwords could be used to access networks and retrieve data, install malware and attack ransomwarea.

The list of data is free, and it was published by the person behind the pseudonym “Orange”, who is the administrator of the recently launched hacker forum RAMP, and who was involved in the attacks of the Babuk ransomware. After a clash between members of the Babuk gang, Orange separated and set off forum RAMP. He is believed to now be behind Groove’s new ransomware.

This week, Orange posted a link to a file on the forum that allegedly contains data on thousands of Fortinet VPN accounts. At the same time, the same text was published on the Groove ransomware website, which is intended to publish data stolen from victims of ransomware attacks.

Both posts lead to a file on the Tor server, which the Groove group uses to store stolen files that it threatens to publish, putting pressure on victims to pay and prevent a disaster.

Bleeping Computer analyzed the file and found that it contained login information for 498,908 users on 12,856 devices. It is not known if the data is really valid, but it has been confirmed that all verified IP addresses are Fortinet VPN servers.

The vulnerability that the hackers used to steal this data was monitored as CVE-2018-13379.

Sources cited by Bleeping Computer give different answers – some say a lot of the data is valid, while others say most of the login information doesn’t work.

The reason why the hacker did not save this data for himself is probably an attempt to promote the RAMP forum and ransomware Groove as a free service for those who want to get into the ransomware business. Groove is a relatively new ransomware that currently has only one victim listed on a dedicated site. By offering free services and stolen data to other cybercriminals, Orange probably hopes to lure them into a partnership.

Although there is no hard evidence that the data is valid, the recommendation for Fortinet VPN server administrators is to make that assumption and take precautions, which include resetting all user passwords and checking for possible intrusions.

The list of leaked IP addresses was published by researcher Cypher and you can find it here.

Fortinet spoke on this topic and said that the incident was related to a vulnerability that was resolved in May 2019, and that Fortinet at the time of the incident communicated directly with its clients, as well as published several blog posts with details in connection with this incident.

Source: by

*The article has been translated based on the content of by If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!