Hackers publish passwords for nearly 500,000 Fortinet VPN accounts
A group of hackers has published a list of the credentials of nearly 500,000 Fortinet VPN accounts. The credentials were reportedly scraped from vulnerable devices last year. Although the vulnerability has since been patched, many credentials are still believed to be valid.
A threat actor called Orange has published the credentials for free on a hacker forum, BleepingComputer confirms. The data can be used to access the victims’ networks. The file is hosted on a Tor storage server that is also used by the Groove ransomware group to hold stolen files.
According to BleepingComputer, the list contains the credentials of 498,908 users, which come from 12,856 Fortinet devices. BleepingComputer writes that it has not tried all the credentials, but does confirm that it has checked several IP addresses from the list. The verified addresses are all from Fortinet VPN servers. It is not known who the stolen credentials belong to.
Kremez of Advanced Intelligence told BleepingComputer that the data was stolen via a vulnerability in Fortinet’s FortiOS SSL VPN that affects FortiOS 6.0.0 to 6.0.4, FortiOS 5.6.3 to 5.6.7, and FortiOS 5.4.6 to 5.4.12. The vulnerability, CVE-2018-13379, allows attackers to access the VPN via a crafted HTTP header. Last year, 50,000 login details of companies with a Fortinet VPN, stolen via the same vulnerability, were leaked.
This vulnerability has been patched since May 2019, although VPN servers can still be vulnerable if the owner has not applied the patch. Patched servers can also remain vulnerable if users do not change their VPN passwords. Fortinet recommends that server admins reset the login credentials of all users as a precaution if they have ever run a vulnerable FortiOS version.
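The following Python example is an added illustration, not code from Fortinet or BleepingComputer. It triages a device inventory against the affected FortiOS ranges listed above and applies the rule that a patched device still needs a credential reset if it ever ran an affected version. The inventory records and their field names (`current`, `history`, `creds_reset_after_patch`) are assumptions made for the example.

```python
import re

# Affected FortiOS ranges as listed in the article (inclusive bounds).
AFFECTED = [((6, 0, 0), (6, 0, 4)),
            ((5, 6, 3), (5, 6, 7)),
            ((5, 4, 6), (5, 4, 12))]

def parse_version(text):
    """Extract the first major.minor.patch triple as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(text):
    # Integer tuples compare numerically, so 5.4.12 sorts after 5.4.6
    # (a plain string comparison would get this wrong).
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def triage(device):
    """Return the required action for one inventory record (hypothetical schema)."""
    if is_affected(device["current"]):
        return "PATCH_AND_RESET"
    ever_affected = any(is_affected(v) for v in device["history"])
    if ever_affected and not device["creds_reset_after_patch"]:
        # Patched, but credentials may have been taken before the upgrade.
        return "RESET_CREDENTIALS"
    return "OK"

# Constructed sample inventory; device names and histories are made up.
INVENTORY = [
    {"name": "vpn-a", "current": "v5.6.5", "history": ["5.6.5"],
     "creds_reset_after_patch": False},
    {"name": "vpn-b", "current": "v6.0.5", "history": ["6.0.2", "6.0.5"],
     "creds_reset_after_patch": False},
    {"name": "vpn-c", "current": "v6.0.5", "history": ["5.4.12", "6.0.5"],
     "creds_reset_after_patch": True},
    {"name": "vpn-d", "current": "v6.2.0", "history": ["6.2.0"],
     "creds_reset_after_patch": False},
]

def report(inventory=INVENTORY):
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, action in report().items():
        print(f"{name}: {action}")
```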
Forum posts referencing the list of Fortinet VPN credentials