Victim list of Fortinet VPNs leaked to ransomware sites

Community Feature - @CryptoCypher

Curated Intelligence's founder - CryptoCypher - recently analysed and shared the Fortinet VPN victim list from a recent leak of credentials for more than 87,000 FortiGate SSL-VPN devices. The list includes the IP addresses for the affected Fortinet SSL-VPN devices shared as part of the smaller sample leaked to an underground cybercriminal forum. The list is available on GitHub, stripped of any credentials, which would allow Fortinet device owners to test if their systems were included on this leak.

The list of leaked credentials was first made available on the Ransom Anon Market Place (RAMP). The list of credentials were gathered using an old vulnerability, tracked as CVE-2018-13379. Even though patches have been made available for years, it appears many organisations still did not update their systems - despite multiple advisories from Fortinet and CERTs.

The list of credentials were later shared to the newly created Groove ransomware darknet leak site. The threat actor responsible is the administrator the RAMP hacking forum and was a previous operator Babuk ransomware. Because RAMP is a closed and vetted forum, the list of Fortinet SSL-VPN credentials were likely leaked semi-publicly in order to attract other ransomware gangs to the forum. 

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content let us know!