500,000 Fortinet VPN Credentials Got Leaked on Hackers Forum

The list of Fortinet VPN credentials was released by a malicious actor known as “Orange,” who is the administrator of the recently launched RAMP hacking forum and a past leader of the Babuk Ransomware initiative.

The file contains almost 500,000 Fortinet VPN login names and passwords that were scraped from multiple devices in an exploit about a year ago.

Orange split off to form RAMP and is now thought to be a representative of the new Groove ransomware campaign. A threat actor recently posted a message on the RAMP forum with a link to a file that allegedly contains thousands of Fortinet VPN accounts.

It appears that the RAMP hacking group released this information in order to promote itself. Some of these credentials were checked and found to still be valid.

Action Plan for Fortinet VPN admins

Ensure you change your passwords, enable 2FA for VPN connections, and patch your Fortinet firewall to the latest firmware.

To confirm whether your device is on the list, Cypher created a list of the affected IP addresses that you can check quickly here: https://gist.github.com/crypto-cypher/f216d6fa4816ffa93c5270b001dc4bdc

Fortinet addressed this issue when it happened; however, some credentials remain valid. Be sure to take action, especially if your IP is on the list.
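Checking a handful of addresses by eye is fine, but an organization with several public ranges will want to match the whole list against its own networks. The following is an added example (not code from the original post or from the linked gist); it assumes the list is one entry per line, either a bare IPv4 address or `address:port`, and the sample entries are constructed, not taken from the real list.

```python
import ipaddress

# Constructed sample in the assumed format of the leaked-device list
# (one entry per line, bare IPv4 or "address:port"); these are
# documentation-range addresses, not real entries from the gist.
SAMPLE_LIST = """\
203.0.113.10:10443
203.0.113.11
198.51.100.77:443
# blank lines and comments are ignored
192.0.2.5
"""


def parse_leaked_ips(text):
    """Return the set of IPv4 addresses found in the list text."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # A single colon means "address:port"; drop the port part.
        host = line.rsplit(":", 1)[0] if line.count(":") == 1 else line
        try:
            ips.add(ipaddress.ip_address(host))
        except ValueError:
            # Malformed entry: skip rather than abort the whole check.
            continue
    return ips


def find_exposed(leaked_ips, owned_networks):
    """Return, as strings, the leaked addresses inside your own CIDR blocks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in owned_networks]
    hits = [ip for ip in leaked_ips if any(ip in net for net in nets)]
    return [str(ip) for ip in sorted(hits)]


if __name__ == "__main__":
    # Replace the sample text with the downloaded list and the ranges
    # below with the public blocks your Fortinet devices actually use.
    exposed = find_exposed(parse_leaked_ips(SAMPLE_LIST), ["203.0.113.0/24"])
    for ip in exposed:
        print(f"Device in leaked list: {ip} - rotate credentials now")
```

Any hit means the device's VPN accounts should be treated as compromised: rotate every password on it, enable 2FA, and patch the firmware before relying on the VPN again.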

Cybersecurity is always our concern for our clients. Make sure your IT provider is aware of this leak if you are using a Fortinet firewall at your organization.