Credential Exposure Impacts Thousands of Fortinet Devices Worldwide: Emerging Threat Published on Risk Ledger
Emerging Threat

Summary

A large dataset containing credentials and configuration information associated with approximately 73,000 Fortinet VPN and firewall devices has been publicly disclosed. While this does not appear to be linked to a newly discovered Fortinet vulnerability, the exposed data could provide threat actors with access to organisations using these devices.

Threat Description

Researchers have identified a large repository containing credentials and configuration information linked to approximately 73,000 Fortinet devices worldwide. The dataset was assembled by threat actors in a campaign to harvest these credentials, and was later discovered by security researcher Bob Diachenko.

The exposed data reportedly includes usernames, passwords, VPN configuration details, and other device information that could enable attackers to gain unauthorised access to affected environments. Organisations whose devices have internet-facing management interfaces and credentials included in the leaked dataset may be at risk of compromise and should take immediate action to determine whether there is any evidence of unauthorised access.

Applicability

This threat affects any organisation using Fortinet firewalls or VPN gateways whose credentials are present in the leaked dataset. Organisations can check for their domain names using Hudson Rock's FortiBleed lookup tool (linked under "Where to find more information" below).

Relevance to the supply chain

Fortinet firewalls and VPN gateways are widely used by organisations across the globe. Given the scale of this credential exposure, devices where credentials have not been regularly rotated may be at increased risk of compromise. A successful attack against a supplier could disrupt the services that support your critical business functions. Depending on the nature of your relationship, there is also a risk that threat actors could exploit trusted connections between organisations to move through the supply chain and gain access to downstream customers or partners.

What should you do about it

Use Hudson Rock’s FortiBleed Checker to determine whether any of your Fortinet firewall or VPN devices have been exposed.

The NCSC has published an article that provides guidance for organisations to follow to investigate their exposure and perform remediation actions as needed. These steps include:

  • Use the FortiBleed Checker to look up your domains, identify any that map to leaked credentials, and confirm whether the asset belongs to you.
  • Review the exposed credentials and ensure they are not reused across other devices, systems, or services.
  • Investigate for any potentially malicious activity within your enterprise network.
  • Remove and isolate affected devices where evidence of compromise exists, and initiate incident response procedures.
  • Where credentials were exposed, rotate the affected username and password combinations and perform a factory reset on any applicable devices.
  • Ensure devices have been appropriately hardened before being returned to service, including verifying that management interfaces are not exposed to the internet and that multi-factor authentication is enforced for all management access.
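The final hardening step can be checked mechanically against a FortiGate configuration backup before a device is returned to service. The script below is an added example written for this page; it is not Risk Ledger, NCSC, Hudson Rock or Fortinet code. It reads the plain "config / edit / set / next / end" syntax of a FortiOS backup file and flags two gaps: management services (HTTPS, SSH, and so on) permitted on an interface tagged with the WAN role, and administrator accounts with no trusted-host restriction or with two-factor authentication left at its default of disabled. The sample configuration embedded in it is constructed for illustration (it contains one weak interface and admin next to their corrected counterparts) and does not come from the leaked dataset; the use of `set role wan` to identify internet-facing interfaces is an assumption, so interfaces without a role tag should still be reviewed by hand.

```python
"""Audit a FortiOS configuration backup for internet-exposed management
services and administrators without trusthost/MFA restrictions.

Added example for this advisory, not vendor or Risk Ledger code.
"""
import shlex

# 'set allowaccess' values that expose a management plane on an interface.
MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}

# Constructed sample backup (not real data): wan1 and the 'admin' account are
# weak; wan2 and the 'ops' account show the corrected settings.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "wan2"
        set vdom "root"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
    edit "ops"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set vdom "root"
        set password ENC REDACTED
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS backup syntax into nested dicts.

    Tables ('config ...') and entries ('edit ...') both become dicts;
    'set key v1 v2' becomes key -> [v1, v2]. Nested 'config' blocks inside
    an entry are stored under their own name. Comment lines are skipped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def audit(cfg):
    """Return a list of finding strings for the two hardening checks."""
    findings = []

    # 1. Management services on WAN-role interfaces. Assumption: 'set role wan'
    #    marks the internet-facing side; untagged interfaces are not flagged.
    for name, iface in cfg.get("system interface", {}).items():
        role = iface.get("role", ["undefined"])[0]
        exposed = sorted(set(iface.get("allowaccess", [])) & MGMT_SERVICES)
        if role == "wan" and exposed:
            findings.append(
                f"interface {name}: {', '.join(exposed)} allowed on a WAN interface")

    # 2. Administrators: trusthostN limits source addresses for logins, and
    #    'two-factor' defaults to 'disable' when absent from the backup.
    for name, admin in cfg.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(f"admin {name}: no trusthost restriction")
        if admin.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin {name}: multi-factor authentication not enforced")

    return findings


def audit_config_text(text):
    """Parse a backup and audit it in one step."""
    return audit(parse_fortios_config(text))


if __name__ == "__main__":
    for finding in audit_config_text(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the script reports wan1 (HTTPS and SSH reachable on a WAN interface) and the `admin` account (no trusthost, no MFA), while wan2, the LAN interface and the `ops` account pass. To run it against a real device, export the configuration from the FortiGate and pass its text to `audit_config_text`; treat the output as a starting point for the hardening review, not a complete assessment.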

Where to find more information

NCSC guidance on this incident, containing additional details on steps to investigate for potential compromise: https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways

Hudson Rock’s FortiBleed Checker: https://www.hudsonrock.com/fortinet

Bleeping Computer article providing additional context and information from the security researcher who discovered the dataset: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposaes-fortinet-vpn-credentials-for-73-000-devices/
