2021-09-09

In a major data leak, the names and passwords of around 5 lakh (500,000) users of Fortinet VPN have been leaked on the internet. The list is estimated to contain data taken from over 12,856 devices around the world.

The Fortinet credentials have been leaked for free by a threat actor known as 'Orange.' As noted by BleepingComputer in a report, Orange is the administrator of the newly launched RAMP hacking forum and has previously been involved with the Babuk ransomware operation.

In the post sharing the link to the leaked credentials, Orange claims that the credentials were scraped by exploiting a Fortinet vulnerability. The vulnerability has since been patched, but the leaked VPN usernames and passwords are still in use.

The file containing the leaked credentials is currently hosted on a Tor storage server. Having analysed it, BleepingComputer confirms that the file contains VPN credentials for 498,908 users and that all of the IP addresses it checked belonged to Fortinet VPN servers. Advanced Intel further ascertains that the data was collected from users worldwide; around 3,000 of the devices were found to be located in the USA.

Since this is a huge data set and it has been leaked for free, the hackers' intentions are not yet known, though Advanced Intel CTO Vitali Kremez suggests that the data was published publicly to promote the RAMP hacking forum by offering a "freebie" to participants.

Kremez further told BleepingComputer that the hackers exploited the Fortinet CVE-2018-13379 vulnerability to gain access to the user credentials. Another source confirmed that at least some of the leaked credentials are valid, as it was able to verify them legally.

Besides the RAMP hacking forum, the threat actor Orange is also believed to be a representative of the new Groove ransomware operation, which currently lists one victim on its data leak site. The post with the leaked Fortinet data was also seen on Groove's data leak site. By offering the data for free, the operation may be looking to recruit more threat actors.

The leak is serious because valid VPN credentials can give attackers a foothold on a network from which to extract data, install malware or carry out ransomware attacks. Fortinet users are thus advised to install the latest patch for the service and, since patching alone does not invalidate credentials that were already scraped, to perform a forced reset of all user passwords. They should also check their logs for possible intrusions.