CISA warns Fortinet users to secure devices after FortiBleed leak
Source: Bleeping Computer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure their devices after nearly 74,000 firewall and VPN credentials were exposed in a data leak dubbed “FortiBleed.”
This warning comes after threat actors used compromised credentials to target internet-accessible Fortinet devices across government and private-sector organizations worldwide.
“CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials,” it said. “This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways.”
The agency called on affected FortiGate appliance owners to terminate all SSL VPN and administrative sessions, reset all VPN and administrative passwords, enable phishing-resistant multifactor authentication, and review logs for signs of unauthorized access or lateral movement.
CISA also advised Fortinet customers to store admin credentials using the modern Password-Based Key Derivation Function 2 (PBKDF2) hashing algorithm, and to restrict firewall management interfaces from public internet access and remove any unauthorized accounts to reduce the attack surface as much as possible.
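An added triage script for the "review logs" step above (example code, not from the article, CISA or Fortinet): it parses FortiOS-style key=value event lines and flags successful SSL VPN logins by accounts that appeared in the leak, plus source IPs that failed against many distinct usernames, a credential-stuffing pattern. The sample lines, field names (`action`, `user`, `remip`) and account names are constructed assumptions; verify them against the log schema of your own firmware version.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FortiOS key=value event-log style.
# Field names and values are assumptions made for this example only.
SAMPLE_LOGS = """\
date=2024-05-01 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip="203.0.113.7"
date=2024-05-01 time=08:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip="203.0.113.7"
date=2024-05-01 time=08:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip="203.0.113.7"
date=2024-05-01 time=08:00:09 type="event" subtype="vpn" action="tunnel-up" user="carol" remip="203.0.113.7"
date=2024-05-01 time=09:12:44 type="event" subtype="vpn" action="tunnel-up" user="dave" remip="198.51.100.20"
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def triage(log_text, leaked_accounts, spray_threshold=3):
    """Return (a) successful VPN logins by accounts present in the leak and
    (b) source IPs whose failures span at least spray_threshold users."""
    leaked_logins, failed_users = [], defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn":
            continue
        if ev.get("action") == "ssl-login-fail":
            failed_users[ev.get("remip")].add(ev.get("user"))
        elif ev.get("action") == "tunnel-up" and ev.get("user") in leaked_accounts:
            leaked_logins.append((ev["user"], ev.get("remip")))
    spray_sources = sorted(ip for ip, users in failed_users.items()
                           if len(users) >= spray_threshold)
    return {"leaked_account_logins": leaked_logins, "spray_sources": spray_sources}


if __name__ == "__main__":
    # Accounts an organisation found via the leak lookup (constructed here).
    print(triage(SAMPLE_LOGS, {"carol"}))
```

Any account listed under `leaked_account_logins` should have its sessions terminated and its password reset, as CISA recommends; `spray_sources` is a starting point for blocking and for checking whether the same IPs appear in other logs.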
Credentials for over 73K firewalls exposed
The FortiBleed data leak was uncovered by security researcher Volodymyr “Bob” Diachenko, who discovered a server containing what appeared to be valid Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords for 73,932 firewall URLs worldwide.
The exposed data also includes each organization’s industry, revenue, and employee count, which Diachenko said appeared to be compiled to assist in planning future attacks.
Threat intelligence company Hudson Rock, which also analyzed the dataset, described it as one of the largest known collections of compromised Fortinet credentials, spanning 21,632 unique domains and 194 countries.
Among the organizations represented in the dataset are Samsung, Mercedes-Benz, Foxconn, Chevron, Comcast, AT&T, and Toyota, along with many government agencies and critical infrastructure operators across telecommunications, healthcare, financial services, and manufacturing industry sectors.
The largest numbers of affected devices were located in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.
Fortinet credentials found on an exposed server (Volodymyr Diachenko)
Data leak linked to Russian-speaking threat group
Diachenko also said the operation was conducted by a Russian-speaking threat group that allegedly carried out approximately 1.16 billion credential attempts against more than 320,000 FortiGate targets to intercept SSL VPN authentication hashes. The source of the configuration data remains unknown.
Cybersecurity expert Kevin Beaumont has also independently confirmed the authenticity of some credentials and noted that most affected devices remain online.
“The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data,” Beaumont said, adding that the leaked data appears to have originated from Fortinet configuration files.
However, the source of the data remains unknown, and it is unclear whether it was stolen through exploitation of previously disclosed Fortinet vulnerabilities, a newly discovered security flaw, or another method.
Hudson Rock has also created a free FortiBleed lookup tool to help organizations check whether they are affected.
On Monday, threat intelligence company Defused also reported that several critical vulnerabilities in Fortinet’s FortiSandbox cyber threat detection platform are now exploited in attacks. In total, CISA tracks 26 Fortinet security flaws that have been exploited in the wild in recent years, 13 of which were abused in ransomware attacks.