‘The risk to every organization has increased exponentially’: The FortiBleed campaign just took a turn for the worse

Reports suggest that FortiBleed-linked exposed credentials could put UK government and public services at huge risk

Plaque pictured at the Foreign, Commonwealth and Development Office building in Whitehall, London.
(Image credit: Getty Images)

Cybersecurity experts have issued an alert amid reports that hackers accessed login credentials belonging to UK government officials and Foreign Office staff.

The credentials, which are reportedly being sold on the dark web, were exposed as part of the ongoing FortiBleed attack campaign.

FortiBleed targets internet-facing Fortinet VPN and firewalls, and is believed to have affected more than 70,000 devices spanning 194 countries since it was first uncovered last month.

Analysis from SOCRadar, for example, identified a vast database containing login credentials. The threat intelligence firm has since attributed FortiBleed to the Lynx/INC ransomware group.

Latest Videos From

While this database was believed to have been limited to basic usernames and passwords, reports from The Telegraph suggest some exposed details include privileged Fortinet credentials.

Volodymyr Diachenko, a security researcher who first uncovered the threat campaign, told the publication these credentials could give bad actors access to the Foreign Office’s “core networks” along with other government departments.

Some Foreign Office credentials are now being sold on the dark web, according to reports, going for up to £40,000.

Arctic Wolf CISO Adam Marrè warned that the incident could create a domino effect, impacting other government departments and also local authorities and public services.

According to The Telegraph, credentials at NHS trusts, energy companies, and local councils were also hosted in the illicit database.

“This major breach of email accounts of UK government officials and overseas Foreign Office workers is the latest development in the ongoing FortiBleed attack,” he said.

“While it may be tempting to think this is a simple credential-stuffing operation, our threat team found the threat actors have built a highly sophisticated and repeatable credential factory,” he said.

Marrè noted that analysis of the incident conducted by Arctic Wolf shows threat actors appear to have been using automated tools to harvest logins and target gateways at “exponential speed and volume”.

“This means while today it’s the Foreign Office which has been affected, the risk to every organization has increased exponentially.”

Back and forth on FortiBleed

The discovery of the FortiBleed sparked somewhat of a back and forth between Fortinet and security researchers last month. After threat intelligence firm Hudson Rock published a blog detailing the campaign, Fortinet disputed some of its claims.

Fortinet told ITPro at the time that the exposed credentials weren’t the result of a fresh breach, insisting that those following best practices were safe from exposure.

"Fortinet is aware of a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways. We are committed to safeguarding our customers, and we diligently and continuously monitor threat actor darknet activity,” a spokesperson for the company said.

“Based on our initial analysis, the data involved is likely a resharing of data from previous incidents, as well as brute forcing of credentials, and not related to any current incident or advisory."

Hudson Rock, meanwhile, said the campaign went “beyond simply credential reuse,” highlighting that hundreds of organizations are thought to have been affected.

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.