Passwords nicked for nearly 74,000 Fortinet devices
Check if your Fortinet firewall has been compromised, companies advised
Tens of thousands of Fortinet devices may have leaked credentials after a sophisticated automated brute force campaign that has security researchers calling for affected companies to reset their passwords now.
Threat intelligence company Hudson Rock posted a blog detailing what it's named Fortibleed, saying 73,932 firewall devices had seen credentials leaked, impacting a long list of organisations – if yours is on the list, change your passwords now.
In a statement sent to ITPRO, Fortinet disputed the details, saying this wasn't the result of a fresh hack and that anyone following best practices was already safe. "Fortinet is aware of a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways. We are committed to safeguarding our customers, and we diligently and continuously monitor threat actor darknet activity. Based on our initial analysis, the data involved is likely a resharing of data from previous incidents, as well as brute forcing of credentials, and not related to any current incident or advisory."
Hudson Rock argued the incident isn't that simple – and claimed it's impacting a huge number of companies.
"The group's methodology goes beyond simple credential reuse," the blog post notes. "They actively intercept SSL VPN authentication hashes and crack them using a massive, dedicated 45-GPU cluster managed via Hashtopolis. Once the perimeter is breached, the operators systematically pivot directly into internal Active Directory environments to establish deep network persistence."
The techniques aside, it's the size of the incident that's worrying, Hudson Rock said. "The scale of this breach touches nearly every sector of the global economy, sparing no industry," the blog post added. "The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet."
What's happening?
The reporting on this incident started with a post by security researcher Volodymyr Diachenko, who spotted the mass exploitation in action last week, noting tens of thousands of companies' names were listed.
"Crooks use sophisticated hash-cracking approach to get the plaintext passwords from the Fortigate configs and use them consequently in the internal network movement and takeover," he said at the time.
Another security researcher, Kevin Beaumont, then examined the incident. He said the data appeared to be legitimate and that 75,000 devices were impacted, with most still online and the majority being Fortinet devices. Beaumont said he had worked with some of the companies and could confirm the data.
"The data comprises roughly 50% of all Fortinet firewall devices facing the internet, based on polling from Shodan," he noted.
The data could allow attackers to log in remotely and access the firewall and network it was protecting, Beaumont said. "They can also change settings, including security controls, and make backdoor users," he wrote.
What can companies do?
Fortinet said its customers following best practices and recent advice should be safe. "Organizations that follow routine best practices, including regularly rotating security credentials and enabling multi-factor authentication, as per guidance in this March blog, face minimal risk from credential compromise detail referenced in the reporting."
Beaumont advised companies to check if they were affected via the Hudson Rock list, and if so, immediately rotate all admin credentials, looking at prior logins for suspicious activity. But he said to "assume compromise" as it's unclear how long the data seen has been in circulation.
If a device is found to be compromised, it may need to be replaced entirely, as its settings may have been altered to install a backdoor, Beaumont added. Devices should be upgraded to the latest FortiOS version, and admins should log in to change passwords. More generally, he advised that the FortiOS management interface not be exposed to the internet unless strictly necessary, and that multi-factor authentication be implemented.
Hudson Rock echoed that advice, adding that companies should monitor for stolen credentials so they can spot them before they are weaponised against their networks.
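The advice above boils down to a checklist: rotate admin credentials, review prior logins for suspicious activity, look for backdoor accounts, and keep the management interface off the internet. The script below is an added example (not code from Fortinet, Hudson Rock or the researchers quoted) of how a defender could automate the "review prior logins" step. It parses a handful of constructed log lines written in a FortiOS-like key=value layout (the field names, the trusted network range and the sample entries are assumptions for illustration, not a vendor specification) and flags bursts of failed admin logins, successful logins from outside the management network, a success following failures from the same address, and creation of a new administrator account.

```python
"""Flag suspicious admin-login activity in FortiOS-style event logs.

Added example for the post-incident checks discussed above. The key=value layout,
field names and sample entries are assumptions modelled on FortiOS event logs,
not a vendor specification; adapt parse_line() to your device's actual output.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one normal admin login from the management LAN, a burst of
# failed logins from an internet address, a success from that same address, and a
# new administrator account being added from it.
SAMPLE_LOGS = """\
date=2026-01-12 time=08:01:10 type=event subtype=system action=login status=success user=admin srcip=10.0.0.5 ui=https(10.0.0.5)
date=2026-01-12 time=09:14:02 type=event subtype=system action=login status=failed user=admin srcip=198.51.100.7 ui=https(198.51.100.7)
date=2026-01-12 time=09:14:09 type=event subtype=system action=login status=failed user=admin srcip=198.51.100.7 ui=https(198.51.100.7)
date=2026-01-12 time=09:14:17 type=event subtype=system action=login status=failed user=admin srcip=198.51.100.7 ui=https(198.51.100.7)
date=2026-01-12 time=09:14:26 type=event subtype=system action=login status=failed user=admin srcip=198.51.100.7 ui=https(198.51.100.7)
date=2026-01-12 time=09:14:40 type=event subtype=system action=login status=failed user=admin srcip=198.51.100.7 ui=https(198.51.100.7)
date=2026-01-12 time=09:15:01 type=event subtype=system action=login status=success user=admin srcip=198.51.100.7 ui=https(198.51.100.7)
date=2026-01-12 time=09:16:30 type=event subtype=system action=Add cfgpath=system.admin cfgobj=svc_backup user=admin srcip=198.51.100.7 msg="Add system.admin svc_backup"
"""

# Networks from which administrative logins are expected (assumed for the example).
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]

# key=value pairs; values may be bare tokens or double-quoted strings with spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict and add a parsed '_ts' datetime."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    fields["_ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def is_trusted(ip, nets):
    """True if ip falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def analyse(lines, trusted_nets, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of (finding, source_ip, subject) tuples, in log order."""
    findings = []
    failures = defaultdict(list)  # srcip -> timestamps of failed admin logins
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        src = ev.get("srcip")
        if ev.get("action") == "login":
            if ev.get("status") == "failed":
                failures[src].append(ev["_ts"])
                recent = [t for t in failures[src] if ev["_ts"] - t <= window]
                # Alert exactly once, when the burst first reaches the threshold.
                if len(recent) == fail_threshold:
                    findings.append(("brute_force", src, ev.get("user")))
            elif ev.get("status") == "success":
                if not is_trusted(src, trusted_nets):
                    findings.append(("untrusted_source_login", src, ev.get("user")))
                if failures[src]:
                    findings.append(("success_after_failures", src, ev.get("user")))
        elif ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
            # A new administrator object is the kind of "backdoor user" to look for.
            findings.append(("admin_account_created", src, ev.get("cfgobj")))
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return analyse(SAMPLE_LOGS.splitlines(), TRUSTED_MGMT)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Point `analyse()` at an exported event log instead of `SAMPLE_LOGS`, and set `TRUSTED_MGMT` to the networks your admins actually connect from; any `untrusted_source_login` or `admin_account_created` hit is a reason to treat the device as compromised and follow the replacement and re-credentialing steps above rather than just rotating one password.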
Hudson Rock added that one "alarming detail" from the breach was how many complex passwords were successfully compromised, noting that IT departments lean on rigid password rules in a bid for protection. "However, complexity is completely neutralized when passwords are recovered in plaintext," the company noted.
Hudson Rock added: "This massive incident serves as a glaring reminder that exposed network gateways combined with reused or stolen credentials are an attacker's dream."
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.