Dive Brief:
- The leak of tens of thousands of Fortinet VPN credentials earlier this week may signal the emergence of a new ransomware syndicate that split off from the Babuk ransomware group.
- A malicious actor dumped credentials for almost 87,000 FortiGate SSL-VPN devices. The credentials were harvested from devices exposed to an old vulnerability that Fortinet resolved in May 2019, according to a blog the company posted Wednesday.
- The actor behind the dump is a former operator at Babuk and a current representative of Groove ransomware, according to researchers at AdvIntel. The actor is also seen as the creator of RAMP, an underground ransomware forum.
Dive Insight:
The stolen Fortinet credentials came from systems that were unpatched against FG-IR-18-384/CVE-2018-13379 at the time they were scraped, according to Fortinet. The vulnerability has since been patched, but the company said that patching alone does not help: any device whose passwords were harvested before the upgrade and never reset can still be logged into with those credentials.
Fortinet issued a bulletin in November 2019 about the path traversal vulnerability in the FortiOS SSL VPN web portal that could allow unauthenticated outside attackers to download FortiOS system files. Additional bulletins were issued, warning of attacks by various actors, including APT29, or Cozy Bear. The FBI and the Cybersecurity and Infrastructure Security Agency posted a joint advisory related to these same vulnerabilities in April.
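The practical question for a defender reading the bulletin is whether a portal was probed this way before it was patched, since a successful traversal means the credentials on that device must be treated as stolen. The following is an added example written for this page, not Fortinet's code and not taken from any of the advisories: it scans access-log lines for requests whose path or query values climb above the web root, after undoing repeated percent-encoding, and reports the client addresses involved. The log format, the `/remote/` portal prefix, the parameter name and the request paths in the sample are all constructed for illustration and are not the actual request used against CVE-2018-13379.

```python
"""Flag path-traversal attempts against an SSL-VPN web portal in access logs.

Added example, not Fortinet's code or a vendor detection rule. The log
format, the portal prefix and the request paths are constructed for
illustration and are not the actual CVE-2018-13379 request.
"""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample log lines in Common Log Format style; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Sep/2021:10:12:01 +0000] "GET /remote/login HTTP/1.1" 200 4211
203.0.113.7 - - [07/Sep/2021:10:12:03 +0000] "GET /remote/portal?lang=en HTTP/1.1" 200 1208
198.51.100.9 - - [07/Sep/2021:10:12:09 +0000] "GET /remote/portal?lang=/../../../../etc/passwd HTTP/1.1" 200 9921
198.51.100.9 - - [07/Sep/2021:10:12:10 +0000] "GET /remote/portal?lang=%2F..%252F..%252F..%252Fetc%252Fshadow HTTP/1.1" 200 9921
192.0.2.4 - - [07/Sep/2021:10:12:12 +0000] "GET /remote/portal?lang=en/../fr HTTP/1.1" 200 1208
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to dodge filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(value):
    """True if a path-like value ever climbs above the directory it starts in.

    Normalises backslashes and runs of slashes first so that '/..//..' and
    '..\\..' are judged the same way as '../..'.
    """
    v = fully_decode(value).replace("\\", "/")
    v = re.sub(r"/+", "/", v)
    depth = 0
    for seg in v.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze(log_text, portal_prefix="/remote/"):
    """Return (ip, request_target, where) for each request under the portal
    prefix whose path or any query value escapes the web root."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        parts = urlsplit(m["target"])
        if not fully_decode(parts.path).startswith(portal_prefix):
            continue
        if escapes_root(parts.path):
            findings.append((m["ip"], m["target"], "path"))
            continue
        # parse_qsl decodes one layer; fully_decode() handles the rest.
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            if escapes_root(val):
                findings.append((m["ip"], m["target"], f"query:{key}"))
                break
    return findings


def suspicious_sources(findings):
    """Distinct client addresses to pivot on; a hit with a 200 response means
    the device's stored credentials must be treated as harvested."""
    return sorted({ip for ip, _, _ in findings})


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for ip, target, where in hits:
        print(f"{ip} {where} {target}")
    print("reset credentials on devices probed by:", suspicious_sources(hits))
```

Two caveats a practitioner should keep in mind. A detector like this only sees what was logged and retained, and the credential harvesting behind this dump happened long before the leak, so an empty result from a few weeks of logs proves nothing; Fortinet's guidance to reset every password on an affected device applies regardless. And the `en/../fr` request is deliberately not flagged: a `..` that stays inside its starting directory is ordinary, and treating every `..` as an attack buries the real hits in noise.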
Fortinet is urging customers to upgrade to a patched FortiOS release, according to a spokesperson. The company also reminded customers that upgrading is not enough on its own: they need to treat all passwords on affected devices as compromised, perform an organization-wide credential reset and enable multifactor authentication.
The list posted on the Groove ransomware data leak site contained 799 directories and 86,941 purportedly compromised VPN credentials, which ties the dump directly to the Groove ransomware operation, according to Anastasia Sentsova, cybercrime intelligence analyst at AdvIntel.
"While the reason for the leak is still under investigation, we might assume that the Fortinet credentials were used to promote the Groove ransomware and attract new affiliates," Sentsova said via email.
The breakup of the Babuk operation and its affiliates may have been related to the ransomware attack against the Metropolitan Police Department in Washington, D.C., according to the AdvIntel blog, which cited claims from the threat actor that researchers say operates under the name "Songbird."
So far the Groove ransomware group has posted leaked data from only one direct victim, a German manufacturing company whose information was published on Aug. 27, according to AdvIntel.