Cyberwire Daily

NCSC Urges Fortinet Customers to Tackle FortiBleed Fallout

By Team-CWD | June 23, 2026


The UK’s National Cyber Security Centre (NCSC) has released guidance for Fortinet customers impacted by a global credential theft campaign.

A database of around 75,000 credentials stolen from FortiGate firewall and SSL VPN customers was discovered by security researchers last week. Dubbed “FortiBleed,” it features usernames, email addresses and plaintext passwords for organizations including Oracle, Spotify, Toyota and AT&T.

It is understood that credentials on around half of all internet-accessible Fortinet firewalls may have been exposed in this way.

According to Hudson Rock, a firm specializing in infostealer malware, the exposed logins impact customers in 194 countries and are linked to over 21,000 unique domains.


It’s unclear exactly how the targeted devices were originally accessed – potentially by exploiting legacy vulnerabilities in the products, or a novel zero day.

However, it seems that the threat actors first stole configuration data and then brute-forced the passwords contained within.

The NCSC cited “brute-force, dictionary and credential stuffing attempts.”

Reports suggest many organizations have already suffered full network compromise as a result, and any organization featured in the database is at risk.

The leaked information “is formatted in a way which looks like an eCrime gang – e.g. it lists the type of company, their revenue and country,” said cybersecurity researcher, Kevin Beaumont.

“The operation’s footprint is staggering: the attackers executed an estimated 1.16 billion credential attempts against over 320,000 FortiGate targets, alongside an additional 2.1 billion brute-force attempts directed at over 160,000 MSSQL servers,” added Hudson Rock.

NCSC Guidance

The NCSC urged Fortinet customers to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools to see if their devices have been affected, and then to look for indicators of compromise (IoCs) such as unauthorized account creation, or unexpected activity in log files.

It then advised impacted organizations to:

  • Isolate compromised devices from the internet and internal networks
  • Report the incident to the government and consider using an assured incident response provider
  • Obtain logs, configs and other artefacts from the device then factory reset it
  • Investigate other edge devices that share credentials with the compromised device 
  • Investigate devices reachable by the compromised device and monitor firewall logs for suspicious activity to ensure no onward compromise has occurred
  • Harden the re-commissioned system by ensuring it’s on the latest version, has strong, unique admin passwords and multi-factor authentication (MFA) applied, and is not exposed to the internet. Users should also enable PBKDF2 for the admin interface
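
The log review described above, as an added example (not from the article, the NCSC or Fortinet): it scans exported event logs for admin accounts outside an approved list and for source addresses that log in successfully after repeated failures. The log lines are constructed, and the field names and the threshold of three failures are assumptions to adapt to the device's actual log schema.

```python
import re
from collections import Counter

# Constructed sample in the key=value style of firewall event logs. The field
# names (action, status, srcip, cfgpath, cfgobj) are assumptions for this demo.
SAMPLE_LOG = '''
date=2026-06-20 time=02:11:05 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7
date=2026-06-20 time=02:11:06 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7
date=2026-06-20 time=02:11:08 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7
date=2026-06-20 time=02:11:09 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.7
date=2026-06-20 time=02:12:40 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="svc_backup" user="admin"
date=2026-06-20 time=08:30:12 type="event" subtype="system" action="login" status="failed" user="j.smith" srcip=198.51.100.20
date=2026-06-20 time=08:30:30 type="event" subtype="system" action="login" status="success" user="j.smith" srcip=198.51.100.20
date=2026-06-20 time=09:02:00 type="event" subtype="system" action="Add" cfgpath="firewall.policy" cfgobj="12" user="j.smith"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def triage(log_text, known_admins, fail_threshold=3):
    """Flag unapproved admin accounts and password-guessing sources."""
    fails = Counter()
    report = {"new_admins": [], "guessing_sources": set(),
              "success_after_guessing": set()}
    for line in filter(str.strip, log_text.splitlines()):
        e = parse(line)
        if e.get("action") == "Add" and e.get("cfgpath") == "system.admin":
            # Account creation outside the approved list is an IoC.
            if e.get("cfgobj") not in known_admins:
                report["new_admins"].append(e.get("cfgobj"))
        elif e.get("action") == "login" and "srcip" in e:
            ip = e["srcip"]
            if e.get("status") == "failed":
                fails[ip] += 1
                if fails[ip] >= fail_threshold:
                    report["guessing_sources"].add(ip)
            elif e.get("status") == "success" and ip in report["guessing_sources"]:
                # A login that follows a burst of failures is the priority lead.
                report["success_after_guessing"].add(ip)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, known_admins={"admin", "j.smith"}))
```

A single mistyped password followed by a success, as with the second source address in the sample, stays below the threshold and is not flagged.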


