Massive attack on Fortinet firewalls? 74,000 devices affected by FortiBleed
Security researchers discovered a major attack on security appliances: thousands of cracked firewalls and billions of attempted passwords.
Firewalls and VPN gateways are a lucrative target for attacks – after all, they guard the entrance to corporate networks. A security researcher has now, by his own account, uncovered a large-scale attack campaign against devices from the manufacturer Fortinet: around 74,000 are said to have been compromised.
It is unclear who is behind the attack, but discoverer Volodymyr Diachenko mentions a “Russian-speaking cybercrime group with several members.” This group initially tried login credentials en masse – for example, from previous data leaks – against Fortinet devices, a total of 1.16 billion username and password combinations.
The number of devices attacked via “FortiBleed” is also astronomical: 320,000, half of all Fortinet devices reachable from the internet. Of these, the criminals successfully obtained login credentials for 73,932 Fortinet appliances worldwide, Diachenko explains. The figures cannot be independently verified. In the majority of cases, the management interfaces were likely accessible from the internet.
However, how the attackers gained access to the devices remains unclear. Security expert Kevin Beaumont suspects they might have used a previously unknown security vulnerability to gain access. They then extracted the device configuration and cracked the password hashes contained within by brute force on a specialized cluster with 48 GPUs. In older versions of Fortinet firmware, passwords are hashed with salted SHA-256, which can be attacked much more efficiently using tools like hashcat than the PBKDF2 variant with a random salt that is standard from FortiOS 7.2.11 onwards.
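The difference between the two hashing schemes is the whole reason the 48-GPU cluster matters. The following Python example is added here for illustration and is not Fortinet's code or its actual storage format: it implements a single-pass salted SHA-256 record beside a PBKDF2-HMAC-SHA256 record (the iteration count is an assumed value), verifies both with a constant-time comparison, upgrades a legacy record to PBKDF2 the next time the user authenticates, and measures how many times more work a single guess costs under PBKDF2.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for the example; not Fortinet's actual PBKDF2 parameter.
PBKDF2_ITERATIONS = 100_000


def hash_salted_sha256(password: str, salt: bytes) -> bytes:
    """Legacy-style scheme: one SHA-256 over salt || password.
    The salt defeats precomputed tables, but every guess costs a single hash."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the same primitive iterated, so a guess costs ~iterations hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, scheme: str = "pbkdf2", iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build a stored credential record with a fresh random salt (illustrative layout)."""
    salt = os.urandom(16)
    if scheme == "sha256":
        return {"scheme": "sha256", "salt": salt, "hash": hash_salted_sha256(password, salt)}
    return {"scheme": "pbkdf2", "iterations": iterations, "salt": salt,
            "hash": hash_pbkdf2(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Recompute under the record's scheme and compare in constant time."""
    if record["scheme"] == "sha256":
        candidate = hash_salted_sha256(password, record["salt"])
    else:
        candidate = hash_pbkdf2(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def verify_and_upgrade(password: str, record: dict, iterations: int = PBKDF2_ITERATIONS):
    """Verify; if the record is still legacy and the password is right, re-store it under PBKDF2.
    Returns (ok, record) so the caller can persist the upgraded record."""
    if not verify(password, record):
        return False, record
    if record["scheme"] == "sha256":
        record = make_record(password, "pbkdf2", iterations)
    return True, record


def seconds_per_guess(scheme_fn, n: int) -> float:
    """Average wall-clock cost of one candidate evaluation under scheme_fn."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(n):
        scheme_fn(f"candidate{i}", salt)
    return (time.perf_counter() - start) / n


def cost_ratio(iterations: int = 10_000) -> float:
    """How many times more expensive one PBKDF2 guess is than one salted-SHA-256 guess."""
    legacy = seconds_per_guess(hash_salted_sha256, 2000)
    slow = seconds_per_guess(lambda p, s: hash_pbkdf2(p, s, iterations), 20)
    return slow / legacy


if __name__ == "__main__":
    rec = make_record("correct horse battery", "sha256")
    ok, rec = verify_and_upgrade("correct horse battery", rec)
    print("login ok:", ok, "stored scheme now:", rec["scheme"])
    print(f"one PBKDF2 guess (10k iterations) costs ~{cost_ratio(10_000):.0f}x a salted SHA-256 guess")
```

The ratio scales linearly with the iteration count, which is why the same password list that falls quickly against salted SHA-256 becomes impractical against PBKDF2 on the same hardware; the upgrade-on-login path is how a fleet that still carries legacy records migrates without forcing every user to reset at once.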
Meanwhile, a Fortinet spokesperson told TechCrunch that the company was aware of a credential theft campaign targeting Fortinet firewalls and VPNs. According to the manufacturer's analyses, the data consists of information from previous incidents as well as credentials cracked via brute force. They are not related to recent incidents or security advisories. Kevin Beaumont has seen the data and his assessment differs: “The IP addresses are largely different to the Belsen Group leak, which was 15k devices. It includes mostly devices not in the Belsen Group leak, and in this case most of the devices are still online — this isn’t data from 2022.”
German devices also affected
Luckily, no taken-over Fortinet devices at heise.de.
Among the affected devices are about 120 whose domain suggests a location in Germany, including various devices in the Telekom network or at Mercedes-Benz. The threat intelligence company Hudson Rock provided us with a list of affected .de domains and has set up an information page with a query option.
Affected parties should reset all credentials on compromised devices to secure passwords, check for suspicious access to downstream networks, and enforce multi-factor authentication, for example for VPN logins. Since it is not even clear at this time whether the attacks occurred via an existing security vulnerability in FortiOS, there are no patches, and a statement from Fortinet's security team is also pending.
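"Check for suspicious access" is the step most teams find hardest to make concrete. The Python script below is an added example, not from the article or from Fortinet: it parses a handful of constructed log lines written in a simplified FortiGate-style key=value layout (the field names and the management network are assumptions for the example) and applies three checks that follow directly from the campaign described above: an administrator login from outside the trusted management network, a VPN user connecting from a source address never seen in the baseline period, and several different accounts succeeding from one source address, which is what a batch of stolen credentials being replayed looks like.

```python
import ipaddress
import re
from collections import defaultdict

# Networks from which admin logins are expected (assumed for the example).
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample lines in a simplified FortiGate-style key=value layout (not real device output).
SAMPLE_LOGS = """\
date=2025-01-10 time=08:01:12 type=event subtype=system action=login status=success user=admin srcip=10.0.0.5
date=2025-01-10 time=08:05:40 type=event subtype=vpn action=tunnel-up status=success user=jdoe remip=203.0.113.7
date=2025-01-10 time=09:12:03 type=event subtype=vpn action=tunnel-up status=success user=asmith remip=198.51.100.20
date=2025-01-11 time=02:14:55 type=event subtype=system action=login status=success user=admin srcip=192.0.2.33
date=2025-01-11 time=02:15:10 type=event subtype=vpn action=tunnel-up status=success user=jdoe remip=192.0.2.33
date=2025-01-11 time=02:16:44 type=event subtype=vpn action=tunnel-up status=success user=asmith remip=192.0.2.33
date=2025-01-11 time=02:17:01 type=event subtype=vpn action=tunnel-up status=success user=bwong remip=192.0.2.33
"""

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logs(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_trusted_mgmt(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)


def analyze(events: list, baseline_until: str = "2025-01-10", fanout_threshold: int = 3) -> list:
    """Return (finding_kind, subject, source_ip) tuples.

    Events dated on or before baseline_until build each user's set of known VPN
    source addresses; later events are judged against that baseline."""
    findings = []
    known_vpn_ips = defaultdict(set)   # user -> source IPs seen during baseline
    users_per_ip = defaultdict(set)    # source IP -> distinct users that succeeded from it
    for ev in events:
        if ev.get("status") != "success":
            continue
        if ev.get("subtype") == "system" and ev.get("action") == "login":
            if not is_trusted_mgmt(ev["srcip"]):
                findings.append(("admin-login-untrusted", ev["user"], ev["srcip"]))
        elif ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up":
            user, ip = ev["user"], ev["remip"]
            if ev["date"] <= baseline_until:          # ISO dates compare correctly as strings
                known_vpn_ips[user].add(ip)
            elif ip not in known_vpn_ips[user]:
                findings.append(("vpn-new-source", user, ip))
            users_per_ip[ip].add(user)
    for ip, users in users_per_ip.items():
        if len(users) >= fanout_threshold:
            findings.append(("many-users-one-ip", ",".join(sorted(users)), ip))
    return findings


if __name__ == "__main__":
    for kind, subject, ip in analyze(parse_logs(SAMPLE_LOGS)):
        print(f"{kind:22} {subject:20} from {ip}")
```

Run against the constructed sample, the script flags the off-hours admin login from 192.0.2.33, three VPN users appearing from that same new address, and the address itself as a fan-out source; on a real device the same logic would be fed from the exported event log, with the management network and baseline window set to match the environment.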
Because Fortinet devices provide access to networks, they are a popular target for attackers. On Wednesday, for example, attacks on FortiSandbox became known.
Added Kevin Beaumont’s assessment of the possible data sources.
(cku)