Fortinet breach exposes credentials for thousands of networks

Researchers say attackers compromised nearly 74,000 Fortinet devices and exposed plaintext credentials tied to major companies and agencies.

By James Whitfield · Staff Writer

Researchers say Russian-speaking attackers compromised nearly 74,000 Fortinet devices and exposed plaintext credentials for organizations across 194 countries. The finding matters because the affected firewalls sit at network edges and can give intruders access to internal systems used by major companies, government bodies and infrastructure providers.

Bob Diachenko, a security researcher who heads SecurityDiscovery.com, said he found the data after accessing the attackers’ command-and-control server and related infrastructure. Diachenko said the records covered devices from more than 21,000 IP addresses and included organization details such as industry, revenue and employee count.

The exposed data included organizations such as Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor and Fortinet, according to Diachenko and researchers who reviewed the material. Hudson Rock, a security firm that analyzed the data, said other entries included Foxconn, Samsung, Comcast, Siemens, PwC and Accenture, along with major government agencies and critical infrastructure providers.

Researchers warn credentials are still usable

Independent security researcher Kevin Beaumont said “almost all” of the affected devices remained online as of Wednesday morning. Beaumont also said he confirmed with multiple organizations listed in the attackers’ logs that the credentials were real and current.

Beaumont said the exposed devices amount to about half of all Internet-facing Fortinet firewalls, based on Shodan polling. In many cases, he said, attackers used their access to the firewalls to reach centralized authentication systems, including RADIUS servers and Microsoft Active Directory.

Hudson Rock said the breach touched nearly every sector of the global economy and called the attackers’ dataset a verified collection of working credentials for large enterprises. The firm identified India, the United States, Taiwan, Mexico, Turkey and Thailand as the countries with the most compromised devices.

The top affected sectors, according to Hudson Rock, included IT services, construction materials, telecommunications, construction and engineering, industrial equipment and financial services.

How the operation worked

Diachenko said the criminally motivated group scanned the Internet for FortiGate remote login endpoints. He said the attackers then used a custom tool running 25,000 threads to test large numbers of username and password combinations against hundreds of thousands of endpoints.

Hudson Rock said the attackers also intercepted SSL VPN authentication hashes and cracked them with a dedicated 45-GPU cluster managed through Hashtopolis. The firm said the recovered passwords helped the group move laterally into Active Directory environments and other centralized authentication systems.

Hudson Rock said Diachenko’s research found full network compromises at organizations in Japan, Taiwan, Vietnam, Iraq and Turkey. The firm said one Turkish NATO defense contractor had classified defense documents taken by the group.

Diachenko said the attackers used a feedback-based, 12-level recursive cracking system that refined password guesses after each success. He described the technique as innovative, while also saying the group left artifacts on its own server that exposed its activity.

Diachenko, Beaumont and Hudson Rock urged Fortinet users to check their networks immediately for signs of compromise. Hudson Rock has published a search tool for affected domains at hudsonrock.com/fortinet.

This story draws on original reporting from Ars Technica.