- The leak of tens of thousands of Fortinet VPN credentials earlier this week may signal the emergence of a new ransomware syndicate that split off from the Babuk ransomware group.
- A malicious actor dumped the credentials for almost 87,000 FortiGate SSL-VPN devices that originally relate to an old vulnerability resolved in May 2019, according to a blog from Fortinet posted Wednesday.
- The actor behind the dump is a former operator at Babuk and a current representative of Groove ransomware, according to researchers at AdvIntel. The actor is also seen as the creator of RAMP, an underground ransomware forum.
The stolen Fortinet credentials came from systems that were unpatched against FG-IR-18-384/CVE-2018-13379, according to Fortinet. The vulnerabilities have since been patched, but the company said if passwords have not yet been reset, they are still vulnerable to being accessed.
Fortinet issued a bulletin in November 2019 about the path traversal vulnerability in the FortiOS SSL VPN web portal that could allow unauthenticated outside attackers to download FortiOS system files. Additional bulletins were issued, warning of attacks by various actors, including APT29, or Cozy Bear. The FBI and the Cybersecurity and Infrastructure Security Agency posted a joint advisory related to these same vulnerabilities in April.
Fortinet is urging customers to implement a patch upgrade, according to a spokesperson. The company also reminded customers they need to treat all passwords as compromised, do an organization-wide reset and implement multifactor authentication.
The list on the Groove ransomware data leak site contained 799 directories and 86,941 purportedly compromised VPN credentials, indicating a direct correlation between the event and the Groove ransomware operations, according to Anastasia Sentsova, cybercrime intelligence analyst at AdvIntel.
"While the reason for the leak is still under investigation, we might assume that the Fortinet credentials were used to promote the Groove ransomware and attract new affiliates," Sentsova said via email.
The breakup of the Babuk operation from its affiliates may have been related to the ransomware attack against the Metropolitan Police Department in Washington D.C., according to the AdvIntel blog, which cited claims from the threat actor that researchers say operates under the name "Songbird."
The Groove ransomware group has leaked data posted against one direct victim, a German manufacturing company whose information was posted on Aug. 27, according to AdvIntel.