A malicious operator has leaked an extensive list containing close to 500,000 password and login names for the Fortinet virtual private network (VPN). The disclosed credentials were allegedly obtained during last summer, scraped from vulnerable user devices.

The cybercriminal responsible for the leak has commented that while the Fortinet vulnerability has now been patched, the numerous VPN credentials exposed remain valid.

This dangerous data leak is an incident of some severity as the dedicated VPN credentials could potentially enable threat operators to access a network and perform numerous nefarious tasks like data exfiltration, malware installation, and the execution of ransomware attacks.

VPN credentials leaked on forum for free

The document listing close to half a million different Fortinet password-username combinations was leaked entirely for free by a hacker using the handle ‘Orange.’ The threat actor currently holds the position of administrator on the recently launched hacking forum known as RAMP and is also a ransomware operator known to have previously worked with the notorious Babuk group.

Following disputes between gang members within the Babuk outfit, the actor known as Orange exited the operation to form the RAMP forum and is currently believed to be active as a representative of a new ransomware operation called Groove.

Orange recently created a post on RAMP’s forum that included a link to a data file that allegedly contained thousands of dedicated Fortinet VPN accounts.

Simultaneously, another post was made on Groove ransomware’s official data leak site, with content promoting the recent exposure of the Fortinet credentials.

Both of these posts direct users to a file hosted on a storage server employed by the Groove ransomware gang, where it hosts stolen files that are being leaked to put pressure on ransomware victims to make payments.

Expert file analysis by computer help site BleepingComputer has revealed that the data file stored on the Tor server contains a total of 498,908 VPN user credentials from 12,856 different devices. While the legitimacy of the passwords and login names was not examined, all of the IP addresses present were verified as being Fortinet VPN servers.

How the leaked Fortinet servers are distributed

Chief Technical Officer (CTO) for Advanced Intel and renowned ethical hacker Kremez has commented that the recently patched Fortinet vulnerability tracked as CVE-2018-13379 was exploited by hackers to steal the leaked credentials.

At present, it is not known why Orange decided to release the login details on the forum instead of using them in a ransomware scheme, but it is believed that the move was designed to promote Groove as a ransomware-as-a-service solution and increase the respect and reputation of RAMP among the hacker community.

Kremez commented:

“We believe with high confidence the VPN SSL leak was likely accomplished to promote the new RAMP ransomware forum offering a “freebie” for wannabe ransomware operators.”

Further analysis carried out by cybersecurity researchers at Advanced Intel showed that the IP addresses are for devices located all over the world. Just under 2% of the victims were based in the UK, with India, Taiwan and Italy being the most heavily hit areas.