
NCSC Urges Fortinet Customers to Address FortiBleed Fallout


The UK’s National Cyber Security Centre (NCSC) has issued guidance to Fortinet customers in response to a global credential-theft campaign. The campaign came to light with the discovery of a database of roughly 75,000 stolen credentials belonging to users of Fortinet’s FortiGate firewalls and SSL VPN. The database, dubbed “FortiBleed,” was uncovered by security researchers last week and contains usernames, email addresses and plaintext passwords from numerous organisations, including Oracle, Spotify, Toyota and AT&T.

It has been reported that around half of all internet-exposed Fortinet firewalls may have been affected. According to Hudson Rock, a company that tracks infostealer malware, the leaked credentials belong to customers in 194 countries and are associated with more than 21,000 unique domains.

The precise method by which the threat actors gained access to the affected devices remains unclear; the indications so far are that they exploited older, already-patched vulnerabilities in Fortinet products or possibly a previously unknown zero-day. Early analysis suggests the attackers first stole device configuration data and then ran brute-force attacks against the credentials stored in it.

The NCSC’s findings indicate that the threat actors used brute-force and dictionary attacks alongside credential stuffing, in which credentials stolen from one service are replayed against others. Reports from the incident indicate that numerous organisations have already suffered full network compromise as a direct result. Any organisation listed in the exposed database should assume it is at heightened risk of follow-on attacks.

Kevin Beaumont, a well-known security researcher, commented that the formatting of the leaked data suggests the methodical approach of an organised eCrime gang. He put the scale of the operation at an estimated 1.16 billion credential attempts against more than 320,000 FortiGate targets, plus roughly 2.1 billion brute-force attempts against more than 160,000 MSSQL servers.

In light of the breach, the NCSC has stressed the need for proactive action by Fortinet customers. The agency has urged those at risk to use Hudson Rock’s and SOCRadar’s FortiBleed checker tools to determine whether their devices appear in the leaked database. Whether or not they appear, organisations are encouraged to examine their devices for indicators of compromise (IoCs), such as administrator accounts they did not create, configuration changes they did not make, or anomalous login activity in the event logs.

For those affected, the NCSC has outlined several actions to take immediately. Compromised devices should be isolated from both the internet and the internal network to prevent further unauthorised access. Organisations should report the incident to the relevant authorities and consider engaging an NCSC-assured incident response provider to assist with the aftermath.

Before performing a factory reset, organisations must collect logs, the running configuration and other artefacts from the compromised device, since the reset destroys on-box evidence that an investigation will need. They should also investigate other edge devices that may share credentials with the affected device, and keep monitoring firewall logs for suspicious activity that could indicate continued compromise.
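As an added example, not NCSC, Fortinet or Hudson Rock tooling and not code from the original article, the script below triages FortiOS-style key=value event logs for the indicators this guidance calls out: administrator accounts added outside a sanctioned set, bursts of failed admin logins consistent with brute force or credential stuffing, a successful login immediately after such a burst, and admin logins from outside the trusted management range. The sample log lines, the trusted management subnet 10.0.10.0/24, the expected-admin set and the five-failures-in-five-minutes threshold are constructed assumptions; real logs carry additional fields (logid, devid and so on) that the parser simply ignores.

```python
"""Triage FortiGate event logs for the IoCs named in the NCSC guidance.

Added example, not vendor or NCSC tooling. Field names (user, srcip, action,
status, cfgpath, cfgobj) follow the FortiOS key=value convention; the sample
lines, trusted subnet, admin allowlist and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example: where admins should log in from, which admin
# accounts are sanctioned, and what counts as a failed-login burst.
TRUSTED_MGMT = [ipaddress.ip_network("10.0.10.0/24")]
EXPECTED_ADMINS = {"admin", "netops"}
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed sample logs (trimmed to the fields used here), not from any real device.
SAMPLE_LOGS = """\
date=2025-03-01 time=09:00:01 devname="fw-edge-1" type="event" subtype="system" user="admin" ui="https(10.0.10.5)" srcip=10.0.10.5 action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.10.5)"
date=2025-03-01 time=09:12:00 devname="fw-edge-1" type="event" subtype="system" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="login" status="failed" msg="Administrator admin login failed from ssh(203.0.113.77) because of invalid password"
date=2025-03-01 time=09:12:10 devname="fw-edge-1" type="event" subtype="system" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="login" status="failed" msg="Administrator admin login failed from ssh(203.0.113.77) because of invalid password"
date=2025-03-01 time=09:12:20 devname="fw-edge-1" type="event" subtype="system" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="login" status="failed" msg="Administrator admin login failed from ssh(203.0.113.77) because of invalid password"
date=2025-03-01 time=09:12:30 devname="fw-edge-1" type="event" subtype="system" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="login" status="failed" msg="Administrator admin login failed from ssh(203.0.113.77) because of invalid password"
date=2025-03-01 time=09:12:40 devname="fw-edge-1" type="event" subtype="system" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="login" status="failed" msg="Administrator admin login failed from ssh(203.0.113.77) because of invalid password"
date=2025-03-01 time=09:12:50 devname="fw-edge-1" type="event" subtype="system" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="login" status="success" msg="Administrator admin logged in successfully from ssh(203.0.113.77)"
date=2025-03-01 time=09:13:10 devname="fw-edge-1" type="event" subtype="system" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="Add" cfgpath="system.admin" cfgobj="support_tmp" cfgattr="accprofile[super_admin]" msg="Add system.admin support_tmp"
date=2025-03-01 time=09:20:00 devname="fw-edge-1" type="event" subtype="system" user="netops" ui="https(198.51.100.9)" srcip=198.51.100.9 action="login" status="success" msg="Administrator netops logged in successfully from https(198.51.100.9)"
date=2025-03-01 time=09:21:00 devname="fw-edge-1" type="traffic" subtype="forward" srcip=10.0.20.4 dstip=93.184.216.34 action="accept"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiOS key=value line into a dict, stripping quotes."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    if "date" in rec and "time" in rec:
        rec["ts"] = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
    return rec


def is_trusted(ip):
    """True if ip lies inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT)


def triage(log_text):
    """Return (indicator, detail) findings, in log order, from raw log text."""
    findings = []
    recent_fails = defaultdict(deque)  # srcip -> timestamps of failures in WINDOW
    burst_reported = set()
    for line in log_text.splitlines():
        r = parse_line(line)
        if r.get("type") != "event" or "ts" not in r:
            continue
        src, ts = r.get("srcip", ""), r["ts"]
        # 1. Administrator account created that is not in the sanctioned set.
        if r.get("cfgpath") == "system.admin" and r.get("action") == "Add":
            acct = r.get("cfgobj", "?")
            if acct not in EXPECTED_ADMINS:
                findings.append(("unauthorised_admin_created", f'{acct} by {r.get("user")} from {src}'))
        if r.get("action") != "login":
            continue
        q = recent_fails[src]
        while q and ts - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        # 2. Burst of failed logins from one source (brute force / stuffing).
        if r.get("status") == "failed":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and src not in burst_reported:
                burst_reported.add(src)
                findings.append(("login_burst", f"{len(q)} failures from {src} within {WINDOW}"))
        # 3. Success right after a burst, or from outside the trusted range.
        elif r.get("status") == "success":
            if len(q) >= FAIL_THRESHOLD:
                findings.append(("brute_force_success", f'{r.get("user")} from {src} after {len(q)} failures'))
            elif not is_trusted(src):
                findings.append(("admin_login_untrusted_source", f'{r.get("user")} from {src}'))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOGS):
        print(f"{indicator}: {detail}")
```

Run it over a syslog export or the device’s own event log dump; a hit on `unauthorised_admin_created` or `brute_force_success` is the kind of evidence that should be preserved before any factory reset, and a `login_burst` with no success is still worth correlating against the other edge devices that share the same credentials.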

Finally, the NCSC stressed that re-commissioned devices should run the latest firmware, use strong and unique administrator passwords, have multi-factor authentication (MFA) enabled, and not expose their management interfaces to the internet. Customers should also consider enabling PBKDF2-based password hashing for administrator accounts where their FortiOS version supports it, so that a stolen configuration yields hashes that are far more expensive to brute-force.

With the fallout from the FortiBleed breach still unfolding, organisations running Fortinet devices should treat the guidance above as urgent rather than optional. The incident is a reminder that edge devices are a favoured target and that their credentials, configurations and logs need the same protection and monitoring as any other critical system.
