
CISA warns Fortinet users to secure devices after FortiBleed leak

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged Fortinet customers to protect their devices after nearly 74,000 firewall and VPN credentials were exposed in a data breach dubbed “FortiBleed.”

The warning comes after threat actors used compromised credentials to target Internet-accessible Fortinet devices at government and private organizations around the world.

“CISA is aware of global reports that malicious cyber actors have targeted Fortinet’s Internet-accessible services across government and private organizations using compromised credentials,” it said. “The project, called FortiBleed, involves the disclosure of leaked information related to nearly 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways.”


The agency asked owners of affected FortiGate appliances to terminate all SSL VPN and management sessions, reset all VPN and administrator passwords, enable phishing-resistant multifactor authentication, and review logs for signs of unauthorized access or lateral movement.

CISA also advises Fortinet customers to store administrative credentials using a modern password-hashing algorithm such as PBKDF2 (Password-Based Key Derivation Function 2), to keep management interfaces off the public Internet, and to remove any unauthorized accounts, reducing the attack surface as far as possible.
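The log review CISA asks for, as an added example that is not from the article, CISA or Fortinet: a small Python triage script that reads FortiGate SSL VPN event logs and flags the patterns that follow a credential leak of this kind, namely many failures from one source, one source cycling through several usernames, a successful login from a source that had just been failing (a credential-stuffing hit), and logins for accounts outside an approved list. The sample lines are constructed by hand in the FortiOS key=value syslog style; the field names and the action values "ssl-login-fail" and "tunnel-up" are assumed from that style, and exact logids and messages vary by FortiOS version. The thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FortiOS key=value syslog style; these are
# not real FortiGate logs. Field names and the action values "ssl-login-fail"
# and "tunnel-up" are assumed from that style. Lines are in time order.
SAMPLE_LOGS = "\n".join(
    [
        'date=2025-03-10 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.10 reason="sslvpn_login_permission_denied"',
        'date=2025-03-10 time=08:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.10 reason="sslvpn_login_permission_denied"',
        'date=2025-03-10 time=08:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.10 reason="sslvpn_login_permission_denied"',
        'date=2025-03-10 time=08:00:04 type="event" subtype="vpn" action="tunnel-up" user="dave" remip=203.0.113.10 tunnelip=10.212.134.200',
    ]
    # six failures against the same account from one source: brute force
    + [
        f'date=2025-03-10 time=08:01:{s:02d} type="event" subtype="vpn" '
        f'action="ssl-login-fail" user="admin" remip=198.51.100.7 '
        f'reason="sslvpn_login_permission_denied"'
        for s in range(6)
    ]
    + [
        'date=2025-03-10 time=08:05:00 type="event" subtype="vpn" action="tunnel-up" user="svc_backup" remip=192.0.2.55 tunnelip=10.212.134.201',
        'date=2025-03-10 time=08:06:00 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=192.0.2.20 tunnelip=10.212.134.202',
        # non-VPN event, skipped by the analysis
        'date=2025-03-10 time=08:07:00 type="event" subtype="system" action="login" user="admin" status="success"',
    ]
)

# Approved VPN accounts (hypothetical); anything else logging in is a finding.
KNOWN_USERS = {"alice", "bob", "carol", "dave", "admin"}

# key=value pairs; values are either a quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one key=value syslog line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(log_text, known_users, fail_threshold=5, spray_threshold=3):
    """Walk SSL VPN events in order and collect the suspicious patterns."""
    fails_by_ip = defaultdict(int)   # failed logins per source address
    users_by_ip = defaultdict(set)   # distinct usernames tried per source
    findings = {
        "brute_force": set(),    # sources with >= fail_threshold failures
        "spray": set(),          # sources trying >= spray_threshold accounts
        "stuffing_hits": [],     # (user, ip, prior failures) successes after failures
        "unknown_users": [],     # (user, ip) logins by accounts not in known_users
    }
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn":
            continue
        ip, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if action == "ssl-login-fail":
            fails_by_ip[ip] += 1
            users_by_ip[ip].add(user)
        elif action == "tunnel-up":
            if user not in known_users:
                findings["unknown_users"].append((user, ip))
            if fails_by_ip.get(ip, 0):
                # a success from a source that was just failing: leaked or
                # guessed credentials finally matched an account
                findings["stuffing_hits"].append((user, ip, fails_by_ip[ip]))
    for ip, n in fails_by_ip.items():
        if n >= fail_threshold:
            findings["brute_force"].add(ip)
        if len(users_by_ip[ip]) >= spray_threshold:
            findings["spray"].add(ip)
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOGS, KNOWN_USERS).items():
        print(f"{kind}: {sorted(hits, key=str) if hits else 'none'}")
```

Replace SAMPLE_LOGS with a syslog export from the appliance to run it on real data; the stuffing-hit check depends on events being in chronological order, so sort the export by timestamp first if the collector interleaves sources.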

Credentials for over 73K firewalls exposed

The FortiBleed data leak was discovered by security researcher Volodymyr "Bob" Diachenko, who found an exposed server containing what appeared to be valid Fortinet VPN credentials: usernames, email addresses, and passwords tied to 73,932 firewall URLs around the world.

The dataset also included each organization's industry, revenue, and number of employees, which Diachenko said appeared to have been compiled to help plan follow-on attacks.

Threat intelligence firm Hudson Rock, which also analyzed the dataset, described it as one of the largest known collections of compromised Fortinet credentials, covering 21,632 unique domains and 194 countries.

Among the organizations represented in the dataset are Samsung, Mercedes-Benz, Foxconn, Chevron, Comcast, AT&T, and Toyota, as well as numerous government agencies and critical infrastructure operators across the telecommunications, healthcare, financial, and manufacturing industries.

The highest number of affected devices were from India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.

Fortinet credentials found on the exposed server (Volodymyr Diachenko)

Data leak linked to Russian-speaking threat group

Diachenko also said the operation was carried out by a Russian-speaking threat group that is said to have made nearly 1.16 billion attempts against more than 320,000 FortiGate targets to intercept SSL VPN authentication hashes. The source of the configuration data remains unknown.

Cybersecurity expert Kevin Beaumont also independently verified the authenticity of some of the claims and noted that most of the affected devices remain online.

“The data is legitimate. It’s 75k devices. Almost all are still online, and Fortinet devices. It seems to be the latest data,” Beaumont said, adding that the leaked data appears to be from Fortinet’s configuration files.

However, the source of the data remains unknown, and it is unclear whether it was stolen by exploiting a previously disclosed Fortinet vulnerability, a newly discovered security flaw, or some other method.

Hudson Rock has also developed a free FortiBleed scan tool to help organizations check if they are affected.

On Monday, threat intelligence firm Defused also reported that several vulnerabilities in Fortinet's FortiSandbox threat detection platform are now being exploited in attacks. In total, CISA has tracked 26 Fortinet security flaws exploited in the wild in recent years, 13 of which were used in ransomware attacks.
