Cybercriminals have compromised tens of thousands of Fortinet firewalls and VPNs used by major companies around the world, according to two cybersecurity firms.
The ongoing hacking campaign, which has been dubbed FortiBleed, does not appear to involve the exploitation of an unknown vulnerability in the targeted devices, but rather a more basic problem: companies not changing firewall passwords, or not checking that the credentials they use for sensitive, internet-exposed systems are not already known to hackers.
In this campaign, hackers first use automated tools to scan the internet for exposed Fortinet firewalls and VPNs. They then break into the devices using lists of previously known passwords. From there, the cybercriminals can steal more sensitive data from victim companies, cybersecurity firms Hudson Rock and SOCRadar wrote in reports published this week.
“Once a device is compromised, [the hackers] use it as a listening post, monitoring the traffic that comes through and collecting any additional credentials that flow through. These newly collected passwords are then fed into the scanner to hack even more devices. The system is self-powered,” wrote SOCRadar.
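The pattern the two firms describe, scanning for exposed devices and trying previously leaked passwords against them, leaves a recognizable trace in authentication logs: one source address failing against many different usernames, and a successful login from a source that had just been failing. The following Python script is an added illustration of how a defender might flag that trace; it is not code from Hudson Rock, SOCRadar or Fortinet. The log lines are constructed for the example, in a simplified key=value style loosely modelled on firewall event logs, and the field names (`action`, `user`, `remip`) and the threshold of three distinct usernames are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data). The key=value layout and the
# field names are illustrative assumptions, not a vendor's exact schema.
# Lines are assumed to be in chronological order.
SAMPLE_LOG = """\
date=2025-01-08 time=09:00:01 type=event subtype=vpn action=ssl-login-fail user=alice remip=198.51.100.7
date=2025-01-08 time=09:00:02 type=event subtype=vpn action=ssl-login-fail user=bob remip=198.51.100.7
date=2025-01-08 time=09:00:03 type=event subtype=vpn action=ssl-login-fail user=carol remip=198.51.100.7
date=2025-01-08 time=09:00:04 type=event subtype=vpn action=ssl-login-fail user=dave remip=198.51.100.7
date=2025-01-08 time=09:00:05 type=event subtype=vpn action=tunnel-up user=erin remip=198.51.100.7
date=2025-01-08 time=09:05:00 type=event subtype=vpn action=ssl-login-fail user=alice remip=203.0.113.9
date=2025-01-08 time=09:05:30 type=event subtype=vpn action=tunnel-up user=alice remip=203.0.113.9
date=2025-01-08 time=10:00:00 type=event subtype=vpn action=tunnel-up user=frank remip=192.0.2.44
"""

# Matches key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_credential_stuffing(log_text, min_distinct_users=3):
    """
    Scan VPN authentication events and return two findings:
      'spraying_sources': source IPs that failed against at least
                          min_distinct_users different usernames
      'fail_then_success': (source, user) pairs where a login succeeded from a
                          source that had already produced login failures,
                          the signature of a leaked password finally working
    """
    failed_users_by_src = defaultdict(set)
    sources_with_failures = set()
    successes_after_failure = []

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn":
            continue
        src, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if action == "ssl-login-fail":
            failed_users_by_src[src].add(user)
            sources_with_failures.add(src)
        elif action == "tunnel-up" and src in sources_with_failures:
            successes_after_failure.append((src, user))

    spraying = sorted(
        src for src, users in failed_users_by_src.items()
        if len(users) >= min_distinct_users
    )
    return {
        "spraying_sources": spraying,
        "fail_then_success": successes_after_failure,
    }


if __name__ == "__main__":
    findings = find_credential_stuffing(SAMPLE_LOG)
    for src in findings["spraying_sources"]:
        print(f"possible credential stuffing from {src}")
    for src, user in findings["fail_then_success"]:
        print(f"success after failures: {user} from {src}")
```

On the constructed sample, the script flags 198.51.100.7 as a source trying many usernames, and two successful logins that followed failures from the same address, which is the point at which an account should be reviewed and its password rotated. Real deployments would feed the same logic from the firewall's actual log export rather than an inline string.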
Fortinet spokeswoman Tiffany Curci told TechCrunch that the company is “aware of a reported third-party credential harvesting campaign targeting Fortinet firewalls and VPN gateways.” Fortinet said that based on the company’s analysis, the data involved is “a re-sharing of data from previous incidents as well as brute force credential enforcement and is not related to any recent incident or advisory.”
Hudson Rock said it found evidence suggesting that more than 73,000 unique Fortinet URLs have been hacked, while SOCRadar put the total number of compromised devices at more than 30,000.
According to Hudson Rock, the companies that have been breached include: Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens and PwC.
A Lenovo spokesperson acknowledged receiving TechCrunch’s request for comment, but did not respond. None of the other companies responded to a request for comment.
According to Hudson Rock and SOCRadar, the countries with the most affected devices are India, the United States, Taiwan and Mexico. But both companies say there are victims around the world. In terms of industries, the most affected are IT services, construction materials and telecommunications, according to Hudson Rock. Among the victims are government agencies, according to SOCRadar. Both cybersecurity firms said the group behind the hacking campaign appears to be Russian-speaking.
The reports by Hudson Rock and SOCRadar are based on the discovery of a list of credentials for Fortinet devices and the companies associated with them. The campaign was first reported by security researcher Bob Diachenko over the weekend. Independent cybersecurity researcher Kevin Beaumont said in a blog post on Wednesday that he had analyzed the data and confirmed that it “is legitimate.”
In recent years, many hacking campaigns have targeted and compromised Fortinet devices, usually by exploiting a vulnerability in those systems. In this case, by contrast, the hackers rely on leaked passwords, a simpler and less sophisticated attack.
Updated with comment from Fortinet.
