One of the largest exposed collections of corporate login credentials in recent years is putting thousands of organizations under pressure. Researchers discovered that attackers gained access to tens of thousands of Fortinet systems and built up a massive database of valid login credentials in the process.
Among the affected organizations are Oracle, Lenovo, FedEx, and even Fortinet itself, according to Ars Technica. The discovery was made by security researcher Bob Diachenko of SecurityDiscovery.com. He managed to gain access to the attackers’ infrastructure and found data on nearly 74,000 compromised Fortinet devices spread across 194 countries. According to Diachenko, the files contained not only usernames and passwords but also additional information about the affected organizations, including industry, revenue, and the number of employees.
Access to Core Systems
The impact appears to extend beyond the compromised firewalls themselves. Independent researcher Kevin Beaumont reports that many compromised systems remain online and that, in several cases, the stolen login credentials appear to be still valid. After gaining access to Fortinet devices, the attackers reportedly went on, in many cases, to compromise central authentication systems such as Microsoft Active Directory and RADIUS servers, which the firewalls use to validate VPN logins.
Security firm Hudson Rock, which also investigated the dataset, describes the situation as exceptional. According to the firm, the attackers have built up a verified collection of active corporate credentials that could grant access to some of the world’s largest companies.
In addition to Oracle, Lenovo, and FedEx, the list of affected parties includes Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture. Furthermore, according to Hudson Rock, the dataset includes various government organizations and critical infrastructure providers.
Particularly concerning is the report that a Turkish defense contractor working for NATO may have fallen victim to a full-scale network breach. Researchers claim that confidential defense documents were stolen in the process.
Automated Attack
According to the researchers, the operation began with large-scale scans for publicly reachable FortiGate systems. The attackers then used an automated platform capable of trying enormous numbers of username and password combinations against them. Once a device was compromised, they harvested the credentials of users authenticating through its VPN.
Hudson Rock states that the group deployed a dedicated GPU cluster to crack the password hashes it captured. It employed a self-learning approach in which previously cracked passwords were used to generate new candidate variants, making the cracking progressively more effective.
Interestingly, according to Diachenko, the attackers made mistakes in their own operational security. This allowed researchers to gain insight into the infrastructure used and determine the scope of the operation.
Diachenko, Beaumont, and Hudson Rock are urging organizations that use Fortinet firewalls to immediately check their environments for unauthorized access. Given the size of the stolen dataset, they believe there is a risk that the data is now also being used by other cybercriminals.
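The attack chain described above (mass scanning, automated password guessing, then a successful VPN login from the same source) leaves a recognisable trace in firewall logs, and checking for it is one concrete way to act on the researchers' advice. The following is an added example, not code from the original article or from any of the researchers named: it parses FortiGate-style key="value" SSL-VPN event lines and flags a successful tunnel from a source IP that shortly beforehand produced a burst of failed logins across several accounts. The log lines are constructed for the example; the field names (`action`, `remip`, `user`, `subtype`) follow the FortiGate convention, but the thresholds, IPs, users and timestamps are assumptions, and real deployments should tune the window and counts to their own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in FortiGate-style key="value" syslog syntax.
# Field names mirror FortiGate SSL-VPN event logs; the IPs, users and times
# are invented for this example.
SAMPLE_LOGS = """\
date=2024-03-01 time=02:14:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="alice" reason="sslvpn_login_permission_denied"
date=2024-03-01 time=02:14:06 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob" reason="sslvpn_login_permission_denied"
date=2024-03-01 time=02:14:09 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="carol" reason="sslvpn_login_permission_denied"
date=2024-03-01 time=02:14:15 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="dave" reason="sslvpn_login_permission_denied"
date=2024-03-01 time=02:14:22 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="erin" reason="sslvpn_login_permission_denied"
date=2024-03-01 time=02:14:30 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="svc_backup" reason="sslvpn_login_permission_denied"
date=2024-03-01 time=02:14:40 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="svc_backup" tunneltype="ssl-tunnel"
date=2024-03-01 time=08:00:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.9 user="carol" reason="sslvpn_login_permission_denied"
date=2024-03-01 time=08:00:30 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.9 user="carol" tunneltype="ssl-tunnel"
"""

# Matches key=value pairs where the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict; adds a datetime under 'ts'
    when both date and time fields are present."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(
            f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S"
        )
    return fields


def detect_spray_then_success(lines, window=timedelta(minutes=10),
                              min_failures=5, min_users=3):
    """Return findings for each successful SSL-VPN tunnel whose source IP,
    within `window` before the success, logged at least `min_failures` failed
    logins or tried at least `min_users` distinct accounts (assumed thresholds)."""
    events = [parse_line(l) for l in lines if l.strip()]
    events = [e for e in events if e.get("subtype") == "vpn" and "ts" in e]
    events.sort(key=lambda e: e["ts"])

    failures = defaultdict(list)   # remip -> [(timestamp, user), ...]
    findings = []
    for e in events:
        ip = e.get("remip")
        if e.get("action") == "ssl-login-fail":
            failures[ip].append((e["ts"], e.get("user")))
        elif e.get("action") == "tunnel-up":
            recent = [(t, u) for t, u in failures[ip] if e["ts"] - t <= window]
            users = {u for _, u in recent}
            if len(recent) >= min_failures or len(users) >= min_users:
                findings.append({
                    "remip": ip,
                    "user": e.get("user"),
                    "ts": e["ts"],
                    "failures": len(recent),
                    "accounts_tried": sorted(users),
                })
    return findings


if __name__ == "__main__":
    for f in detect_spray_then_success(SAMPLE_LOGS.splitlines()):
        print(f"{f['ts']} {f['remip']} logged in as {f['user']} after "
              f"{f['failures']} failures across {f['accounts_tried']}")
```

On the sample data only the first source is flagged: six failures across six accounts followed by a tunnel for `svc_backup`, while the second source (one typo, then a login by the same user) is left alone. A successful login that follows a spray is the point at which the stolen credential became "verified" in the attackers' dataset, so each finding should be treated as a confirmed-valid credential to rotate and, given that the researchers saw pivots into Active Directory and RADIUS, as a starting point for checking those systems for follow-on activity.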