Attention: If your utility uses Fortinet FortiOS SSL VPNs, you are encouraged to review this activity and address accordingly, especially if you haven’t applied security updates since 2018. WaterISAC has previously advised members of active exploitation of the vulnerability referenced in this post (CVE-2018-13379) and urged members to address older patches for Fortinet devices – see (Fortinet FortiOS) Patching Prioritization – When a Zero day is no Longer a Zero Day…it’s time to patch.

A cache of approximately 500,000 Fortinet VPN logins and passwords were recently posted to a cybercriminal online forum. This leak could enable cybercriminals unimpeded network access with valid VPN credentials for the purposes of data exfiltration, to introduce malware, and/or conduct ransomware attacks. The attackers reportedly exploited unpatched Fortinet VPNs last year with a vulnerability that was fixed in 2019 (CVE-2018-13379) to steal the sensitive material – highlighting why patching is important.

The stolen credentials were leaked by a threat actor known as ‘Orange,’ who was previously affiliated with the Babuk Ransomware campaign and is now believed to be part of the Groove ransomware operation. Orange posted the stolen information for free on a new online criminal forum known as RAMP. It is unclear why the threat actor posted the information for free, but experts believe it may have been to promote their criminal services. “The VPN SSL leak was likely accomplished to promote the new RAMP ransomware forum offering a "freebie" for wannabe ransomware operators.” according to Vitali Kremez, CTO at Advanced Intel.

If your utility uses Fortinet VPN servers, WaterISAC recommends forcing a password reset of all users, checking your logs for possible intrusions, and updating your Fortinet VPN with the latest security updates. Read more at BleepingComputer.