They were posted for free by former Babuk gang members who’ve bickered, squabbled and huffed off to start their own darn ransomware businesses, dagnabbit.

Credentials pilfered from 87,000 unpatched Fortinet SSL-VPNs have been posted online, the company has confirmed.

Or then again, maybe the number is far greater. On Wednesday, BleepingComputer reported that it’s been in touch with a threat actor who leaked a list of nearly half a million Fortinet VPN credentials, allegedly scraped from exploitable devices last summer.

The news outlet has analyzed the file and reported that it contains VPN credentials for 498,908 users over 12,856 devices. BleepingComputer didn’t test the credentials but said that all of the IP addresses check out as Fortinet VPN servers.

Infosec Insiders Newsletter

According to analysis done by Advanced Intel, the IP addresses are for devices worldwide. As the chart below shows, there are 22,500 victimized entities located in 74 countries, with 2,959 of them being located in the US.

The geographical distribution of the Fortinet VPN SSL list. Source: Advanced Intel.

UPDATE:  Threatpost reached out to Fortinet for  clarification on how many devices were compromised. A spokesperson’s reply  reiterated the statement put out on Wednesday:

“The security of our customers is our first priority. Fortinet is aware that a malicious actor has disclosed on a dark web forum, SSL-VPN credentials to access FortiGate SSL-VPN devices.  The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019.  Since May 2019, Fortinet has continuously communicated with customers urging the implementation of mitigations, including corporate blog posts in August 2019July 2020April 2021 and June 2021 For more information, please refer to our latest blog and PSIRT advisory.  We strongly urge customers to implement both the patch upgrade and password reset as soon as possible.”

A Creaky Old Bug Was Exploited

On Wednesday, the company confirmed that the attackers exploited FG-IR-18-384 / CVE-2018-13379: a path traversal weakness in Fortinet’s FortiOS that was discovered in 2018 and which has been repeatedly, persistently exploited since then.

Using the leaked VPN credentials, attackers can perform data exfiltration, install malware and launch ransomware attacks.

The bug, which recently made it to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) list of the top 30 most-exploited flaws, lets an unauthenticated attacker use specially crafted HTTP resource requests in order to download system files under the SSL VPN web portal.

Fortinet fixed the glitch in a May 2019 update (and has since then repeatedly urged customers to upgrade their devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above). But even if security teams patched their VPNs, if they didn’t also reset the devices’ passwords at the same time, the VPNs still might be vulnerable.

All in the Babuk Family

According to BleepingComputer, a threat actor known as Orange – the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk ransomware operation – was behind the leak of Fortinet credentials.

Orange, who reportedly split off from Babuk after gang members quarreled, is believed to now be in with the new Groove ransomware operation. On Tuesday, Orange created a post on the RAMP forum with a link to a file that allegedly contained thousands of Fortinet VPN accounts.

At the same time, a post promoting the Fortinet leak appeared on Groove’s data leak site.

Groove is a new ransomware gang that’s been active just since last month. It favors the double extortion model of combining data compromise with threats to publish seized data.

According to a Wednesday post co-authored by researchers from Intel471 and McAfee Enterprise Advanced Threat Research (ATR), with contributions from Coveware, McAfee Enterprise ATR said that it believes with high confidence that Groove is associated with the Babuk gang, either as a former affiliate or subgroup.

Chatting Up the Ransomware ‘Artist’

On Tuesday, one of the Groove gang’s members decided to chat up Advanced Intel researchers, to give them an insider’s take on how the new ransomware syndicate was formed and how it recruits operators. That included “the ‘truth’ about the association of Babuk, DarkSide and BlackMatter, and other insights on the inner relationships within the ransomware community,” as researchers Yelisey Boguslavskiy and Anastasia Sentsova explained.

According to their writeup, the Groove representative is likely a threat actor that goes by “SongBird”. The researchers described SongBird as a known character, being a former Babuk ransomware operator and creator of the RAMP forum – which was launched on July 11 and which caters to top ransomware operators plotting their attacks.

The screen capture below shows Advanced Intel’s translation of SongBird’s explanation of the platform: “RAMP is the result of my year-long work of manipulation by top journalists and media such as Bloomberg and others. I spent quite some time to promote this domain and I am very proud for all of the work I did! I declare this forum is a work of art!”

According to Advanced Intel, RAMP was initially based on the former Babuk’s data leak website domain but has since relocated to a new domain.

SongBird was reportedly prompted to pull off their tell-all after the disclosure of Babuk’s source code. The source code was uploaded to VirusTotal in July, making it available to all security vendors and competitors. At the time, it wasn’t clear how it happened, though Advanced Intel said on Wednesday that the code release was done by an actor using the alias DY-2.

The code release had repercussions, Advanced Intel said. “The incident caused a massive backlash from the underground community which once again provoked the release of the blog by SongBird,” according to the report.

SongBird told the researchers that the actor wanted to address “the issue of constant misinformation and misreporting originating from the Twitter community covering the ransomware subject.”

The actor denied any associations between DarkSide and BlackMatter, with the exception of both ransomware strains sharing the same source code: a circumstance that means the code “most likely has been purchased from one of the DarkSide affiliates,” SongBird wrote.

How to Protect Your VPN

You can check Fortinet’s advisory for a list of versions affected by the oft-exploited vulnerability that was at the heart of this credential scraping. Fortinet had the following recommendations for organizations that may have been running an affected version “at any time”:

  1. Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.
  2. Immediately upgrade affected devices to the latest available release, as detailed below.
  3. Treat all credentials as potentially compromised by performing an organization-wide password reset.
  4. Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
  5. Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.

Rajiv Pimplaskar, Veridium chief revenue officer, told Threatpost that the breach is “a stark reminder of today’s dangers with password-based systems. While enterprises and users are starting to adopt passwordless authentication methods like ‘phone as a token’ and FIDO2 for customer and Single Sign On (SSO) portals and enterprise applications, vulnerabilities still exist across entire categories of cases such as, 3rd party sites, VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure) environments, all of which are particularly vulnerable in the current WFH explosion.

“Companies need to adopt a more holistic modern authentication strategy that is identity provider agnostic and can operate across all use cases in order to build true resiliency and ensure cyber defense against such actors,” he concluded.

It’s time to evolve threat hunting into a pursuit of adversaries. JOIN Threatpost and Cybersixgill for Threat Hunting to Catch Adversaries, Not Just Stop Attacks and get a guided tour of the dark web and learn how to track threat actors before their next attack. REGISTER NOW for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.