Massive breach exposes credentials for thousands of sensitive networks

Summary
– A massive breach of Fortinet firewalls has compromised nearly 74,000 devices across 194 countries, exposing plaintext credentials of major organizations like Oracle, Chevron, and Lenovo.
– The exposed data includes industry, revenue, and employee counts for each compromised organization, found by researcher Bob Diachenko on the attackers’ command-and-control server.
– Attackers gained near-unrestricted access to affected organizations, often reaching centralized authentication systems like RADIUS servers and Microsoft Active Directory.
– The compromised devices represent roughly half of all Internet-facing Fortinet firewalls, and “almost all” remained online as of Wednesday morning.
– The attackers used a custom binary with 25,000 threads to mass-scan FortiGate endpoints and spray them with login combinations, creating a network tap inside each organization.
Cybersecurity researchers have uncovered a massive breach of Fortinet firewalls that has granted a Russian-speaking threat actor near-total access to some of the world’s most powerful organizations. The compromised entities include Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor, and even Fortinet itself.
Security researcher Bob Diachenko, head of SecurityDiscovery.com, revealed that nearly 74,000 Fortinet devices from over 21,000 IP addresses across 194 countries have been breached, with their plaintext credentials exposed online. Diachenko said he obtained the data by infiltrating the attackers’ command-and-control server and supporting infrastructure. The exposed information also includes each organization’s industry, revenue, and employee count.
The scale of the operation is extraordinary, and the attackers’ operational security was poor enough that a researcher could pull the full victim list from their own infrastructure. Independent researcher Kevin Beaumont reported that “almost all” of the compromised devices remained online as of Wednesday morning. He confirmed with multiple organizations found in the logs that the credentials are both real and current. In many cases, after breaching the firewalls, the attackers accessed the victims’ centralized authentication systems, such as RADIUS servers and Microsoft Active Directory. That follows directly from how these firewalls are deployed: when a FortiGate authenticates VPN or admin logins against a directory, a password that works on the firewall is usually a domain credential that works elsewhere too. Based on Shodan polling, the number of compromised devices accounts for roughly half of all Internet-facing Fortinet firewalls.
“The scale of this breach touches nearly every sector of the global economy, sparing no industry,” wrote researchers from Hudson Rock, a security firm that also analyzed the data. “The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.”
Diachenko, Beaumont, and Hudson Rock all urged Fortinet users to immediately investigate their networks for signs of compromise. Hudson Rock has provided a search engine for locating affected domains.
The method behind the operation was both systematic and aggressive. Diachenko said the criminally motivated threat actor began by mass-scanning the Internet for FortiGate remote login endpoints. They then deployed a custom binary with 25,000 threads to spray hundreds of thousands of those endpoints with thousands of login and password combinations. Successful attempts gave the attackers a network tap inside the organization, effectively bypassing perimeter defenses.
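The spraying pattern described above leaves a characteristic trace in the firewall's own event log: one source producing failed logins against many different usernames in a short window, as opposed to a brute-force attempt that hammers a single account. The following Python detector is an added example, not code from the article or from the researchers it cites. It runs over constructed FortiGate event-log lines: the `key="value"` layout and field names (`date`, `time`, `logid`, `action`, `remip`, `srcip`, `user`, `status`) follow FortiGate's syslog conventions, but the specific log IDs and message strings are assumptions to be checked against the log reference for your firmware, and every IP address, username and timestamp is made up.

```python
"""Detect password spraying against a FortiGate from its key="value" event log.

Added example. The log lines are constructed; logid values and message strings
are assumed to match FortiGate's SSL-VPN and admin-login events and should be
verified against the vendor log reference for the firmware in use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiGate emits space-separated key=value pairs; values are usually quoted.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def is_failed_login(ev):
    """SSL-VPN login failure, or admin login with status=failed (both assumed)."""
    if ev.get("action") == "ssl-login-fail":
        return True
    return ev.get("action") == "login" and ev.get("status") == "failed"


def source_ip(ev):
    # VPN events carry remip; admin login events carry srcip.
    return ev.get("remip") or ev.get("srcip")


def detect_spray(lines, window=timedelta(minutes=10), min_users=5, min_attempts=10):
    """Per-source sliding-window detection.

    A source is flagged when, within `window`, it fails at least `min_attempts`
    logins across at least `min_users` distinct usernames. Brute force gives many
    attempts but one user; spraying gives many users, so the distinct-user count
    is the discriminating signal. Returns {ip: {"attempts": n, "users": [...]}}
    for the densest qualifying window per source.
    """
    events = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in lines:
        ev = parse_fortigate_line(line)
        if not is_failed_login(ev):
            continue
        ip = source_ip(ev)
        if not ip or "date" not in ev or "time" not in ev:
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        events[ip].append((ts, ev.get("user", "")))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_attempts and len(users) >= min_users:
                if best is None or len(span) > best["attempts"]:
                    best = {"attempts": len(span), "users": sorted(users)}
        if best:
            alerts[ip] = best
    return alerts


def _sslvpn_fail(ts, ip, user):
    """Constructed SSL-VPN login-failure line (logid/msg assumed)."""
    return (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} logid="0101039426" type="event" '
            f'subtype="vpn" level="alert" logdesc="SSL VPN login fail" '
            f'action="ssl-login-fail" tunneltype="ssl-web" remip="{ip}" user="{user}" '
            f'reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"')


def sample_log():
    """Constructed log: one sprayer, one single-account brute-forcer, one legit user."""
    t0 = datetime(2024, 1, 15, 3, 12, 0)
    lines = []
    # Sprayer: eight usernames from one IP, seconds apart. (The 25,000-thread
    # binary in the article would be far faster and spread across many sources.)
    users = ["admin", "vpn", "jsmith", "mlee", "backup", "svc_scan", "it", "test"]
    for i in range(12):
        lines.append(_sslvpn_fail(t0 + timedelta(seconds=5 * i), "203.0.113.7", users[i % 8]))
    # The same sprayer also tries the admin GUI (constructed admin-login failure line).
    ta = t0 + timedelta(seconds=60)
    lines.append(f'date={ta:%Y-%m-%d} time={ta:%H:%M:%S} logid="0100032002" type="event" '
                 f'subtype="system" level="alert" logdesc="Admin login failed" user="admin" '
                 f'ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" '
                 f'status="failed" reason="name_invalid" msg="Administrator admin login failed"')
    # Brute force: one IP, one account, 15 attempts.
    for i in range(15):
        lines.append(_sslvpn_fail(t0 + timedelta(seconds=3 * i), "198.51.100.9", "admin"))
    # Legitimate user: two typos, then a successful login (logid assumed).
    lines.append(_sslvpn_fail(t0, "192.0.2.5", "jsmith"))
    lines.append(_sslvpn_fail(t0 + timedelta(seconds=20), "192.0.2.5", "jsmith"))
    lines.append('date=2024-01-15 time=03:12:40 logid="0101039424" type="event" subtype="vpn" '
                 'level="information" logdesc="SSL VPN login" action="ssl-login" '
                 'tunneltype="ssl-web" remip="192.0.2.5" user="jsmith" msg="SSL user logged in"')
    return lines


if __name__ == "__main__":
    for ip, a in detect_spray(sample_log()).items():
        print(f'{ip}: {a["attempts"]} failed logins across {len(a["users"])} users: {a["users"]}')
```

Two caveats for using this on real data. First, a per-source threshold only catches a sprayer that reuses an IP; a distributed spray with one attempt per address needs the same logic keyed on the target username (or on the firewall as a whole) rather than on `remip`. Second, when the FortiGate forwards authentication to RADIUS or Active Directory, as the article notes many victims did, every one of these failures also reaches the directory, so the same spray shows up as RADIUS rejects or Windows 4625 events and can lock out the very accounts it is probing; correlate both sides rather than trusting the firewall log alone.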
(Source: Ars Technica)
