According to analysts, the attackers collected credentials by exploiting a weakness in FortiOS SSL VPN.
On the underground RAMP forum, approximately 500,000 Fortinet VPN device credentials are available for free. The leaker is identified as ‘Orange,’ a forum administrator and former member of the extortionist gang Babuk who departed amid conflicts between its members. Orange is now thought to be associated with the new Groove ransomware campaign.
The released file comprises VPN credentials for 498,908 users on 12,856 devices in total. According to Advanced Intel, affected devices can be found all over the world, with the majority of them in India, Taiwan, France, Italy, Israel, Mexico, Brazil, Singapore, and China.
Experts think the attackers collected credentials by exploiting a directory traversal vulnerability (CVE-2018-13379) in FortiOS SSL VPN.
At this moment, the motive for publishing the credentials is unclear. According to information security experts, this might be an attempt to promote RAMP and the Groove RaaS while also attracting new participants.
Groove is a brand-new ransomware gang. So far, its leak site has named only one victim.