NEWS Oracle, Samsung, Siemens and government agencies. Hackers have access to company firewalls in 194 countries

pinkman

A key under the doormat: that, in short, is how thousands of Fortune 500 companies “protected” their corporate networks.
Large companies around the world may have spent years guarding doors to which the attackers already had the keys. Experts reported on the large-scale FortiBleed campaign, during which cybercriminals gained access to tens of thousands of Fortinet FortiGate firewalls and VPN gateways.

The attack does not rely on exploiting a new, unknown vulnerability. The scheme is simpler and more dangerous: attackers look for Fortinet devices exposed on the Internet, then try previously leaked or guessed passwords. Once they are in, the compromised gateway begins to listen to traffic. Through it, the attackers collect new accounts and use the fresh passwords for further attacks.

Hudson Rock claims to have found signs of compromise at 73 932 unique firewall addresses in 194 countries. SOCRadar estimates the number of affected devices at more than 30 000. The data found includes 21 632 domains, and the potentially affected organizations named include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, PwC, government agencies and critical infrastructure operators. Specialists have developed a free tool to check whether the FortiBleed vulnerability has affected a specific organization.

The largest numbers of affected devices, according to Hudson Rock, are in India, the USA, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile and the United Arab Emirates. Among industries, telecommunications, information services, the financial sector, government organizations, healthcare, education and industry appear most often.

Security specialist Bob Dyachenko was the first to report the leak. He found an open server with a database in which usernames, email addresses and passwords were stored in plaintext. According to him, the attackers could have made about 1.16 billion login attempts against 320 777 FortiGate targets and another 2.1 billion attempts against 163 650 Microsoft SQL Server servers. Dyachenko also claims that the server held service files, logs, scripts and other traces of the group.

Independent specialist Kevin Beaumont checked part of the data set and said that the data looks real. According to him, the database covers about 75 000 Fortinet devices, and almost all of them are still reachable from the Internet. He also suggested that some of the information could have been taken from exported Fortinet settings, since the data set contains data that is usually found in configuration files. The exact method by which the original database was obtained is still unknown.

Fortinet said it was aware of a third-party campaign that steals accounts and targets the company’s firewalls and VPN gateways. According to Fortinet, the published data set is the result of attackers re-publishing data from old incidents and brute-forcing passwords, not of a new vulnerability, a recent hack or a fresh security bulletin.

Experts advise companies to immediately change the passwords for Fortinet administrative interfaces and VPNs, enable multi-factor authentication, check the logs for suspicious activity and separately track whether employee accounts appear in other leaks.
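
The log check recommended above, as an added example that is not part of the original post: Python that flags sources with repeated failed logins and any account that then logged in successfully from the same source, which is the password-guessing pattern the article describes. The log lines are constructed, and the field names (`srcip`, `user`, `action`, `status`) and the threshold are assumptions to map onto your device's actual log schema.

```python
import re
from collections import defaultdict

# Constructed sample events in a key=value style. The field names are
# assumptions, not a vendor schema; addresses are documentation ranges.
SAMPLE_LOG = '''\
date=2025-01-10 time=03:14:01 srcip=203.0.113.7 user="admin" action="login" status="failed"
date=2025-01-10 time=03:14:02 srcip=203.0.113.7 user="root" action="login" status="failed"
date=2025-01-10 time=03:14:03 srcip=203.0.113.7 user="backup" action="login" status="failed"
date=2025-01-10 time=03:14:04 srcip=203.0.113.7 user="svc_vpn" action="login" status="failed"
date=2025-01-10 time=03:14:05 srcip=203.0.113.7 user="svc_vpn" action="login" status="failed"
date=2025-01-10 time=03:14:09 srcip=203.0.113.7 user="svc_vpn" action="login" status="success"
date=2025-01-10 time=08:30:11 srcip=198.51.100.20 user="jsmith" action="login" status="failed"
date=2025-01-10 time=08:30:25 srcip=198.51.100.20 user="jsmith" action="login" status="success"
date=2025-01-10 time=09:02:40 srcip=192.0.2.50 user="admin" action="login" status="success"
'''

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def find_guessing(log_text, min_failures=5):
    """Report sources with >= min_failures failed logins. 'compromised' lists
    accounts that logged in from that source after the threshold was reached;
    those passwords should be treated as known to the attacker and rotated."""
    fails, tried, hits = defaultdict(int), defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("action") != "login":
            continue
        src, user = ev.get("srcip"), ev.get("user")
        if ev.get("status") == "failed":
            fails[src] += 1
            tried[src].add(user)
        elif ev.get("status") == "success" and fails[src] >= min_failures:
            hits[src].append(user)
    return {s: {"failures": n, "users_tried": sorted(tried[s]), "compromised": hits[s]}
            for s, n in fails.items() if n >= min_failures}

if __name__ == "__main__":
    for src, info in find_guessing(SAMPLE_LOG).items():
        print(src, info)
```

A single mistyped password followed by a success (the `jsmith` lines) stays below the threshold and is not reported.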