Reflecting on the Fortinet VPN victim exposure

Lists of Fortinet VPN systems that had been historically compromised were shared on underground sources between 2021-08-31 and 2021-09-07. I identified the victim list files (2021-09-06) and began parsing them into a clearer format that was later published to help blue teamers globally (2021-09-08), improving the time-to-response (TTR) of this global incident. The list was spread via social media and news outlets.

The theory that these Fortinet systems were previously compromised, sometime between 2020 and 2021, is confirmed by a Fortinet PSIRT advisory:

These credentials were obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable.

These victim list files were first observed (2021-08-31) being shared on RAMP Forum (private source) by a moderator, with their associated usernames and passwords. The files were later observed (2021-09-07) being shared on the Groove ransom extortion website (public source). The list was then publicized by Bleeping Computer (2021-09-08), which is when most cybersecurity professionals began seeking the victim list to identify whether they were impacted.

Actor attribution:
  • The list was first released on RAMP Forum and later released on the Groove ransom extortion website.
    • RAMP Forum is very private, and a warning was given not to share the files. Despite this warning, a week later Groove publicly shared the file on their ransom extortion website.
  • The file host infrastructure used to host the Fortinet data, shared on RAMP Forum, is also used by the following ransom groups: Groove, Babuk, BlackMatter.
    • The shared infrastructure used by these groups is very suspicious and raises the question of how closely they all work together, or to what extent they share "colleagues" across their families.
    • It is plausible that all threat groups involved are renting infrastructure from the same hosting provider(s), meaning that attempting to attribute all of the ransom groups to the same threat actors is not a reliable approach.
  • It is plausible that the "good credentials" were already used by ransom groups, considering that many of the victim IP addresses correlated with incident response engagements where the Fortinet VPN was the initial access vector throughout 2020 and 2021. This release may have been a publicity stunt.
    • It is believed that this entire event was an intentional publicity stunt by the involved threat actors; since the initial launch of RAMP Forum, multiple efforts to manipulate the media have occurred, several times as a joke (e.g., pretending that Chinese and Russian threat actors were collaborating on RAMP Forum to garner controversy).

Event timeline:

  • 2021-08-31:
    • Dark web forum moderator shares the files
      • A member of RAMP Forum, a moderator, is first observed distributing the list.
      • The victim list is released as "closed source intelligence".
  • 2021-09-05:
    • Becoming aware from an associate's tip
      • I was tipped by a contact in my Human Intelligence (HUMINT) network, pointing me to the file host. This is the first time I became aware of the exposed files.
  • 2021-09-06:
    • Downloading and parsing the original files
      • I download the files.
      • I link reverse DNS entries to the IP addresses and spread them to assist cyber response efforts in Canada (and other associates globally). I originally used the public API from Project Crobat (Omnisint) to identify the reverse DNS entries, which leverages Rapid7's Project Sonar dataset.
  • 2021-09-07:
    • Ransom extortion site shares files
      • The Groove ransom extortion website publicly releases the list, pointing to the same file host URL that was first shared on RAMP Forum.
      • The victim list becomes "open source intelligence".
  • 2021-09-08:
    • Public reporting and parsed list release
      • Bleeping Computer publicizes the leak; most cybersecurity professionals begin seeking the victim list to identify whether they are impacted.
      • I publish the parsed list to help blue teamers globally.
  • 2021-09-10:
    • List 3 release
      • I noticed that some reverse DNS entries were missing from the original list, which I supplemented by re-running the reverse DNS queries from my own host. A new list was generated with current reverse DNS insights. Usernames and passwords were stripped out for public release, to respect victim privacy.
  Unique IP references by country:
  1. Global unique IP references: 22501
  2. US unique IP references: 2984
  3. JP unique IP references: 1773
  4. IN unique IP references: 1253
  5. TW unique IP references: 964
  6. IT unique IP references: 912
  7. FR unique IP references: 705
  8. AT unique IP references: 698
  9. TR unique IP references: 660
  10. ES unique IP references: 643
  11. TH unique IP references: 593
  12. MX unique IP references: 572
  13. IL unique IP references: 569
  14. CA unique IP references: 567
  15. KR unique IP references: 502
  16. BR unique IP references: 490
  17. SG unique IP references: 470
  18. HK unique IP references: 446
  19. CH unique IP references: 401
  20. CN unique IP references: 385
  21. CO unique IP references: 379
  22. BE unique IP references: 339
  23. MY unique IP references: 337
  24. PE unique IP references: 328
  25. VN unique IP references: 310
  26. AE unique IP references: 286
  27. DE unique IP references: 282
  28. PL unique IP references: 253
  29. CL unique IP references: 249
  30. ZA unique IP references: 246
  31. AU unique IP references: 238
  32. GB unique IP references: 233
  33. ID unique IP references: 214
  34. AR unique IP references: 189
  35. VE unique IP references: 169
  36. PH unique IP references: 153
  37. GT unique IP references: 111
  38. RO unique IP references: 101
  39. NO unique IP references: 98
  40. NZ unique IP references: 94
  41. NL unique IP references: 94
  42. PA unique IP references: 89
  43. PT unique IP references: 85
  44. SA unique IP references: 78
  45. EG unique IP references: 75
  46. PY unique IP references: 74
  47. SE unique IP references: 73
  48. CZ unique IP references: 71
  49. EC unique IP references: 65
  50. HN unique IP references: 63
  51. SV unique IP references: 61
  52. PR unique IP references: 61
  53. GR unique IP references: 61
  54. NI unique IP references: 56
  55. DK unique IP references: 56
  56. IE unique IP references: 51
  57. UY unique IP references: 49
  58. PS unique IP references: 49
  59. KW unique IP references: 49
  60. JO unique IP references: 47
  61. RU unique IP references: 41
  62. LK unique IP references: 38
  63. UA unique IP references: 32
  64. PK unique IP references: 32
  65. NP unique IP references: 32
  66. LB unique IP references: 32
  67. KZ unique IP references: 32
  68. IR unique IP references: 31
  69. CR unique IP references: 30
  70. KE unique IP references: 29
  71. MA unique IP references: 27
  72. JM unique IP references: 27
  73. TN unique IP references: 26
  74. BD unique IP references: 26
  75. NA unique IP references: 25
  76. DO unique IP references: 25
  77. MU unique IP references: 22
  78. MM unique IP references: 20
  79. NC unique IP references: 18
  80. AZ unique IP references: 17
  81. OM unique IP references: 16
  82. KH unique IP references: 16
  83. CY unique IP references: 16
  84. DZ unique IP references: 15
  85. AO unique IP references: 13
  86. MO unique IP references: 12
  87. QA unique IP references: 11
  88. LU unique IP references: 11
  89. KY unique IP references: 11
  90. FI unique IP references: 11
  91. BW unique IP references: 11
  92. SK unique IP references: 10
  93. HU unique IP references: 10
  94. CI unique IP references: 10
  95. BO unique IP references: 10
  96. AD unique IP references: 10
  97. MC unique IP references: 9
  98. AL unique IP references: 9
  99. HR unique IP references: 8
  100. ZW unique IP references: 7
  101. GN unique IP references: 7
  102. GH unique IP references: 7
  103. ZM unique IP references: 6
  104. SN unique IP references: 6
  105. PF unique IP references: 6
  106. NG unique IP references: 6
  107. ML unique IP references: 6
  108. IQ unique IP references: 6
  109. FJ unique IP references: 6
  110. BY unique IP references: 6
  111. BN unique IP references: 6
  112. BG unique IP references: 6
  113. TT unique IP references: 5
  114. RS unique IP references: 5
  115. ME unique IP references: 5
  116. EE unique IP references: 5
  117. CW unique IP references: 5
  118. BH unique IP references: 5
  119. BB unique IP references: 5
  120. BA unique IP references: 5
  121. SI unique IP references: 4
  122. SC unique IP references: 4
  123. MT unique IP references: 4
  124. MQ unique IP references: 4
  125. MN unique IP references: 4
  126. LC unique IP references: 4
  127. UG unique IP references: 3
  128. TZ unique IP references: 3
  129. RE unique IP references: 3
  130. MZ unique IP references: 3
  131. BT unique IP references: 3
  132. YE unique IP references: 2
  133. VU unique IP references: 2
  134. VG unique IP references: 2
  135. UZ unique IP references: 2
  136. SO unique IP references: 2
  137. MV unique IP references: 2
  138. MG unique IP references: 2
  139. LA unique IP references: 2
  140. HT unique IP references: 2
  141. GP unique IP references: 2
  142. GM unique IP references: 2
  143. GL unique IP references: 2
  144. GE unique IP references: 2
  145. GD unique IP references: 2
  146. DM unique IP references: 2
  147. BQ unique IP references: 2
  148. BF unique IP references: 2
  149. TG unique IP references: 1
  150. TC unique IP references: 1
  151. ST unique IP references: 1
  152. RW unique IP references: 1
  153. NE unique IP references: 1
  154. MD unique IP references: 1
  155. LV unique IP references: 1
  156. LT unique IP references: 1
  157. KG unique IP references: 1
  158. JE unique IP references: 1
  159. IM unique IP references: 1
  160. GU unique IP references: 1
  161. GQ unique IP references: 1
  162. GI unique IP references: 1
  163. GF unique IP references: 1
  164. GA unique IP references: 1
  165. CM unique IP references: 1
  166. CD unique IP references: 1
  167. BZ unique IP references: 1
  168. BS unique IP references: 1
  169. BM unique IP references: 1
  170. BJ unique IP references: 1
  171. AF unique IP references: 1
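The workflow the timeline describes (parse the raw rows, collapse them to unique IPs, attach reverse DNS names, strip usernames and passwords before release, and roll up per-country counts like the list above), written as an added Python example that is not the author's code. The record layout, the GEO table and the injectable `resolver` parameter are assumptions; by default it queries live PTR records with socket.gethostbyaddr, whereas the author used Project Crobat's passive data and later re-ran the queries locally.

```python
import csv
import io
import ipaddress
import socket
from collections import Counter

# Constructed sample rows in an assumed "ip:port,username,password" layout
# (the page does not show the real dump's format); RFC 5737 test addresses.
RAW_LINES = """\
203.0.113.10:10443,vpnuser1,Hunter2!
203.0.113.10:10443,vpnuser2,Spring2021
198.51.100.7:443,admin,Welcome1
192.0.2.55:10443,jsmith,P@ssw0rd
198.51.100.7:443,admin,Welcome1
203.0.113.11:10443,vpnuser3,Autumn2021
not-an-ip,broken,row
"""
# Constructed IP-to-country table standing in for a GeoIP lookup (assumption).
GEO = {"203.0.113.10": "US", "203.0.113.11": "US", "198.51.100.7": "JP", "192.0.2.55": "CA"}

def parse_records(text):
    """Yield (ip, username, password) per well-formed row; skip junk lines."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue
        host = row[0].rsplit(":", 1)[0]  # drop the VPN portal port
        try:
            yield str(ipaddress.ip_address(host)), row[1], row[2]
        except ValueError:
            continue  # not an IP address

def unique_ips(text):
    """Deduplicated victim IPs in numeric order (several users per box collapse to one)."""
    return sorted({ip for ip, _, _ in parse_records(text)}, key=ipaddress.ip_address)

def reverse_dns(ip, resolver=socket.gethostbyaddr):
    """PTR name for an IP, or "" when none; resolver is injectable for offline use."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror is an OSError subclass
        return ""

def sanitized_list(text, resolver=socket.gethostbyaddr):
    """Blue-team release: one row per unique IP with PTR and country, no credentials."""
    return [(ip, reverse_dns(ip, resolver), GEO.get(ip, "??")) for ip in unique_ips(text)]

def per_country(text):
    """Global total followed by per-country unique IP counts, largest first."""
    ips = unique_ips(text)
    return [("Global", len(ips))] + Counter(GEO.get(ip, "??") for ip in ips).most_common()
```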
