Cybercriminals have compromised tens of thousands of Fortinet firewalls and VPNs used by major companies all over the world, according to two cybersecurity firms.
The widespread hacking campaign, which is ongoing and has been dubbed FortiBleed, appears not to involve any unknown vulnerability in the targeted devices, but rather a more basic issue: companies may not be changing the passwords on their firewalls, nor making sure that the credentials they use for sensitive systems exposed on the internet are not already known to hackers.
In this campaign, hackers first use automated tools to scan the internet for exposed Fortinet firewalls and VPNs. They then break into the devices using lists of previously known passwords. From there, the cybercriminals can steal more sensitive data from the victim companies, cybersecurity firms Hudson Rock and SOCRadar wrote in reports published this week.
“Once a device is compromised, [the hackers] use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself,” SOCRadar wrote.
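The pattern the two firms describe, scanning followed by password-list logins and then a successful session from the same source, is what a defender would look for in a firewall's or VPN's authentication log. The script below is an added example for this article, not code from TechCrunch, Hudson Rock, or SOCRadar. It flags a source address that fails many logins or cycles through many usernames within a short window, and notes when that window also contains a successful login. The log format and sample lines are constructed for the example and do not follow any vendor's real log schema; the thresholds are assumptions to be tuned to the environment.

```python
"""Detect credential-stuffing patterns in VPN/firewall authentication logs.

Added example, not from the article or the firms it cites. The log format
and the sample lines are constructed for this example and do not follow any
vendor's real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> <src_ip> <user> <LOGIN_OK|LOGIN_FAIL>"
# 203.0.113.7 walks through six usernames in six seconds and finally succeeds;
# 198.51.100.4 is a normal user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-01-01T09:00:01 203.0.113.7 alice LOGIN_FAIL
2024-01-01T09:00:02 203.0.113.7 bob LOGIN_FAIL
2024-01-01T09:00:03 203.0.113.7 carol LOGIN_FAIL
2024-01-01T09:00:04 203.0.113.7 dave LOGIN_FAIL
2024-01-01T09:00:05 203.0.113.7 erin LOGIN_FAIL
2024-01-01T09:00:06 203.0.113.7 frank LOGIN_OK
2024-01-01T09:10:00 198.51.100.4 alice LOGIN_FAIL
2024-01-01T09:10:30 198.51.100.4 alice LOGIN_OK
"""

# Assumed thresholds; tune them to the real login volume of the device.
WINDOW = timedelta(minutes=5)  # sliding window for counting attempts per source
FAIL_THRESHOLD = 5             # failed logins in the window before alerting
USER_THRESHOLD = 3             # distinct usernames from one source before alerting


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def find_credential_stuffing(log_text, window=WINDOW,
                             fail_threshold=FAIL_THRESHOLD,
                             user_threshold=USER_THRESHOLD):
    """Return a list of (src_ip, reason) alerts, at most one per source.

    An alert fires when, within `window`, one source either fails
    `fail_threshold` or more logins or tries `user_threshold` or more distinct
    usernames. If the same window also holds a successful login, the reason
    says so: that is the case worth an immediate password reset and session
    review, since the attacker now has a working credential.
    """
    events = defaultdict(list)  # src_ip -> [(timestamp, user, result)]
    for line in log_text.strip().splitlines():
        ts, src, user, result = parse_line(line)
        events[src].append((ts, user, result))

    alerts = []
    for src, evs in events.items():
        evs.sort()  # chronological order per source
        for i, (ts, _user, _result) in enumerate(evs):
            # All events from this source within `window` of event i.
            window_evs = [e for e in evs[i:] if e[0] - ts <= window]
            fails = sum(1 for e in window_evs if e[2] == "LOGIN_FAIL")
            users = {e[1] for e in window_evs}
            success = any(e[2] == "LOGIN_OK" for e in window_evs)
            if fails >= fail_threshold or len(users) >= user_threshold:
                reason = f"{fails} failures, {len(users)} usernames"
                if success:
                    reason += ", window also contains a successful login"
                alerts.append((src, reason))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, reason in find_credential_stuffing(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

Running the block on the constructed log prints one alert for 203.0.113.7 and none for the ordinary user; the alert's successful-login note is the signal that matters most, since a device whose admin credential has already been guessed is the one the campaign would next use as a listening post for further credentials.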
Hudson Rock said they found evidence that suggests more than 73,000 unique Fortinet URLs have been hacked, while SOCRadar said the total of hacked devices is more than 30,000.
According to Hudson Rock, the hacked companies include: Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC.
A Lenovo spokesperson acknowledged receipt of TechCrunch’s request for comment but did not respond. None of the other companies responded to a request for comment.
According to both Hudson Rock and SOCRadar, the countries with the most affected devices are India, the United States, Taiwan, and Mexico. But both companies say there are victims all over the world. As for industries, the most affected ones are IT services, construction materials, and telecommunications, according to Hudson Rock. Government agencies are also among the victims, per SOCRadar. Both cybersecurity companies said the group behind the hacking campaign appears to be Russian-speaking.
Fortinet did not respond to a request for comment.
Hudson Rock and SOCRadar’s reports are based on the discovery of a list of credentials for Fortinet devices and associated companies. This hacking campaign was first reported by security researcher Bob Diachenko over the weekend. Independent cybersecurity researcher Kevin Beaumont said in a blog post on Wednesday that he analyzed the data and confirmed the data “is legit.”
In recent years, several hacking campaigns have targeted and compromised Fortinet devices, usually by abusing vulnerabilities in those systems. In this case, by contrast, the hackers are relying on leaked passwords, a simpler and less sophisticated attack.
