Ransomware gang Groove leaked half a million login credentials belonging to users of Fortinet’s VPN solution on a newly launched hacking forum, named Ramp. The hackers likely scraped the names and passwords from compromised devices.
Who’s Groove?
Groove is a new ransomware gang that became more active in August this year. Like other gangs, it runs a double extortion model: first it encrypts files, then it threatens to publish the exfiltrated data. Until last week, Groove listed only one victim on its dark net website, a paper products manufacturer headquartered in Germany. According to cyber intelligence researcher Darktracer, the Babuk, BlackMatter and Groove ransomware gangs all share the same data hosting server on the dark web, which he takes as a sign that they belong to the same cartel. Groove, however, denies any such association. The Groove representative, who also operates the new hacking forum Ramp, is allegedly a former Babuk operator. Babuk, a Russian-speaking startup, claimed responsibility for the breach of the Washington DC Metropolitan Police’s network in April this year; apparently, this incident was the turning point that eventually led to Babuk’s disintegration.
Leaked Fortinet VPN Credentials
On Tuesday night, Groove leaked a list containing 500,000 Fortinet VPN credentials on their dark net website. The Groove representative also offered the same set of usernames and passwords for free on Groove’s new hacking forum, Ramp. BleepingComputer confirmed that the file contains 498,908 user credentials for over 12,856 devices. In addition, all of the IP addresses they checked do indeed belong to Fortinet VPN servers. Further analysis by threat intelligence firm Advanced Intel reveals that 2,959 devices are located in the US. However, the list names over 70 countries. The largest share of credentials originates from India (11%), Taiwan (8.45%), and Italy (7.96%). It is unclear why the gang is giving away this information for free. Advanced Intel thinks the release of Babuk’s source code on September 3 triggered Groove’s decision. This incident caused a severe backlash on underground forums. Of course, the freebie will also give the gang some credibility to promote their ransomware-as-a-service operation.
Fortinet Aware of the Incident
Cybersecurity firm Fortinet confirmed that it is aware of the security incident. According to Fortinet, the threat actors obtained the credentials from systems that remained unpatched against the FG-IR-18-384 / CVE-2018-13379 vulnerability. Fortinet resolved CVE-2018-13379 in May 2019 and has since issued multiple warnings detailing the issue and encouraging customers to upgrade affected devices. Moreover, in April this year, the FBI and CISA released a joint cybersecurity advisory because APT actors were still actively exploiting the same vulnerability. Credentials harvested before a device was patched remain valid after the patch: if users patched their systems but failed to reset passwords or to add an extra layer of security, those systems remained vulnerable. Moreover, if the same credentials are shared with other internal services, malicious actors could try to compromise those as well. Fortinet recommends taking the following steps to ensure credentials cannot be abused.
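The practical question for a defender reading the paragraph above is: which of my own VPN accounts appear in the dump, and were their passwords last set before the fix shipped? The following script is an added example written for this article; it is not Fortinet's code, not part of Fortinet's recommendations, and not the format of the real leak. The record layout (ip:port, username, password separated by tabs), the device inventory, the password-rotation dates and the IP addresses (RFC 5737 test ranges) are all constructed for illustration. It parses the dump, discards the plaintext passwords immediately, keeps only records that hit devices in the organization's own inventory, and sorts each affected account into a triage bucket using the May 2019 fix date from the article.

```python
"""Triage a leaked VPN credential dump against your own device inventory.

Added example for this article; not Fortinet's code or guidance, and not the
real dump format. All sample data below is CONSTRUCTED.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Constructed dump excerpt: "ip:port<TAB>username<TAB>password" per line.
LEAK_SAMPLE = """\
203.0.113.10:10443\talice\tWinter2019!
203.0.113.10:10443\tbob\thunter2
198.51.100.7:443\tcarol\tP@ssw0rd
198.51.100.7:443\terin\tletmein
192.0.2.44:10443\tdave\tchangeme
this line is garbage and must be skipped
"""

# Constructed inventory of the VPN appliances this organization operates.
OUR_DEVICES = {"203.0.113.10", "198.51.100.7"}

# Constructed record of when each account last rotated its VPN password.
LAST_PASSWORD_CHANGE = {
    "alice": date(2019, 3, 1),    # set before the fix shipped
    "bob": date(2020, 8, 15),     # rotated after the fix, yet still in the dump
    "carol": date(2021, 9, 10),
    # "erin" has no recorded rotation, which is itself a finding
}

# Fortinet published the fix in May 2019 (from the article). A password last
# set before this date may have been captured from a then-unpatched device.
FIX_RELEASED = date(2019, 5, 1)


@dataclass(frozen=True)
class LeakedRecord:
    """One dump entry with the password deliberately dropped."""
    ip: str
    port: int
    username: str


def parse_leak(text):
    """Parse dump lines; malformed lines are skipped, passwords are not kept."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            endpoint, username, _password = line.split("\t")
            host, port = endpoint.rsplit(":", 1)
            ipaddress.ip_address(host)  # raises ValueError on non-IP garbage
            records.append(LeakedRecord(host, int(port), username))
        except ValueError:
            continue  # do not let one bad line abort the whole triage
    return records


def triage(records, our_devices, last_change, fix_released):
    """Return {username: reason} for accounts on our devices that need action."""
    affected = {}
    for rec in records:
        if rec.ip not in our_devices:
            continue  # someone else's appliance; not ours to reset
        changed = last_change.get(rec.username)
        if changed is None:
            reason = "no rotation record: force reset"
        elif changed < fix_released:
            reason = "password predates fix: force reset"
        else:
            reason = "rotated after fix but still leaked: force reset and investigate device"
        affected[rec.username] = reason
    return affected


def devices_hit(records, our_devices):
    """Which of our appliances appear in the dump at all (patch-status check list)."""
    return sorted({rec.ip for rec in records if rec.ip in our_devices})


if __name__ == "__main__":
    recs = parse_leak(LEAK_SAMPLE)
    for user, why in sorted(triage(recs, OUR_DEVICES, LAST_PASSWORD_CHANGE, FIX_RELEASED).items()):
        print(f"{user}: {why}")
    print("devices to verify:", devices_hit(recs, OUR_DEVICES))
```

The third bucket matters most: an account whose password was rotated after the fix but still shows up in the dump suggests the appliance was not actually patched when the scrape happened, or the new password was reused somewhere else, so that device deserves a version check and the account a look for credential reuse across internal services, not just a reset.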