Massive Fortinet Firewall Breach Exposes Credentials for Thousands of Networks
Russian-speaking attackers gain near-unrestricted access to major organizations via Fortinet firewall breach

Researchers have uncovered a massive breach of Fortinet firewalls that has given Russian-speaking attackers near-unrestricted access to some of the world’s largest and most powerful organizations, including Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor, and Fortinet itself. Nearly 74,000 Fortinet devices from more than 21,000 IP addresses in 194 countries have been compromised and their plaintext credentials exposed online, Bob Diachenko, a security researcher and head of SecurityDiscovery.com, said online and in an interview. He said he found the data after gaining access to the attackers’ command-and-control server and other infrastructure.
The exposed data also included the industry, revenue, and employee count for each compromised organization. Independent researcher Kevin Beaumont reported that “almost all” of the compromised devices remained online as of Wednesday morning. He went on to say that he has confirmed with multiple organizations found in the attackers’ logs that the credentials are real and current.
In many cases, once the threat actors compromised the devices, they went on to access affected organizations’ centralized authentication systems, such as RADIUS servers and Microsoft Active Directory. The number of compromised devices amounts to roughly half of all Internet-facing Fortinet firewalls, based on Shodan search data. The breach raises significant concerns about the security of global networks and the potential for widespread exploitation.
With access to valid credentials, attackers can move laterally within organizations, compromising additional systems and data. This incident highlights the need for organizations to prioritize robust security measures, including timely updates and patches for Internet-facing devices, to prevent similar breaches. The fact that many compromised devices remain online and that attackers have already reached centralized authentication systems increases the risk of further exploitation.
As the threat actors continue to leverage these credentials, businesses and organizations must act quickly to mitigate the damage and protect their networks. The long-term implications of this breach will depend on the actions taken by the affected organizations and the response from the cybersecurity community.
Source: Ars Technica