A global cyberattack campaign that targets Fortinet security products has compromised login credentials associated with UK government personnel and some critical services. This campaign is now fuelling concerns regarding the vulnerability of infrastructure as well as the risk of ransomware attacks.
Security researchers believe that this FortiBleed campaign is among the biggest credential theft operations targeting Fortinet firewalls. Instead of identifying a new software vulnerability, the attackers use stolen passwords, recycle old passwords, and make automated login attempts.
UK government and council accounts exposed
Reports, first published by The Telegraph, have revealed that credentials belonging to UK government staff have appeared on criminal marketplaces. Some of this stolen access reportedly sells for as much as $60,000.
The compromised accounts include IT staff working at British embassies in Thailand and Mauritius. Employees of Derbyshire and Waltham Forest councils are also among the victims of this attack.
According to the reports, the leaked data include email IDs and the corresponding passwords. If these login credentials are still valid, hackers will be able to access internal systems without having to employ any other hacking technique.
Moreover, security experts have warned that valid login credentials have more value for criminals than stolen files as it lets them login like normal users without setting off security alarms.
The campaign extends far beyond government
The attack is not just a problem for government agencies. The exposed credentials also involve healthcare providers, energy companies, pharmaceutical suppliers, and other operators of critical infrastructure around the world.
Dr. Saif Abed, a cybersecurity expert and former NHS doctor, warned that compromised access to healthcare suppliers could be a starting point for ransomware attacks. Such attacks can directly disrupt patient care.
His warning comes two years after a major ransomware attack on the pathology provider Synnovis. That incident led to the cancellation of thousands of NHS appointments and operations across London.
No new software vulnerability to patch
Despite the scale of the incident, researchers and government agencies stress this is not the result of a new flaw in Fortinet products. The cyber criminals used various known attack methods, including credential stuffing, brute force password attack, and passwords stolen from previous data breaches. These events are often the result of having weak passwords and failing to use two-factor authentication.
The importance of strong password practices is also highlighted by phishing campaigns targeting Facebook users, where hackers try to steal login credentials through deceptive schemes.
The first person to alert the public about the FortiBleed attack was Volodymyr “Bob” Diachenko, who is a security expert, after he discovered the exposed server. This server held what looked like valid Fortinet administrator and VPN credentials.
The database included over 80,000 exposed Fortinet appliances worldwide. Estimates suggest that the wider campaign scanned over 430,000 devices to find their targets.
UK and global authorities issue urgent alerts
The UK’s National Cyber Security Centre (NCSC) has confirmed ongoing brute-force attacks targeting Fortinet systems. They have issued an urgent warning to organizations using these devices.
The agency recommends that organizations reset passwords right away. They also recommend checking for login attempts, isolating affected systems, and monitoring networks for any suspicious activity.
Other national cyber security agencies have issued a similar warning as well. This includes authorities in Singapore, the Netherlands, and the USās CISA, as the campaign continues to affect organizations worldwide.
Russian Links Remain Under Scrutiny
The attack infrastructure and parts of the malicious code reportedly contain Russian-language elements. Another threat actor using the online alias “SantaAd” is also advertising the credentials for sale.
However, UK officials have not directly attributed the campaign to the Russian government. However, according to the NCSC, there are no signs of government involvement at the moment.
Nevertheless, UK intelligence officers have continuously stressed the fact that hacker gangs based in Russia usually enjoy an enabling environment. These groups can launch attacks as long as they avoid targeting Russian interests.
Newer threat intelligence suggests the stolen Fortinet credentials may already be feeding into ransomware operations. Researchers at SOCRadar recently linked the FortiBleed infrastructure to the INC and Lynx ransomware groups.
Further, the warning indicates that credential theft could just be a prelude to future attacks. The lesson for companies is that even without exploiting any software vulnerabilities, password weaknesses would be sufficient for cybercriminals to access their systems.