It has emerged that the administrator of the RAMP forum, a former operator of the Babuk ransomware group, has published on the Internet roughly 500,000 login names and passwords harvested from compromised Fortinet VPN devices. Fortinet patched the vulnerability that was used to harvest them, but many administrators never changed the affected credentials, so a large share of the leaked logins may still work. The archive is hosted by members of the Groove group, which is believed to be run by operators of the now-defunct Babuk.
According to the source, the VPN access data was collected over several months and, before publication, was checked to confirm that the credentials were valid and still worked. The attacker is reported to have exploited a vulnerability in the FortiOS operating system tracked as CVE-2018-13379. It is a path traversal flaw in the SSL VPN web portal of FortiGate devices that lets an unauthenticated attacker read system files with specially crafted HTTP requests; on unpatched devices the readable files include the SSL VPN session file, which stores usernames and passwords in plaintext, which is how credentials of this kind are harvested.
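Added example, not code from the article or from Fortinet: a small Python scanner that runs over web-access log lines and flags requests shaped like the CVE-2018-13379 traversal against the SSL VPN portal. The endpoint and traversal pattern are the publicly documented ones; the Common Log Format layout, IP addresses, timestamps and response sizes below are constructed for the example.

```python
"""Flag HTTP requests that look like CVE-2018-13379 path-traversal attempts.

Added example (not from the original article). The request shape, a `lang=`
parameter on /remote/fgt_lang that carries `../` segments, is the publicly
documented exploitation pattern; everything else here is constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines in Common Log Format (assumed layout; the
# addresses are documentation ranges, not real attackers).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2021:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1234
198.51.100.7 - - [10/Sep/2021:10:01:05 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 65536
198.51.100.7 - - [10/Sep/2021:10:01:06 +0000] "GET /remote/fgt_lang?lang=%2f..%2f..%2f..%2f..%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 200 65536
192.0.2.9 - - [10/Sep/2021:10:02:00 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 512
"""

# One Common Log Format record: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

VULNERABLE_PATH = "/remote/fgt_lang"


def is_traversal_attempt(target: str) -> bool:
    """True if the request hits the language endpoint with a traversal payload.

    The lang value is decoded twice so that single and double URL-encoding
    of the '../' segments are both caught.
    """
    parts = urlsplit(target)
    if parts.path != VULNERABLE_PATH:
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        decoded = unquote(unquote(value))
        if "../" in decoded or "..\\" in decoded:
            return True
    return False


def scan_log(text: str) -> list:
    """Return one record per suspicious request, with status and size kept so
    an analyst can tell a served file (200, large body) from a rejected probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; ignore rather than crash on noise
        if is_traversal_attempt(m["target"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "size": int(m["size"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        verdict = "likely served" if hit["status"] == 200 else "rejected"
        print(f'{hit["ts"]} {hit["ip"]} {verdict}: {hit["target"]}')
```

A 200 response with a large body on one of these requests means the device handed the file over, and in that case patching alone is not enough: every VPN user whose session was on the device should have their password rotated, which is exactly the gap the leaked archive exploits. A 4xx on the same request is what a patched device returns and indicates a probe, not a compromise.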
Since the spring of 2021 this FortiOS vulnerability, together with two others (CVE-2019-5591 and CVE-2020-12812), has been actively exploited by several hacking groups. The campaigns drew the attention of the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA), which issued a joint advisory warning of attacks on Fortinet devices.
The source notes that the Groove representative who published the database of VPN accounts uses the same pseudonym, SongBird, as the former Babuk operator and RAMP forum administrator, who specialized in ransomware. Another source names the author of the post as Orange, but also links that handle to the Babuk hackers and the RAMP forum.