Cybercriminals have allegedly breached tens of thousands of Fortinet firewalls used by major companies around the world

Cybercriminals have breached tens of thousands of Fortinet firewalls and VPNs used by major companies around the world, according to two cybersecurity firms.

The large-scale, still-ongoing hacking campaign, dubbed FortiBleed, does not appear to involve the exploitation of any unknown vulnerability in the targeted devices. Instead it comes down to a more fundamental problem: companies not changing the passwords on their firewalls, or not ensuring that the credentials they use for sensitive internet-exposed systems are not already known to hackers.

In this campaign, hackers first use automated tools to scan the internet for exposed Fortinet firewalls and VPNs. They then break into the devices using lists of previously leaked passwords. From there, the cybercriminals can steal further sensitive data from the victim companies, cybersecurity companies Hudson Rock and SOCRadar wrote in reports published this week.

“Once a device is compromised, (hackers) use it as a listening point, monitoring traffic and collecting any additional credentials that flow in. The newly collected passwords are then fed back into the scanner to compromise more devices. The system feeds itself,” SOCRadar wrote.

Fortinet spokesperson Tiffany Corsi told TechCrunch that the company is “aware of a reported third-party credential harvesting campaign targeting Fortinet firewalls and VPN gateways.” Fortinet said that based on the company’s analysis, the data in question is “a re-sharing of data from previous incidents, as well as credential brute force exploitation, and is not related to any recent incident or consultation.”

Hudson Rock said they found evidence suggesting more than 73,000 unique Fortinet URLs were compromised, while SOCRadar said the total number of compromised devices was more than 30,000.

According to the Hudson Rock website, the companies that were hacked include: Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC.

A Lenovo spokesperson acknowledged receipt of TechCrunch’s request for comment but did not respond. None of the other companies responded to a request for comment.

According to both Hudson Rock and SOCRadar, the countries with the most affected devices are India, the United States, Taiwan, and Mexico. But both companies say there are victims all over the world. As for industries, the most affected are information technology services, building materials, and communications, according to Hudson Rock. Government agencies are also among the victims, according to SOCRadar. The two cybersecurity companies said the group behind the hacking campaign appeared to be Russian-speaking.

The Hudson Rock and SOCRadar reports are based on the discovery of a list of credentials for Fortinet devices and the companies associated with them. The hacking campaign was first reported by security researcher Bob Diachenko over the weekend. Independent cybersecurity researcher Kevin Beaumont said in a blog post on Wednesday that he had analyzed the data and confirmed it was “legitimate.”

In recent years, numerous hacking campaigns have targeted and compromised Fortinet devices, typically by exploiting vulnerabilities in those systems. In this case, by contrast, the hackers rely on leaked passwords, a simpler and less sophisticated attack.

Updated with comment from Fortinet.
