Fortinet Firewall: compromises in Italy
A post was recently published on the newly created RAMP underground forum (likely associated with the Babuk ransomware group) containing a list of valid credentials (usernames and passwords) for Fortinet VPN access belonging to approximately 13 000 organizations worldwide.
The list contains 799 directories and 86 941 presumably compromised VPN sessions. The motivation behind sharing the file remains unclear.
Compromised user accounts on firewalls in Italy represent approximately 8% of the total.
The following image shows the breakdown of affected organizations by country. As can be seen, Italy ranks third.

Groove Details
Groove, the platform where the list was actually uploaded, is a new ransomware group that became particularly active between August and September 2021. Groove is presumed to employ former Babuk developers and leverage advanced tactics and tooling. Our Cybersecurity Advisory team has tracked the group’s infrastructure and operational patterns across multiple campaigns targeting critical infrastructure sectors.
Exploited vulnerabilities:
- CVE-2019-0708 – BlueKeep RDP vulnerability
- CVE-2021-27065 – Microsoft Exchange Server RCE
- CVE-2021-26857 – Microsoft Exchange Server RCE
- CVE-2020-0796 – SMBGhost “Bluecorona” RCE vulnerability
- CVE-2019-11510 – Pulse VPN vulnerability
- CVE-2020-0829 – Citrix scan vulnerability
- CVE-2021-21972 – VMware scan vulnerability
- MS17-010 – “EternalBlue” vulnerability
- CVE-2019-19781 – Citrix NetScaler vulnerability