The financially motivated threat actor Groove has leaked online compromised credentials belonging to many organizations. The ransomware group has been active since August 2021 and implement a double extortion model like other gangs.
The threat actor leaked a list containing approximately 500,000 Fortinet VPN credentials that can allow threat actors to breach the networks of the organizations that use the compromised VPN appliances and perform malicious activities such as dropping a ransomware or stealing sensitive data.
The credentials were likely amassed by the threat actors over the last few months by exploiting the CVE-2018-13379 Path Traversal flaw in Fortinet FortiOS running on Fortigate appliances.
Groove representative is likely a threat actor that goes online with the moniker “SongBird” who is a former operator of the Babuk gang. He is also the admin of a recently launched underground service named RAMP that focuses on ransomware operations.
SongBird also created a post on the RAMP forum that includes a link to a file containing the Fortinet VPN accounts.
Organizations are recommended to contact the CERTs of their country in order to determine if they are using one of the compromised Fortinet appliances.
Researchers from threat intelligence firm Advanced Intel that analyzed the leaked data, published the geographical distribution of the Fortinet VPN SSL list which includes 74 countries. 2,959 out of 22,500 victims are US entities.
(SecurityAffairs – hacking, Groove gang)