Researchers have recently unveiled a staggering breach involving Fortinet firewalls, which has provided Russian-speaking cybercriminals with unprecedented access to some of the globe's most influential enterprises. Notable victims of this breach include tech giants like Oracle and Lenovo, as well as multinational corporations such as Chevron and Federal Express, alongside a NATO defense contractor and Fortinet itself. According to Bob Diachenko, a security researcher and head of SecurityDiscovery.com, nearly 74,000 Fortinet devices located across more than 21,000 IP addresses in 194 countries have had their plaintext credentials exposed on the internet.

Diachenko discovered this alarming data after infiltrating the attackers' command-and-control server and related infrastructure. In addition to the compromised credentials, the leaked information also detailed the industry classification, revenue figures, and employee numbers for the affected organizations. The scale of this breach is exceptional, and the operational security (opsec) of the attackers appears to be notably poor, as pointed out by independent researcher Kevin Beaumont.

Beaumont noted that as of Wednesday morning, almost all of the compromised devices were still online and operational. He confirmed with several organizations identified in the attackers' logs that the exposed credentials were legitimate and up to date. In numerous instances, after breaching these devices, the cybercriminals went on to infiltrate the organizations' centralized authentication systems, including RADIUS servers and Microsoft Active Directory. The extent of the breach is alarming: according to data from Shodan, the number of compromised devices represents approximately half of all Internet-facing Fortinet firewalls.