Breach of Fortinet Firewalls Exposes Credentials for Thousands of Networks

Researchers have identified a significant breach involving Fortinet firewalls, allowing Russian-speaking attackers access to numerous major organizations, including Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor, and Fortinet itself. According to Bob Diachenko, a security researcher and head of SecurityDiscovery.com, nearly 74,000 Fortinet devices from over 21,000 IP addresses across 194 countries have been compromised, with plaintext credentials made publicly available. Diachenko discovered the exposed data after accessing the attackers' command-and-control server. The leaked information includes details about the industry, revenue, and employee count for each affected organization. Kevin Beaumont, an independent researcher, noted that as of Wednesday morning, nearly all compromised devices were still online. He confirmed with several organizations listed in the attackers' logs that the credentials were valid and current. The breach has reportedly allowed attackers to access centralized authentication systems, such as Radius servers and Microsoft Active Directory, with the number of compromised devices representing approximately half of all Internet-facing Fortinet firewalls, according to data from Shodan.