Cybercriminals allegedly hacked tens of thousands of Fortinet firewalls used by major companies all over the world
Cybercriminals have compromised tens of thousands of Fortinet firewalls and VPNs used by major companies all over the world, according to two cybersecurity firms.
The widespread hacking campaign, which is ongoing and has been dubbed FortiBleed, does not appear to involve the abuse of any unknown vulnerability in the targeted devices, but rather rests on a more basic issue: companies may not be changing the passwords on their firewalls, nor making sure that the credentials they use for sensitive systems exposed on the internet are not already known to hackers.
In this campaign, hackers first use automated tools to scan the internet for exposed Fortinet firewalls and VPNs. Then they break into the devices using lists of previously known passwords. At that point, the cybercriminals can steal more sensitive data from the victim companies, cybersecurity firms Hudson Rock and SOCRadar wrote in reports they published this week.
“Once a device is compromised, [the hackers] use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself,” SOCRadar wrote.
Fortinet spokesperson Tiffany Curci told TechCrunch that the company “is aware of a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways.” Fortinet said that based on the company’s analysis, the data involved is “a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory.”
Hudson Rock said it found evidence suggesting that more than 73,000 unique Fortinet URLs have been hacked, while SOCRadar said the total number of hacked devices is more than 30,000. According to Hudson Rock, the hacked companies include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC.
A Lenovo spokesperson acknowledged receipt of TechCrunch’s request for comment but did not respond. None of the other companies responded to a request for comment.
According to both Hudson Rock and SOCRadar, the countries with the most affected devices are India, the United States, Taiwan, and Mexico, but both companies say there are victims all over the world. As for industries, the most affected are IT services, construction materials, and telecommunications, according to Hudson Rock. Government agencies are also among the victims, per SOCRadar.
Both cybersecurity companies said the group behind the hacking campaign appears to be Russian-speaking. Hudson Rock’s and SOCRadar’s reports are based on the discovery of a list of credentials for Fortinet devices and the companies associated with them. The campaign was first reported by security researcher Bob Diachenko over the weekend. Independent cybersecurity researcher Kevin Beaumont said in a blog post on Wednesday that he analyzed the data and confirmed that it “is legit.”
In recent years, several hacking campaigns have targeted and compromised Fortinet devices, usually by abusing vulnerabilities in those systems. In this case, by contrast, the hackers are relying on leaked passwords, a simpler and less sophisticated attack.