On the back of recent critical-severity disclosures affecting Fortinet SSL VPN and Atlassian Confluence, a recent analysis by Cyble Research Lab has found that Threat Actors (TAs) have leaked 500k+ Fortinet VPN credentials, as well as IP addresses of servers with Confluence and Microsoft Exchange vulnerabilities, on the darkweb and cybercrime forums.
Successful exploitation of these vulnerabilities could allow a remote attacker to compromise these devices and use them to launch secondary attacks. Threat actors often sell leaked information on cybercrime forums in exchange for cryptocurrency. This leaked information is later misused for a host of malicious purposes, including phishing campaigns and ransomware attacks.
This blog covers our analysis of these data leaks on the darkweb in more detail.
Our Analysis
Analysis of Fortinet VPN Credentials Mass Leak
On September 7, 2021, the Groove leaks darkweb website leaked Fortinet VPN credentials, as shown below.

The website contains a URL with a directory /forti, hosting the leaked credentials. According to the TA, the Fortinet VPN services are running on ports 10443 and 443, and the TA claims that all the credentials are valid.
The Groove TA is a former operator of the Babuk gang, currently operating the Ramp Darkweb cybercrime forum.
The following table lists the data fields that the TA has leaked on the Groove leak darkweb website. These fields contain the IP Address, the username, and the password in plain text.

The geographical distribution of the “at risk” IP addresses is shown below.

Assets located in India, Malaysia, China, Brazil, and the US seem to be most affected.

Analysis of Exposed Vulnerable Confluence Servers
On September 12, 2021, a TA named honeypot_0x01 posted the IPs of Confluence servers vulnerable to CVE-2021-26084, as shown in Figure 5. CVE-2021-26084 was publicly disclosed on August 30, 2021, and the vulnerability allows an unauthenticated attacker to execute arbitrary code on a vulnerable Confluence server.
The TA has been active on the cybercrime forum since October 2020 and has made a total of 21 posts.

The TA claims that the database of vulnerable, publicly exposed assets includes IP addresses and target port numbers. However, the TA has only provided sample IPs in the post.

The following illustration shows the distribution of ports on which the vulnerable Confluence server instances are running. Port 80 is the most used, followed by 8090 and 4443.

Figure 8 shows the distribution of the vulnerable Confluence servers by geography. This data is subject to change once the TA provides the full details.

The highest number of vulnerable assets are in the US, followed by China and Germany, as shown in Figure 9.

Analysis of Assets running Vulnerable Microsoft Exchange instances
On September 13, 2021, a TA named marmalade_knight leaked 100k+ IPs of vulnerable Microsoft Exchange servers. These IPs are exposed due to multiple vulnerabilities. This link contains the CVEs released in the year 2021.
As per the TA post, the user marmalade_knight is a VIP member and has been active since September 2021. The TA has eight posts and is yet to build a reputation.

Figure 11 shows the IP addresses along with affected ASNs present in the Leaked Database.

The highest number of vulnerable assets are located in the US, followed by Germany and the UK.

The table below shows the number of unique records leaked on the darkweb and cybercrime forums.
| Unique Records Leaked by Threat Actors | Target Asset Type |
| --- | --- |
| 98000+ | Fortinet |
| 30+ | Confluence |
| 98000+ | MS Exchange |
Our Recommendations
The following are some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices suggested below:
- Perform continuous asset discovery and vulnerability assessment of all assets, especially for those exposed on the internet.
- Maintain a detailed and updated technology asset inventory for your enterprise assets.
- Closely track “critical and high severity” vulnerabilities that are being actively exploited in the wild, and institute emergency patching procedures to apply the vendor-provided patches for such vulnerabilities.
- Implement countermeasures such as WAF policies and virtual patching policies to safeguard your vulnerable assets and reduce the window of exposure to a targeted attack.
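One way to put the inventory and tracking recommendations to work when a leak like the ones above surfaces is to match the published endpoints against your own address ranges. This is an added example, not Cyble's code; the inventory, owner names, record layout and sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory (RFC 5737 documentation ranges): CIDR -> asset owner.
INVENTORY = {
    "192.0.2.0/24": "branch-vpn",
    "198.51.100.16/28": "collab-dmz",
    "203.0.113.0/25": "mail-edge",
}
# What a listing in each leak described in the post means for the asset.
EXPOSURE = {
    "fortinet": "VPN credentials leaked",
    "confluence": "listed as vulnerable to CVE-2021-26084",
    "exchange": "listed as vulnerable Exchange server",
}
# Constructed records; assumed layout "ip[:port] [other fields]", IPv4 only.
LEAK_LINES = [
    ("fortinet", "192.0.2.10:10443 REDACTED REDACTED"),
    ("fortinet", "192.0.2.200:443 REDACTED REDACTED"),
    ("confluence", "198.51.100.20:8090"),
    ("confluence", "198.51.100.40:80"),  # outside the /28: not ours
    ("exchange", "203.0.113.5"),
    ("exchange", "not-an-ip:443"),  # malformed: skipped
]

def parse_endpoint(line):
    """Read only the first field (credentials are never parsed or stored)."""
    host, _, port = (line.split() or [""])[0].partition(":")
    try:
        return ipaddress.ip_address(host), int(port) if port else None
    except ValueError:
        return None  # malformed address or port

def match_inventory(leak_lines, inventory):
    """Group leaked endpoints that fall inside inventoried networks by owner."""
    nets = [(ipaddress.ip_network(c), owner) for c, owner in inventory.items()]
    hits = defaultdict(set)
    for asset_type, line in leak_lines:
        endpoint = parse_endpoint(line)
        if endpoint is None:
            continue
        ip, port = endpoint
        for net, owner in nets:
            if ip in net:
                hits[owner].add((str(ip), port, EXPOSURE[asset_type]))
    return {owner: sorted(found, key=str) for owner, found in hits.items()}

if __name__ == "__main__":
    print(match_inventory(LEAK_LINES, INVENTORY))
```

Each owner in the result is a team that needs to be notified; an endpoint that matches no inventoried range is either not yours or a sign that the inventory is incomplete.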
Conclusion
As with the Fortinet, Confluence, and Microsoft Exchange-related vulnerabilities, various other services, such as open ES servers, are being exposed and hold critical data from multiple organizations.
Cybercriminals are actively fingerprinting and curating information about vulnerable servers exposed on the public internet. This data is being actively sought by cybercriminals to identify and target potential victims.
For most organizations, patch cycles are generally run on a monthly or a quarterly basis, which renders them vulnerable to a targeted attack attempting to exploit such critical CVEs.
As is evident from the above analysis, the “Mean Time to Exploit a critical CVE” has shrunk rapidly. However, the “Mean Time to Patch” metric hasn’t quite kept pace with the evolving threat landscape.
The Cyble Research team will continue to monitor such leaks on the surface as well as the darkweb to shed light on such cybersecurity incidents in addition to validating their impact and helping our clients prioritize high-risk issues.