Menu

angle_3

FortiBleed: More than 30 entities in Morocco hit by global data leak

On Thursday, the DGSSI reported a leak of credentials for Fortinet firewalls and SSL VPN gateways affecting around thirty entities based in Morocco. The incident is part of the massive FortiBleed data leak, which compromised nearly 75,000 devices worldwide. Badr Bellaj, an expert in distributed systems security, spoke to Yabiladi about the breach.

Publié Temps de lecture: 3'
FortiBleed: More than 30 entities in Morocco hit by global data leak
DR

The Cyberattack Detection, Monitoring and Response Center, which operates under the General Directorate for Information Systems Security (DGSSI), has warned of a massive data leak known as FortiBleed affecting several Moroccan entities. On June 18, the incident targeted Fortinet firewalls and SSL VPN gateways, exposing valid and active administrator and VPN credentials for nearly 75,000 devices worldwide, including some in Morocco.

In the kingdom, around 30 entities were affected, including Inwi, Casa Prestations, Chronopost, the OFPPT, BM Group and the website of Cadi Ayyad University in Marrakech. Speaking to Yabiladi, distributed systems security expert Badr Bellaj said the «incident affects organizations and companies at the level of their infrastructure, staff or customers». He described it as «a dangerous attack» that has impacted major entities around the world.

Data potentially exposed

According to the DGSSI, the incident «was discovered through a password credential-harvesting campaign targeting Fortinet VPN and firewall products». Bellaj explained that «when the security of these entities is compromised, one can imagine that there may be data breaches or data leaks, with information being circulated on the dark web».

The DGSSI noted that «the attackers were able to access these credentials by extracting configuration files from Internet-connected FortiGate devices and cracking password hashes offline».

According to the agency, attackers could use these credentials to infiltrate internal networks via VPN access, «take full control of the network, deploy ransomware or exfiltrate confidential data».

Bellaj stressed that «one can imagine any kind of threat that could affect the end user». However, he cautioned that «we do not know whether these passwords have been exploited, or whether the companies had already taken preventive measures by changing passwords regularly».

The incident comes amid a series of data leaks involving Moroccan institutions in recent years, including Al Barid Bank, the CNSS and the OFPPT.

Bellaj noted that «FortiBleed is problematic and does not resemble a conventional attack; it targets two very important entry points for any company: the VPN and the firewall».

«It is as if someone had found the keys to your apartment and could get inside, take things and leave. When someone has VPN or firewall access, especially administrator access, they can go onto an interface, log in and carry out operations. If companies follow best practices for passwords and logins, they can protect themselves.»

According to the expert, «we do not know how this database was built, but we understand that a vulnerability made it possible to extract the unique digital fingerprint, or hash, which, once cracked, makes it easier to recover passwords». He added that «companies normally rotate passwords, so even after this incident they can still protect themselves».

Increased monitoring and rising threats

For Bellaj, the growing number of reported cyberattacks in Morocco reflects both more effective detection capabilities and an increase in the frequency of attacks.

«Monitoring is becoming increasingly effective, as shown by the DGSSI’s valuable and comprehensive note and its very good work. The frequency of these incidents is also rising, which can be explained by the adoption of artificial intelligence, which makes attacks easier.»

He explained that «a hacker can easily create an agent, scan all vulnerable systems and try to generate a database, just as AI can help optimize the way hashes are cracked».

In its recommendations, the DGSSI urged affected entities to verify whether they have been impacted using the available tools. The agency also recommends «forcing PBKDF2 hashing», noting that Fortinet has «introduced stronger encryption (PBKDF2) in its recent versions (FortiOS 7.2.11, 7.4.8 and 7.6.1)».

«This encryption is activated only if the administrator logs in at least once after the update. Therefore, after updating your FortiOS to a secure version, require all administrators to log in to force the migration of the fingerprint to PBKDF2», the DGSSI said.

If this is not possible, the agency recommends «manually changing passwords from a ‘super_admin’ account».

Finally, the DGSSI stressed the importance of ensuring that FortiGate administration interfaces are not directly accessible from the public internet and called on organizations to conduct log audits to identify any suspicious activity.

Soyez le premier à donner votre avis...