dretsdigitals
Cybersecurity

Fortibleed in Andorra: How an Attack on Fortinet Firewalls Exposed the Country's Local Councils and Businesses

An analysis of publicly available data from the global attack on FortiGate devices reveals that at least two local councils and one Andorran company were affected, along with ten additional IP addresses that do not appear if searching only by domain.

· 1 min read

It is well-known that Andorra Telecom is an official distributor of Fortinet; however, its domain does not currently feature on exposure lists. In contrast, at least two local councils and a company are listed. Understanding how the attack was executed helps explain why some were targeted and others were not.

The attackers initially sought Fortinet administration panels exposed online with easy access due to weak passwords or the reuse of user-password pairs previously leaked in past incidents. Once inside, they copied the configuration of FortiGate devices, which function as firewalls for businesses and institutions. An outdated method of password management left a digital footprint (hash) of user passwords within the configuration. With the hash and tables from past incidents, the attackers obtained users’ VPN access, affecting not just the administration.

With this access, distinguishing between a legitimate user and the attacker became virtually impossible, making detection very difficult. This is how they managed to spy undetected. Using such techniques, one of Andorra’s local councils, in the northeast of the country, was breached—this is almost certain, thanks to the FortiBleed Check tool from security company SOCRadar. The local council had its VPN data and credentials stolen. A second local council, in the northwest, and a tax consultancy firm in the capital only showed VPN exposure.

Knowing the attackers had the keys does not necessarily mean they used them; it merely indicates they had the potential to access. Since the domain list does not capture everything, a second step was undertaken: cross-referencing the public IP victim list shared by researcher Kevin Beaumont with the entire address space of Andorra. The outcome was ten IP addresses of affected Andorran devices that do not appear when searching by domain, six of which are in very close blocks.

#fortinet#andorra#fortibleed#vpn

Keep reading