The attackers, already known for their confirmed impacts in the past, claim to have a data sample to evaluate, which could be accessed for a single payment of $200 USD.
Friday, September 23. Once again, the group known as SGANARELLE2 has posted new offers on the dark web selling VPN access with administrator privileges on the Fortinet platform. In this new case, the affected party is a Chilean insurance company with revenues of more than 25 million dollars per year.
The attackers, already known for confirmed impacts in the past, claim to have a data sample available for evaluation, which can be accessed for a single payment of $200 USD so that the buyer can judge how valuable the information is before proceeding to purchase the full data set for $1,200 USD.
Through our intelligence and monitoring group, the recent posts were evaluated and Banchile Seguros de Vida has been identified as a possible victim, since the listing names the banchile.cl domain in its initial-access details.
The details of the compromise have not yet been confirmed; however, Fortinet system vulnerabilities and the absence of MFA on some VPN accounts that were compromised in 2021 are suggested. DefensiONE recommends that our entire community immediately assess the exposure status of the VPN systems available in their organizations and ensure that MFA (multi-factor authentication) is required for their use.
Fortinet is a platform widely used by ISPs, where in some cases it is part of comprehensive hosting service offerings, so we recommend evaluating with your ISP and colocation (data center) providers the use of VPN systems for managing and supporting your systems. These systems, which are usually limited to the IT team and technology support, can be part of the chain of exploitable weaknesses, so reviews should include this possibility and ensure that the systems have MFA. If possible, VPN-based remote access systems should be moved to Zero Trust or SASE-type systems.
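One concrete way to start the MFA review recommended above, as an added example that is not part of this advisory or of any Fortinet tooling: a Python script that parses a FortiOS-style `config user local` section (a constructed sample is embedded; the keyword layout is assumed to match your own configuration export) and lists the enabled local accounts that have no second factor configured.

```python
import re

# Constructed sample in the layout of a FortiOS "config user local" export
# (assumption: your export uses the same keywords; adjust if it differs).
SAMPLE_CONFIG = """\
config user local
    edit "vpn-admin"
        set type password
    next
    edit "jdoe"
        set type password
        set two-factor fortitoken
    next
    edit "svc-backup"
        set type password
        set two-factor disable
    next
    edit "retired-user"
        set type password
        set status disable
    next
end
"""

def parse_local_users(config_text):
    """Map each account in 'config user local' to its two-factor setting
    (None when the line is absent) and its status ('enable' by default)."""
    users, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user local":
            in_section = True
        elif not in_section:
            continue
        elif line == "end":
            break
        elif (m := re.match(r'edit "([^"]+)"$', line)):
            current = m.group(1)
            users[current] = {"two_factor": None, "status": "enable"}
        elif line == "next":
            current = None
        elif current and (m := re.match(r"set (two-factor|status) (\S+)$", line)):
            users[current][m.group(1).replace("-", "_")] = m.group(2)
    return users

def users_without_mfa(config_text):
    """Enabled accounts whose second factor is missing or explicitly disabled:
    the ones to remediate before the VPN is reachable from the internet."""
    return sorted(name for name, u in parse_local_users(config_text).items()
                  if u["status"] == "enable" and u["two_factor"] in (None, "disable"))
```

Run it against a real `show user local` export to get the list of accounts to fix; accounts authenticated through LDAP or RADIUS need the equivalent check on the directory side.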
Updates with IoC and IoW details will be shared on EVA Defender Space.