Ethical Hacking News
Hackers have leaked sensitive technical information for over 15,000 FortiGate devices on the dark web, exposing firewall rules and credentials. The data dump is linked to a 2022 zero-day vulnerability tracked as CVE-2022-40684, which was exploited by threat actors before a fix was released. Cybersecurity experts are urging organizations using FortiGate to review their network defenses and update firewall rules and credentials.
The Belsen Group leaked configuration files, IP addresses, and VPN credentials for over 15,000 FortiGate devices on the dark web. The leak was compiled in October 2022 and consists of a 1.6 GB archive exposing sensitive technical information about network defenses worldwide, including configuration files, VPN passwords, private keys, and firewall rules, some of them in plain text. The data dump is linked to a 2022 zero-day vulnerability (CVE-2022-40684) that was exploited before a fix was released. Fortinet warned about the vulnerability at the time and recommended updating firewall rules and credentials to prevent unauthorized access; cybersecurity experts now recommend reviewing network defenses, updating firewall rules, and changing credentials to mitigate this risk.
In a shocking revelation that has left cybersecurity experts reeling, a group of hackers known as the "Belsen Group" has leaked the configuration files, IP addresses, and VPN credentials for over 15,000 FortiGate devices on the dark web. This massive data dump, which consists of a 1.6 GB archive, exposes sensitive technical information about the network defenses of countless organizations worldwide.
The leak, which is believed to have been compiled in October 2022, was released by the Belsen Group on their Tor website, where it is available for anyone to download and exploit. The data dump includes configuration files (config.dmp) and VPN passwords (vpn-passwords.txt), with some of the latter in plain text. Furthermore, these configurations contain sensitive information such as private keys and firewall rules.
In a blog post about the FortiGate leak, cybersecurity expert Kevin Beaumont revealed that the leak is linked to a 2022 zero-day vulnerability tracked as CVE-2022-40684, which was exploited by threat actors before a fix was released. Beaumont also noted that he had performed incident response on one device at a victim organization and confirmed that exploitation of this vulnerability resulted in unauthorized access.
"It's possible that the data dump has been assembled from previous operations," explains Beaumont. "The data appears to have been gathered in October 2022, as a zero-day vuln. For some reason, the data dump of config has been released today, just over 2 years later."
The leaked FortiGate configurations also contain firewall rules and credentials. Any of these that have not been changed since the data was collected remain exposed to abuse by threat actors.
Fortinet warned in 2022 that threat actors were exploiting a zero-day vulnerability tracked as CVE-2022-40684 to download configuration files from targeted FortiGate devices and then add a malicious super-admin account called 'fortigate-tech-support'.
The leaked data includes IP addresses for all the FortiGate devices it covers worldwide, some of which run firmware versions 7.0.0 through 7.0.6 or 7.2.0 through 7.2.2. However, Beaumont notes that the vulnerability in question was fixed by FortiOS 7.2.2, released on October 3, 2022.
To mitigate this risk, cybersecurity experts recommend that organizations using FortiGate devices review their network defenses and update firewall rules and credentials to prevent unauthorized access.
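The review recommended above starts with the configuration itself: Fortinet's advisory describes the attackers pulling the config and adding a 'fortigate-tech-support' super-admin, so a defender handling a possibly exposed device should audit the admin accounts and the firmware version in its config dump. The following Python is an added example written for this article, not code from Fortinet, Beaumont or BleepingComputer. It assumes the standard FortiOS CLI config syntax ('config system admin' / 'edit' / 'set' / 'next' / 'end'), a '#config-version=<model>-x.y.z-...' header line, and a constructed sample config; the version ranges are the ones the article lists.

```python
import re
AFFECTED = (((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 2)))  # firmware ranges the article names
KNOWN_BAD = {"fortigate-tech-support"}  # super-admin name Fortinet attributed to the attackers
# Constructed sample in FortiOS CLI config syntax; the '#config-version=' header format is an assumption.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.5-FW-build0304-220422:opmode=0:vdom=0:user=admin
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
    next
end
"""
def parse_version(config):
    # Read x.y.z from '#config-version=<model>-x.y.z-...'; None if the header is absent.
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None
def parse_admins(config):
    # {admin name: {setting: value}} from the 'config system admin' block; nested
    # sub-blocks are tracked by depth so an inner 'end' does not stop parsing early.
    admins, current, depth, inside = {}, None, 0, False
    for line in (ln.strip() for ln in config.splitlines()):
        if not inside:
            inside = line == "config system admin"
        elif line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip('"')
            admins[current] = {}
        elif depth == 0 and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip('"')
    return admins
def triage(config, expected_admins):
    # Findings a defender acts on after a config exposure: firmware range and admin audit.
    findings, ver = [], parse_version(config)
    if ver and any(lo <= ver <= hi for lo, hi in AFFECTED):
        findings.append("firmware %d.%d.%d is in the range named in the leak; upgrade" % ver)
    for name, settings in parse_admins(config).items():
        if name in KNOWN_BAD:
            findings.append("known attacker account present: " + name)
        elif settings.get("accprofile") == "super_admin" and name not in expected_admins:
            findings.append("unexpected super_admin account: " + name)
    return findings
```

Run `triage(SAMPLE_CONFIG, {"admin"})` on the constructed sample to see both the firmware finding and the flagged 'fortigate-tech-support' account; pass your own allowlist of known administrators in place of `{"admin"}`.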
"This is a wake-up call for all organizations relying on FortiGate," says Beaumont. "Even though these configuration files were collected in 2022, they still expose sensitive information about a network's defenses."
BleepingComputer has reached out to both the threat actors and Fortinet with questions about the leak and will update this story if we receive a response.
Related Information:
https://www.bleepingcomputer.com/news/security/hackers-leak-configs-and-vpn-credentials-for-15-000-fortigate-devices/
https://nvd.nist.gov/vuln/detail/CVE-2022-40684
https://www.cvedetails.com/cve/CVE-2022-40684/
Published: Thu Jan 16 00:37:36 2025 by llama3.2 3B Q4_K_M