FortiGate Leak: Over 15,000 Devices’ Configs and VPN Credentials Exposed by New Hacking Group

Jan 16, 2025 | News





A newly emerged hacking group, known as the “Belsen Group,” has leaked the configuration files, IP addresses, and VPN credentials for more than 15,000 FortiGate devices. The data, containing sensitive technical details, was made freely available on the dark web, posing significant risks to organizations worldwide.

Image: the Belsen Group's post on a hacking forum (Source: BleepingComputer)

Details of the Leak

The leak, announced on cybercrime forums and through a Tor-hosted website, appears to be an attempt to promote the Belsen Group. The group claimed the data spans both governmental and private sectors across numerous countries.

The 1.6 GB archive is organized by country, with one subfolder per device IP address. Each device folder includes:

  • Configuration files (configuration.conf), which detail firewall rules and private keys.
  • VPN credentials (vpn-passwords.txt), some of which are in plain text.

Image: per-IP-address folders holding the FortiGate devices' configuration dumps (Source: Beaumont)

Connection to CVE-2022-40684

Cybersecurity researcher Kevin Beaumont linked the leak to CVE-2022-40684, a critical authentication-bypass zero-day in the FortiOS administrative interface disclosed in October 2022. The flaw let unauthenticated attackers perform administrative operations, including downloading the device's configuration file and creating rogue admin accounts such as 'fortigate-tech-support'.

Beaumont noted that the leaked data appears to have been collected in October 2022, at the height of exploitation of this vulnerability. Most of the impacted devices were running FortiOS 7.0.0–7.0.6 or 7.2.0–7.2.2. Fortinet shipped the fix in 7.0.7 and in 7.2.2, the latter released on October 3, 2022, so the presence of devices on 7.2.2 in the dump raises the question of how those particular devices were compromised.

 


Implications of the Leak

Despite being over two years old, the leaked data still poses severe risks. The exposed configuration files contain sensitive information, such as:

  • Firewall rules, offering insight into network defenses.
  • Credentials, which if unchanged, could grant attackers access to the networks.

Recommendations for Impacted Organizations

Organizations using FortiGate devices are urged to take immediate action:

  1. Change all exposed credentials: rotate VPN user passwords and administrator passwords immediately, and replace any private keys contained in the exported configuration, since those are exposed as well.
  2. Patch to fixed firmware: run a FortiOS release that contains the fix for CVE-2022-40684 (7.0.7 or later, or 7.2.2 or later) and keep devices on the latest supported firmware. Patching alone does not invalidate credentials that have already leaked.
  3. Audit device configurations: review the administrator table for unauthorized accounts, such as the ‘fortigate-tech-support’ super_admin, and for settings you did not configure.
  4. Monitor for potential threats: check whether your devices' IP addresses appear in the leaked dataset, and watch for unusual VPN logins or administrative access attempts against those devices.
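Steps 2 and 3 can be performed offline against a configuration export, which is also the same artifact that leaked here. The following Python script is an added example for this article, not code from the original page or from Fortinet: it reads the `#config-version` header to decide whether the firmware falls inside a CVE-2022-40684 affected range (7.0.0–7.0.6 and 7.2.0–7.2.1, since 7.0.7 and 7.2.2 carry the fix), walks the `config system admin` table, flags administrator names that are not on an allow list, and lists any SSH public keys set on administrator accounts for review. The sample configuration, the `KNOWN_ADMINS` allow list and the `ENC` placeholder values are constructed for the example.

```python
import re

# Constructed sample of a FortiGate configuration export (not from the leak).
# Only the sections the checks below look at are included; the ENC values are
# placeholders, not real password hashes.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.2.1-FW-build1254-220809:opmode=0:vdom=0:user=admin
#conf_file_ver=1234567890
config system global
    set hostname "FGT-BRANCH-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2placeholder_admin
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2placeholder_netops
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-key"
        set password ENC SH2placeholder_rogue
    next
end
"""

# FortiOS ranges affected by CVE-2022-40684: 7.0.0-7.0.6 (fixed in 7.0.7)
# and 7.2.0-7.2.1 (fixed in 7.2.2).
AFFECTED_RANGES = [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))]

# Administrator accounts the organisation actually provisioned (assumed allow list).
KNOWN_ADMINS = {"admin", "netops"}

VERSION_RE = re.compile(r"^#config-version=(?P<platform>[A-Za-z0-9]+)-(?P<ver>\d+\.\d+\.\d+)-")


def parse_version(config_text):
    """Return (platform, (major, minor, patch)) from the #config-version header."""
    for line in config_text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            return m["platform"], tuple(int(x) for x in m["ver"].split("."))
    raise ValueError("no #config-version header found")


def is_affected_by_cve_2022_40684(version):
    """True if the FortiOS version tuple falls inside an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def parse_admins(config_text):
    """Return {name: {"accprofile": ..., "ssh_keys": [...]}} from 'config system admin'.

    Nesting depth is tracked so that sub-tables inside an admin entry
    (e.g. 'config gui-dashboard ... end') do not terminate the section early.
    """
    admins, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system admin":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                break
            continue
        if depth != 1:
            continue  # ignore the body of nested sub-tables
        if line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            admins[current] = {"accprofile": None, "ssh_keys": []}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)  # "set", key, value
            if len(parts) == 3:
                key, value = parts[1], parts[2].strip('"')
                if key == "accprofile":
                    admins[current]["accprofile"] = value
                elif key.startswith("ssh-public-key"):
                    admins[current]["ssh_keys"].append(value)
    return admins


def audit(config_text, known_admins=KNOWN_ADMINS):
    """Return a list of human-readable findings for one configuration export."""
    findings = []
    platform, version = parse_version(config_text)
    ver_str = ".".join(str(n) for n in version)
    if is_affected_by_cve_2022_40684(version):
        findings.append(f"firmware {platform} FortiOS {ver_str} is in a CVE-2022-40684 affected range")
    for name, info in parse_admins(config_text).items():
        if name not in known_admins:
            findings.append(f"unexpected administrator '{name}' with profile {info['accprofile']}")
        for key in info["ssh_keys"]:
            findings.append(f"administrator '{name}' has an SSH public key configured: {key[:32]}...")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

In practice, point `audit()` at a saved backup or the output of `show full-configuration`; real exports contain many more sections, which the depth-tracking parser simply skips. A version that is already fixed does not clear a device: if the export was taken before patching, or the device's IP appears in the leak, the credential and key rotation in step 1 is still required.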



History of Fortinet Exploits

This is not the first time Fortinet devices have been targeted. In 2021, nearly 500,000 Fortinet VPN credentials were leaked due to exploitation of CVE-2018-13379. This pattern underscores the importance of timely patching and robust credential management.

Response from the Community

Beaumont plans to release a list of IP addresses from the leak to assist FortiGate administrators in assessing whether their devices were affected. Both Belsen Group and Fortinet have been contacted for comments, and updates to this story will follow as more information becomes available.


Source: bleepingcomputer.com
