
January 16, 2025

Fortinet fiasco: Rookie threat actor leaks creds for 15,000 devices


Update (January 16, 2025): Field Effect has analyzed the leaked data and can confirm that none of the IP addresses disclosed match those associated with any Field Effect client. Regardless, Field Effect encourages all users of Fortinet devices to rotate their credentials if they haven't done so since 2022.

(Original Post)

A new threat actor named ‘The Belsen Group’ has leaked configuration files, IP addresses, and VPN credentials for over 15,000 Fortinet devices. The group is offering the information for free on its newly created TOR website to promote itself and solidify its name in the memory of other hackers.

Cybersecurity analysts believe the information was obtained in 2022 via a zero-day vulnerability, designated CVE-2022-40684. This vulnerability allowed threat actors to download configuration files from vulnerable FortiGate devices. Those configuration files contain sensitive information about the compromised device, such as credentials and firewall rules, which matches the contents of the Belsen Group's leak.


Analysis of the leaked information revealed that all the compromised Fortinet devices were running FortiOS firmware 7.0.0-7.0.6 or 7.2.0-7.2.2, the latest of which was released in October 2022. However, CVE-2022-40684 was patched in FortiOS 7.2.2, so it remains a mystery how devices running that version were exploited.
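The two checks a defender wants from this paragraph and from the update above are mechanical: is any of our FortiGate appliances on a firmware build in the affected ranges, and does any of our public IP addresses appear in the leaked list? The script below is an added example, not code from Field Effect or from the article; the leaked entries and the asset inventory are constructed sample data (TEST-NET addresses), and the version ranges are the ones the article reports. A device whose IP is in the leak is flagged even if it has since been upgraded, because the exposure is the credentials in the dumped configuration, not the current firmware.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# FortiOS ranges the article reports for the leaked devices: 7.0.0-7.0.6 and 7.2.0-7.2.2.
LEAKED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((7, 0, 0), (7, 0, 6)),
    ((7, 2, 0), (7, 2, 2)),
]

# Constructed sample of what a leaked entry might look like (TEST-NET addresses, not real devices).
LEAKED_SAMPLE = [
    {"ip": "203.0.113.10", "fortios": "7.0.5"},
    {"ip": "198.51.100.7", "fortios": "7.2.2"},
]

# Constructed asset inventory for a hypothetical organisation.
ASSET_INVENTORY = [
    {"name": "fw-hq-01", "ip": "203.0.113.10", "fortios": "7.4.3"},     # appears in the leak, since upgraded
    {"name": "fw-branch-02", "ip": "192.0.2.55", "fortios": "7.0.6"},   # not in the leak, firmware in affected range
    {"name": "fw-dc-03", "ip": "192.0.2.99", "fortios": "7.4.5"},       # neither
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a FortiOS version string such as 'v7.0.5' or '7.2.2' into a comparable tuple."""
    text = text.strip().lstrip("vV")
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def in_leaked_range(version: str) -> bool:
    """True if the firmware build falls inside one of the ranges seen in the leak."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in LEAKED_RANGES)


def assess(assets: Iterable[Dict[str, str]], leaked: Iterable[Dict[str, str]]) -> List[Dict]:
    """Cross-reference an asset inventory against the leaked list and the affected firmware ranges.

    Returns one finding per asset that needs attention, with the reasons why.
    """
    leaked_ips = {ipaddress.ip_address(entry["ip"]) for entry in leaked}
    findings = []
    for asset in assets:
        reasons = []
        if ipaddress.ip_address(asset["ip"]) in leaked_ips:
            # Credentials from this device's config are public: rotate them regardless of firmware.
            reasons.append("ip_in_leak")
        if in_leaked_range(asset["fortios"]):
            # Still on a build from the affected window: upgrade and treat the config as exposed.
            reasons.append("fortios_in_leaked_range")
        if reasons:
            findings.append({"name": asset["name"], "ip": asset["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess(ASSET_INVENTORY, LEAKED_SAMPLE):
        print(f"{finding['name']} ({finding['ip']}): {', '.join(finding['reasons'])}")
```

Run against a real inventory, the leaked list would be loaded from the published data rather than the constructed sample, and a version outside the affected ranges is not proof of safety: the article itself notes that patched 7.2.2 devices appear in the dump.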

Source: Bleeping Computer

Analysis

The disclosure of this information could severely impact organizations running the devices for which configuration details have been leaked. If their credentials haven’t been changed since 2022, threat actors may now have direct access to the internal networks of affected organizations, bypassing perimeter defenses. Once inside, they could move laterally, steal sensitive information, or deploy additional malware, such as ransomware.

Furthermore, the leaked configuration files may include network architecture details, firewall rules, and administrative credentials allowing a threat actor to map the victim’s network, identify vulnerabilities, and fine-tune its attacks for maximum impact.

Fortinet devices have a long history of vulnerabilities, many of which have been exploited as zero-days. The widespread deployment of Fortinet devices, coupled with their frequent vulnerabilities, makes them an attractive target for nation-state threat actors and cybercriminals alike.

This scenario is unlikely to change unless Fortinet significantly enhances its code review and proactive vulnerability discovery practices, similar to the program Ivanti implemented last year. Until then, organizations using, or contemplating using, Fortinet devices should strongly consider more secure alternatives.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats to devices and software, including those developed by Fortinet.

Field Effect MDR users are automatically notified if Fortinet software or devices in their environment are impacted by these threats and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends that organizations rotate the administrative and VPN credentials of Fortinet devices if they haven’t done so since 2022. Additionally, they should ensure all Fortinet devices are running the latest firmware and thoroughly monitor for unusual activity, including unauthorized logins and lateral movement.
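The two recommendations that can be automated are the credential-rotation audit and the login monitoring. The script below is an added example, not Field Effect's or Fortinet's code: it flags administrative and VPN accounts whose credentials have not been rotated since the 2022 cutoff, and it scans key=value event log lines for successful admin logins from outside a trusted management network. The account list, the trusted network and the log lines are constructed sample data; the log lines imitate the key=value style of FortiGate event logs but are not captured from a device.

```python
import ipaddress
import re
from datetime import date
from typing import Dict, Iterable, List, Optional

# The article's guidance: rotate if not done since 2022, so anything rotated on or before
# this date (or never) is stale. Cutoff is an assumption derived from that guidance.
ROTATION_CUTOFF = date(2022, 12, 31)

# Constructed account inventory; last_rotated is None when no rotation was ever recorded.
ADMIN_ACCOUNTS: List[Dict] = [
    {"name": "admin", "device": "fw-hq-01", "last_rotated": date(2021, 6, 3)},
    {"name": "vpn-svc", "device": "fw-hq-01", "last_rotated": None},
    {"name": "netops", "device": "fw-branch-02", "last_rotated": date(2024, 11, 20)},
]

# Constructed: the only network from which interactive admin logins are expected.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed log lines in a FortiGate-like key=value layout (not real device output).
SAMPLE_EVENT_LOG = [
    'date=2025-01-15 time=03:12:44 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(203.0.113.77)" srcip=203.0.113.77 action="login" status="success"',
    'date=2025-01-15 time=03:13:02 type="event" subtype="system" logdesc="Admin login failed" '
    'user="admin" ui="https(203.0.113.77)" srcip=203.0.113.77 action="login" status="failed"',
    'date=2025-01-15 time=09:01:10 type="event" subtype="system" logdesc="Admin login successful" '
    'user="netops" ui="ssh(192.0.2.14)" srcip=192.0.2.14 action="login" status="success"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def stale_credentials(accounts: Iterable[Dict], cutoff: date = ROTATION_CUTOFF) -> List[str]:
    """Return 'user@device' for every account not rotated after the cutoff (or never rotated)."""
    stale = []
    for acct in accounts:
        last: Optional[date] = acct["last_rotated"]
        if last is None or last <= cutoff:
            stale.append(f"{acct['name']}@{acct['device']}")
    return stale


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def suspicious_admin_logins(lines: Iterable[str],
                            trusted_nets: List[ipaddress.IPv4Network]) -> List[Dict[str, str]]:
    """Flag successful logins whose source address is outside every trusted management network."""
    findings = []
    for line in lines:
        event = parse_kv(line)
        # Only successful interactive logins matter here; failures are noise for this check.
        if event.get("action") != "login" or event.get("status") != "success":
            continue
        src = ipaddress.ip_address(event["srcip"])
        if not any(src in net for net in trusted_nets):
            findings.append({"user": event.get("user", "?"), "srcip": str(src),
                             "time": f"{event.get('date')} {event.get('time')}"})
    return findings


if __name__ == "__main__":
    for entry in stale_credentials(ADMIN_ACCOUNTS):
        print("rotate:", entry)
    for hit in suspicious_admin_logins(SAMPLE_EVENT_LOG, TRUSTED_ADMIN_NETS):
        print("review login:", hit)
```

The login check is deliberately narrow: a successful admin login from an unexpected source is the signal most directly tied to reused leaked credentials, and it is cheap to evaluate on every event line. Lateral movement detection, which the article also recommends, needs host and network telemetry beyond the firewall's own event log.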
