Cybersecurity expert Kevin Beaumont has reported that over 15,000 FortiGate firewall configurations, including VPN credentials, have been publicly leaked by a group calling itself “Belsen Group.” This information includes usernames, passwords (some in plain text!), device management certificates, and even complete firewall rule sets.
Fortinet had previously warned in 2022 about a critical zero-day vulnerability (CVE-2022-40684) being actively exploited to target FortiGate firewalls. According to Beaumont, the leaked data appears to have been collected back in October 2022 using this vulnerability. He confirms, “Exploitation was indeed via CVE-2022–40684 based on artefacts on the device.”
The leaked data contains a comprehensive and highly sensitive trove of information:
- Full firewall configurations: Including all device management digital certificates and firewall rules.
- VPN credentials: Plaintext usernames and passwords, raising concerns about unauthorized network access.
- Device-specific data: Such as unique serial numbers, which Beaumont verified using Shodan.
What’s particularly concerning is the organization of the dump. It is categorized by country, with folders containing individual IP addresses. Each IP folder includes a full configuration file (config.conf) and a plaintext list of VPN user credentials (vpn-users.txt).
Beaumont confirms the severity of the situation, stating, “I’ve done incident response on one device at a victim org, and exploitation was indeed via CVE-2022–40684 based on artefacts on the device. I’ve also been able to verify the usernames and password seen in the dump matches the details on the device.”
Kevin Beaumont emphasizes the seriousness of the situation: “Even if you patched back in 2022, you may still have been exploited as the configs were dumped years ago and only just released.”
This release of stolen data presents a unique challenge. Organizations that patched the vulnerability after exploitation might still have their configurations exposed, leaving them vulnerable to subsequent attacks.
The group behind the leak is Belsen Group. The exact intent behind the leak remains unclear, but the consequences are undeniable: thousands of organizations are now at risk of network compromise and potential misuse of their sensitive information.
Related Posts:
- Hackers Aim at Vulnerable WebLogic Servers
- Akamai Unveils New VPN Post-Exploitation Techniques: Major Vulnerabilities Discovered in Ivanti and FortiGate VPNs
- Fortinet FortiGate Firewalls Targeted in Sophisticated Campaign Exploiting Management Interfaces
- PoC Releases for 0-day CVE-2024-21762 FortiGate SSLVPN Flaw, Over 133K Remain Vulnerable
- CVE-2023-27997: Fortinet FortiGate SSL VPN Pre-Auth RCE Vulnerability
