Configuration files for 15,000 Fortinet firewalls leaked. Are yours among them?

A threat actor has leaked configuration files (aka configs) for over 15,000 Fortinet Fortigate firewalls and associated admin and user credentials.

Leaked Fortinet configs

The collection was leaked on Monday and publicized on an underground forum by a threat actor going by “Belsen_Group”, supposedly as a free offering to fix the group’s name in the forum users’ memory.

The leaked 1.6 GB archive contains folders ordered by country, and inside each are folders named after IP addresses. Inside those are full configuration files and a txt file with a list of admin and VPN user credentials.

“Most of the FortiNet configurations, namely 1603, were captured by the attackers in Mexico, 679 in the USA and 208 in Germany,” German news outlet Heise Online revealed.

Many of the affected devices are apparently located in companies and medical practices, they found. “As many as 80 different device types can be found in the data leak, with the FortiGate Firewall 40F and 60F being the most widespread. There are also WLAN gateways and devices for installation in the server rack as well as compact devices for the desk or broom cupboard.”

What to do?

According to several researchers, the archive with the stolen config files dates back to October 2022, and it’s believed that the attackers exploited an authentication bypass FortiOS vulnerability – CVE-2022-40684 – to assemble it.

“I’ve done incident response on one device at a victim org, and exploitation was indeed via CVE-2022-40684 based on artefacts on the device. I’ve also been able to verify the usernames and passwords seen in the dump match the details on the device,” security researcher Kevin Beaumont shared.

CloudSEK researchers have downloaded the archive and have compiled the list of IP addresses that organizations can use to check whether their devices are among those that were affected.
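As an added example (not part of the original article and not CloudSEK’s tooling), the following Python script checks an organization’s own public address inventory, given as single IPs or CIDR blocks, against an affected-IP list. The two lists embedded in it are constructed placeholders from the RFC 5737 documentation ranges, not the real leaked addresses; point the script at the real files to run it for your own estate.

```python
"""Check whether any of our public IPs appear in an affected-device list.

Added example; the two lists below are constructed placeholders (RFC 5737
documentation ranges), NOT the real list of affected FortiGate addresses.
"""
import ipaddress
import sys

# Constructed stand-in for the published affected-IP list (one address per line).
AFFECTED_IPS_SAMPLE = """\
203.0.113.10
203.0.113.77
198.51.100.5
# comments and blank lines are tolerated
192.0.2.200
not-an-ip
"""

# Constructed stand-in for an organization's public address inventory:
# single addresses and CIDR blocks, e.g. exported from an asset register.
OUR_ASSETS_SAMPLE = """\
203.0.113.0/28
198.51.100.5
192.0.2.0/24
"""


def _clean_lines(text):
    """Yield non-empty lines with trailing '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_ip_list(text):
    """Return (set of ip_address objects, list of lines that failed to parse)."""
    ips, bad = set(), []
    for line in _clean_lines(text):
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            bad.append(line)  # record it instead of silently dropping it
    return ips, bad


def parse_networks(text):
    """Parse an inventory of IPs and/or CIDRs into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(line, strict=False) for line in _clean_lines(text)]


def find_exposed(affected_ips, asset_networks):
    """Map each affected IP that falls inside one of our networks to that network."""
    hits = {}
    # sort by (version, numeric value) so mixed v4/v6 sets do not raise on comparison
    for ip in sorted(affected_ips, key=lambda a: (a.version, int(a))):
        for net in asset_networks:
            if ip.version == net.version and ip in net:
                hits[str(ip)] = str(net)
                break
    return hits


def check(affected_text, assets_text):
    """Return ({affected_ip: our_network}, [unparseable affected-list lines])."""
    affected, bad = parse_ip_list(affected_text)
    return find_exposed(affected, parse_networks(assets_text)), bad


if __name__ == "__main__":
    # Real use: python check_exposure.py affected_ips.txt our_public_ranges.txt
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            affected_text = f.read()
        with open(sys.argv[2]) as f:
            assets_text = f.read()
    else:
        affected_text, assets_text = AFFECTED_IPS_SAMPLE, OUR_ASSETS_SAMPLE
    hits, bad = check(affected_text, assets_text)
    for ip, net in hits.items():
        print(f"AFFECTED: {ip} is inside our block {net}")
    if bad:
        print(f"skipped {len(bad)} unparseable line(s): {bad}")
    print(f"{len(hits)} affected address(es) fall inside our inventory")
```

A match only tells you that an address you own appeared in the dump; because the data is from 2022 and addresses get reassigned, treat a hit as a trigger for the credential rotation and forensic review described below, not as proof of current compromise, and treat a miss as no more than the absence of a match against that particular list.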

“Exposure of usernames and passwords (some in plaintext) enables attackers to directly access sensitive systems. Even if organizations patched this CVE in 2022 after the patch was released by Fortigate, they still need to check for signs of compromise, as this was a zero-day,” the researchers noted.

Firewall rules can reveal internal network structures, potentially enabling attackers to bypass defenses, they added. “Breached digital certificates could allow unauthorized device access or impersonation in secure communications.”

They have advised organizations to update all device and VPN credentials, review firewall rules for exploitable weaknesses and tighten access controls, revoke and replace all exposed digital certificates to restore secure communications and, finally, do a forensic investigation to check whether the devices have been or are still compromised.

They posit that the Belsen Group used the leaked information itself, or sold it on to other attackers, before leaking it.

“Belsen Group may seem new to the forums, but based on the data leaked by them, we can ascertain with high confidence that they’ve been around for at least 3 years now. They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet,” they concluded.

UPDATE (January 17, 2025, 08:45 a.m. ET):

According to Fortinet, it’s “highly likely” that the leaked data was obtained by leveraging CVE-2022-40684 to achieve initial access to targeted devices, and CVE-2018-13379 to extract sensitive data from them.

“The threat actor has leaked data obtained in dated campaigns that has been aggregated to appear like a new disclosure. Our analysis of the devices in question show that the majority have long since upgraded to newer versions,” the company said.

“Whilst this data is several years old and the IP addresses have been observed to no longer be relevant in many cases, we will be reaching out to any customers, where identified, to recommend to review configurations.”

Beaumont has analyzed the leaked data, which covers 15,474 FortiOS devices, and found that the majority of the data is related to “SMBs using telco or business leased line services,” but there is some associated with large companies and governments.

Conspicuously missing is data related to devices in Iran and Russia, he also pointed out.

UPDATE (January 23, 2025, 10:20 a.m. ET):

Beaumont has listed the IP and email addresses extracted from the leaked configs, and security researcher Florian Roth has sorted the associated domains by TLD.

“Some of these domains may just be the domains of free email services or services providers working for the actual victims,” Roth noted, but both lists can come in handy to organizations that have added a corporate email address to the config files.

“One other side effect of the FortiGate config incident is there’s several thousand site to site IPsec VPN configs allowing you to straight up join to the internal network of large orgs,” Beaumont added. “So even if you weren’t popped, the threat actor can pop up on your network.”
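To turn the remediation advice above (rotate admin and VPN credentials, revoke exposed certificates, review access controls) and Beaumont’s point about site-to-site IPsec tunnels into a concrete checklist, here is an added Python example, not from the article, Fortinet or any of the researchers quoted. It parses a FortiGate configuration’s `config` / `edit` / `set` / `next` / `end` structure into nested dictionaries and inventories the objects whose secrets a leaked config exposes: admin accounts (flagging those with no `trusthost` restriction, which are reachable from any source IP), local VPN users, local certificates and IPsec phase1 tunnels with their pre-shared keys. The embedded config is constructed and every `ENC` value is a placeholder; the table and key names used (`system admin`, `user local`, `vpn certificate local`, `vpn ipsec phase1-interface`, `psksecret`, `remote-gw`) are standard FortiOS CLI syntax.

```python
"""Inventory a FortiGate config for credentials and secrets that must be rotated.

Added example. The sample config below is constructed; every ENC value is a
placeholder, not a real password hash or key.
"""
import shlex

SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.12-FW-build0523:opmode=0:vdom=0
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER_HASH
    next
    edit "itops"
        set trusthost1 192.0.2.0 255.255.255.0
        set accprofile "prof_admin"
        set password ENC PLACEHOLDER_HASH
    next
end
config user local
    edit "vpn.alice"
        set type password
        set passwd ENC PLACEHOLDER_HASH
    next
end
config vpn certificate local
    edit "corp-vpn-cert"
        set comments "issued by internal CA"
    next
end
config vpn ipsec phase1-interface
    edit "to-branch-office"
        set interface "wan1"
        set remote-gw 198.51.100.77
        set psksecret ENC PLACEHOLDER_PSK
    next
end
"""


def parse_fortigate_config(text):
    """Parse FortiOS config/edit/set/next/end syntax into nested dicts.

    A block has up to three keys: 'config' -> {table path: block},
    'entries' -> {edit name: block}, 'set' -> {key: [values]}.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    pos = 0

    def parse_block():
        nonlocal pos
        block = {}
        while pos < len(lines):
            line = lines[pos]
            pos += 1
            if not line or line.startswith("#"):
                continue
            tokens = shlex.split(line)  # honours the quoting FortiOS uses for names/values
            kw = tokens[0]
            if kw == "config":
                block.setdefault("config", {})[" ".join(tokens[1:])] = parse_block()
            elif kw == "edit":
                block.setdefault("entries", {})[tokens[1]] = parse_block()
            elif kw == "set":
                block.setdefault("set", {})[tokens[1]] = tokens[2:]
            elif kw == "unset":
                block.setdefault("set", {}).pop(tokens[1], None)
            elif kw in ("next", "end"):
                return block  # 'next' closes an edit item, 'end' closes a table
        return block

    return parse_block()


def _entries(cfg, table):
    return cfg.get("config", {}).get(table, {}).get("entries", {})


def inventory(cfg):
    """Collect the objects whose secrets a leaked config would expose."""
    report = {"admins": [], "local_users": [], "local_certs": [], "ipsec_tunnels": []}
    for name, entry in _entries(cfg, "system admin").items():
        s = entry.get("set", {})
        report["admins"].append({
            "name": name,
            "profile": s.get("accprofile", [""])[0],
            # no trusthostN line means the account accepts logins from any source IP
            "trusthost_restricted": any(k.startswith("trusthost") for k in s),
        })
    report["local_users"] = list(_entries(cfg, "user local"))
    report["local_certs"] = list(_entries(cfg, "vpn certificate local"))
    for name, entry in _entries(cfg, "vpn ipsec phase1-interface").items():
        s = entry.get("set", {})
        report["ipsec_tunnels"].append({
            "name": name,
            "remote_gw": s.get("remote-gw", [""])[0],
            "auth": "psk" if "psksecret" in s else "certificate",
        })
    return report


def rotation_checklist(report):
    """Turn the inventory into concrete follow-up actions, one per secret."""
    actions = []
    for a in report["admins"]:
        note = "" if a["trusthost_restricted"] else " (no trusthost restriction: add one)"
        actions.append(f"rotate admin password: {a['name']} [{a['profile']}]{note}")
    actions += [f"rotate VPN user password: {u}" for u in report["local_users"]]
    actions += [f"revoke and reissue certificate: {c}" for c in report["local_certs"]]
    for t in report["ipsec_tunnels"]:
        actions.append(f"rotate IPsec {t['auth']} for tunnel {t['name']} (peer {t['remote_gw']})")
    return actions


if __name__ == "__main__":
    for action in rotation_checklist(inventory(parse_fortigate_config(SAMPLE_CONFIG))):
        print(action)
```

Run it against a real backup (`parse_fortigate_config(open("fw.conf").read())`) to get the list of accounts, users, certificates and tunnels to rotate; the IPsec entries are the ones that matter for Beaumont’s point, since a pre-shared key in a leaked config lets the peer tunnel be rebuilt until it is changed on both ends.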
