Configuration files for 15,000 Fortinet firewalls leaked. Are yours among them?

A threat actor has leaked configuration files (aka configs) for over 15,000 Fortinet FortiGate firewalls, along with the associated admin and VPN user credentials.

Leaked Fortinet configs

The collection was leaked on Monday and publicized on an underground forum by a threat actor going by the name “Belsen_Group”, supposedly as a free offering to cement the group’s name in the forum users’ memory.

The leaked 1.6 GB archive contains folders ordered by country, and inside each are folders named after IP addresses. Inside those are the full configuration file of the device and a .txt file listing its admin and VPN user credentials.

“Most of the FortiNet configurations, namely 1603, were captured by the attackers in Mexico, 679 in the USA and 208 in Germany,” German news outlet Heise Online revealed.

Many of the affected devices are apparently located in companies and medical practices, they found. “As many as 80 different device types can be found in the data leak, with the FortiGate Firewall 40F and 60F being the most widespread. There are also WLAN gateways and devices for installation in the server rack as well as compact devices for the desk or broom cupboard.”

What to do?

According to several researchers, the archive with the stolen config files dates back to October 2022, and it’s believed that the attackers exploited an authentication bypass vulnerability in FortiOS – CVE-2022-40684 – to assemble it.

“I’ve done incident response on one device at a victim org, and exploitation was indeed via CVE-2022-40684 based on artefacts on the device. I’ve also been able to verify the usernames and passwords seen in the dump match the details on the device,” security researcher Kevin Beaumont shared.

CloudSEK researchers have downloaded the archive and compiled a list of the affected IP addresses, which organizations can use to check whether their devices are among those hit.

“Exposure of usernames and passwords (some in plaintext) enables attackers to directly access sensitive systems. Even if organizations patched this CVE in 2022 after the patch was released by Fortigate, they still need to check for signs of compromise, as this was a zero-day,” the researchers noted.

Firewall rules can reveal internal network structures, potentially enabling attackers to bypass defenses, they added. “Breached digital certificates could allow unauthorized device access or impersonation in secure communications.”

They have advised organizations to update all device and VPN credentials, review firewall rules for exploitable weaknesses and tighten access controls, revoke and replace all exposed digital certificates to restore secure communications and, finally, do a forensic investigation to check whether the devices have been or are still compromised.
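The two checks above that lend themselves to automation are cross-referencing your own firewall inventory against the published list of exposed IP addresses, and enumerating every admin and local VPN account in your own config backup so that none is missed when credentials are rotated. The script below is an added example written for this article; it is not code from CloudSEK, Fortinet or the original author. The exposed-IP list and the FortiGate config excerpt are constructed placeholders (documentation-range addresses, `ENC REDACTED` in place of password hashes), and the parser only relies on the `config ... / edit "name" ... / next / end` block structure of FortiOS configs.

```python
import ipaddress

# Constructed placeholder list of exposed device IPs (NOT the real CloudSEK list).
EXPOSED_IPS = """
# one address per line, comments allowed
203.0.113.7
203.0.113.42
198.51.100.19
"""

# Constructed inventory: device name -> public IP or CIDR of its WAN interface.
INVENTORY = {
    "fw-hq-60f": "203.0.113.42",
    "fw-branch-40f": "198.51.100.0/27",
    "fw-lab": "192.0.2.10",
}

# Constructed excerpt in FortiOS config syntax; hashes replaced with ENC REDACTED.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-hq-60f"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
end
config user local
    edit "vpn-alice"
        set type password
        set passwd ENC REDACTED
    next
end
"""


def parse_exposed(text):
    """Parse a newline-separated IP list, skipping blanks, comments and junk."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # tolerate malformed lines rather than abort the check
    return ips


def find_affected(inventory, exposed):
    """Return {device: [exposed IPs]} for inventory entries (IP or CIDR) that overlap the list."""
    hits = {}
    for name, addr in inventory.items():
        net = ipaddress.ip_network(addr, strict=False)
        matches = sorted(str(ip) for ip in exposed if ip in net)
        if matches:
            hits[name] = matches
    return hits


def list_accounts(config_text):
    """Return {section: [account names]} for the sections whose credentials need rotating.

    Tracks nesting depth so that sub-blocks inside an 'edit' entry do not
    confuse the top-level section detection.
    """
    wanted = {"config system admin", "config user local"}
    accounts = {}
    current = None
    depth = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1 and line in wanted:
                current = line
                accounts[current] = []
        elif line == "end":
            depth -= 1
            if depth == 0:
                current = None
        elif current and depth == 1 and line.startswith("edit "):
            accounts[current].append(line[5:].strip().strip('"'))
    return accounts


if __name__ == "__main__":
    for device, ips in find_affected(INVENTORY, parse_exposed(EXPOSED_IPS)).items():
        print(f"AFFECTED: {device} -> {', '.join(ips)}")
    for section, names in list_accounts(SAMPLE_CONFIG).items():
        print(f"rotate credentials in '{section}': {', '.join(names)}")
```

A match on the IP list is a reason to start the forensic investigation the researchers recommend, not proof of compromise on its own; conversely, a device that has changed public address since 2022 will not match even if it was harvested, so the account rotation should be applied to every device that ran a vulnerable FortiOS build at the time, not only to those that match.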

They posit that the Belsen Group either used the leaked information themselves or sold it on to other attackers before leaking it.

“Belsen Group may seem new to the forums, but based on the data leaked by them, we can ascertain with high confidence that they’ve been around for at least 3 years now. They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet,” they concluded.
