15K Fortinet Device Configs Leaked to the Dark Web

The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.

Dated configuration data and virtual private network (VPN) credentials for 15,474 Fortinet devices have been posted for free to the Dark Web.

On Jan. 14, Fortinet disclosed a severe authentication bypass vulnerability in its FortiOS operating system and FortiProxy Web gateway, CVE-2024-55591. For a model of what the aftermath of such a vulnerability could look like, one need only look to a parallel bug from October 2022 that’s still making waves today.

Back then, Fortinet published an urgent security warning regarding CVE-2022-40684, an equivalent authentication bypass vulnerability affecting FortiOS, FortiProxy, and the autological FortiSwitchManager. Earning a “critical” 9.8 rating in the Common Vulnerability Scoring System (CVSS), it allowed any unauthenticated attacker to perform administrative operations on vulnerable devices via specially crafted HTTP requests. In the wake of that disclosure, security researchers developed a proof-of-concept (PoC) exploit, a template for scanning for vulnerable devices, and watched as exploitation attempts climbed and climbed.

On the same day CVE-2024-55591 was disclosed this week, a threat actor with the nom de guerre “Belsen Group” released data belonging to more than 15,000 Fortinet devices. In a blog post, the CloudSEK researchers who spotted it assessed that the data had been stolen thanks to CVE-2022-40684, likely when that bug was still a zero-day. Now, they wrote, “Once they exhausted its use for themselves (either by selling or using the access), the threat actor(s) decided to leak it in 2025.”

Possible Clues to Belsen Group’s Origins

“2025 will be a fortunate year for the world,” the Belsen Group wrote in its post to the cybercrime site BreachForums (while conveniently omitting that its data had been gathered more than two years ago). The 1.6GB file it dumped on its onion website is accessible free of charge, and organized neatly in folders first by country, then by IP address and firewall port number.

Affected devices appear to be spread across every continent, with the highest concentration in Belgium, Poland, the US, and the UK, each with more than 20 victims.

On the flip side, security researcher Kevin Beaumont (aka GossiTheDog) noted in a blog post that every country in which Fortinet has a presence is represented in the data, except one: Iran, despite the fact that Shodan shows nearly 2,000 reachable Fortinet devices in that country today. Furthermore, there is just one affected device in the entirety of Russia, and technically it’s in Ukraine’s annexed Crimea region.

These data points may be unimportant, or they may hold clues for attributing the Belsen Group. It appears to have popped up this month, though CloudSEK concluded “with high confidence” that it has been around for at least three years now, and that “They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet.”

What’s the Cyber-Risk?

The leaked listings contain two types of folders. The first, “config.conf,” contains affected device configurations: IP addresses, usernames and passwords, device management certificates, and all of the affected organization’s firewall rules. This data was stolen via CVE-2022-40684. In the other folder, “vpn-password.txt,” are SSL-VPN credentials. According to Fortinet, these credentials were sourced from devices via an even older path traversal vulnerability, CVE-2018-13379.
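For defenders, the practical question is whether any of their own devices appear in a dump laid out as the article describes (folders by country, then by IP address and port, each holding a config.conf and/or a vpn-password.txt) and, if so, which accounts to rotate. The triage script below is an added example, not code from the article, Fortinet, CloudSEK or Beaumont; it assumes the device folder is named `<ip>_<port>`, that config.conf uses the FortiOS-style `config system admin ... end` block syntax, and that vpn-password.txt carries one `user:secret` line per account (the last point is an assumption, since the article does not give that file's format). The sample tree is constructed.

```python
import ipaddress, pathlib, re, tempfile

# Constructed sample dump, not real leaked data: <country>/<ip>_<port>/files.
SAMPLE_TREE = {
    "BE/203.0.113.7_10443/config.conf": (
        'config system admin\n    edit "admin"\n        set accprofile "super_admin"\n'
        '        set password ENC constructed-blob==\n    next\n    edit "netops"\n'
        '        set password ENC constructed-blob-2==\n    next\nend\n'
    ),
    "BE/203.0.113.7_10443/vpn-password.txt": "alice:xxxxxxxx\nbob:xxxxxxxx\n",
    "PL/198.51.100.9_443/config.conf": 'config system admin\n    edit "admin"\n    next\nend\n',
}

def admin_accounts(config_text):
    """Usernames from the FortiOS-style 'config system admin' block only."""
    block = re.search(r"^config system admin\n(.*?)^end", config_text, re.S | re.M)
    return re.findall(r'^\s*edit "([^"]+)"', block.group(1), re.M) if block else []

def vpn_users(vpn_text):
    """Assumed format: one 'user:secret' line per SSL-VPN account; returns usernames only."""
    return [line.split(":", 1)[0] for line in vpn_text.splitlines() if line.strip()]

def exposed_devices(root, own_prefixes):
    """Walk the dump; report devices whose folder IP falls inside own_prefixes."""
    nets = [ipaddress.ip_network(p) for p in own_prefixes]
    findings = []
    for dev_dir in sorted(p for p in pathlib.Path(root).glob("*/*") if p.is_dir()):
        ip_str, _, port = dev_dir.name.rpartition("_")
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # folder name not in the expected <ip>_<port> form
        if not any(ip in n for n in nets):
            continue  # someone else's device; nothing for us to rotate
        conf, vpn = dev_dir / "config.conf", dev_dir / "vpn-password.txt"
        findings.append({
            "country": dev_dir.parent.name, "ip": str(ip), "port": int(port or 0),
            "admins": admin_accounts(conf.read_text()) if conf.exists() else [],
            "vpn_users": vpn_users(vpn.read_text()) if vpn.exists() else [],
        })
    return findings

def demo():
    """Materialise SAMPLE_TREE on disk and triage it for one organisation's prefix."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_TREE.items():
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return exposed_devices(root, ["203.0.113.0/24"])
```

Calling `demo()` returns one finding for the Belgian device in the organisation's 203.0.113.0/24 range, listing the `admin` and `netops` administrators and the `alice` and `bob` SSL-VPN users whose credentials need rotating; the Polish device outside that range is ignored. Point `exposed_devices` at a real dump root and your own prefixes to run it for real.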

Though the data is all rather aged by now, Beaumont wrote, “Having a full device config including all firewall rules is … a lot of information.” CloudSEK, too, cited the risk that leaked firewall configurations can reveal information about organizations’ internal network structures that may still apply today.
