Saturday, February 15, 2025
Hackers leak configs and VPN credentials for 15,000 FortiGate units

A new hacking group has leaked the configuration files, IP addresses, and VPN credentials for over 15,000 FortiGate devices for free on the dark web, exposing a great deal of sensitive technical information to other cybercriminals.

The data was leaked by the "Belsen Group," a new hacking group that first appeared on social media and cybercrime forums this month. To promote themselves, the Belsen Group created a Tor website where they released the FortiGate data dump for free, to be used by other threat actors.

"At the beginning of the year, and as a positive start for us, and in order to solidify the name of our group in your memory, we are proud to announce our first official operation: the publication of sensitive data from over 15,000 targets worldwide (both governmental and private sectors) which have been hacked and their data extracted," reads a hacking forum post.

Post on hacking forum
Source: BleepingComputer

The FortiGate leak consists of a 1.6 GB archive containing folders ordered by country. Each folder contains further subfolders, one for each FortiGate's IP address in that country.

IP address folder for FortiGate devices and their configs
Source: Beaumont

According to cybersecurity expert Kevin Beaumont, each IP address folder has a configuration.conf (FortiGate config dump) and a vpn-passwords.txt file, with some of the passwords in plain text. The configs also contain sensitive information, such as private keys and firewall rules.

In a blog post about the FortiGate leak, Beaumont says that the leak is believed to be linked to a 2022 zero-day tracked as CVE-2022-40684 that was exploited in attacks before a fix was released.

"I've done incident response on one device at a victim org, and exploitation was indeed via CVE-2022-40684 based on artefacts on the device. I've also been able to verify the usernames and password seen in the dump matches the details on the device," explains Beaumont.

"The data appears to have been assembled in October 2022, as a zero day vuln. For some reason, the data dump of config has been released today, just over 2 years later."

In 2022, Fortinet warned that threat actors were exploiting a zero-day tracked as CVE-2022-40684 to download config files from targeted FortiGate devices and then add a malicious super_admin account called 'fortigate-tech-support'.

CVE-2022-40684 attack adding the rogue admin account
Source: Fortinet

German news site Heise analyzed the data leak and also said that it was gathered in 2022, with all devices running FortiOS firmware 7.0.0-7.0.6 or 7.2.0-7.2.2.

"All devices were equipped with FortiOS 7.0.0-7.0.6 or 7.2.0-7.2.2, most with version 7.2.0. We did not find any FortiOS version in the data trove that was newer than version 7.2.2, released on October 3, 2022," Heise reported.

However, FortiOS 7.2.2 fixed the CVE-2022-40684 flaw, so it is unclear how devices running that version could have been exploited with this vulnerability.

Even though these configuration files were collected in 2022, Beaumont warns that they still expose a lot of sensitive information about a network's defenses.

This includes firewall rules and credentials that, if not changed at the time, should be changed immediately now that the data has been released to a broader pool of threat actors.

Beaumont says that he plans to release a list of the IP addresses in the leak so FortiGate admins can know whether the leak affected them.

In 2021, a threat actor leaked almost 500,000 Fortinet VPN credentials that had been collected using the CVE-2018-13379 vulnerability.

BleepingComputer also reached out to both the threat actors and Fortinet with questions about the leak and will update the story if we receive a response.
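For an admin who needs to triage such a dump, the country/IP folder layout and the configuration.conf header described above are enough to build an IP-to-firmware index and match it against their own address ranges. The following is an added example (not code from the article, Beaumont or Heise); it reads only the first header line of each config, never vpn-passwords.txt, and the sample dump, its IPs and build strings are constructed for illustration.

```python
# Added example (not from the article, Beaumont or Heise): index a dump laid out as
# <country>/<ip>/configuration.conf, reading only each config's '#config-version='
# header (never vpn-passwords.txt), so an admin can check whether their addresses appear.
import ipaddress
import os
import re
import tempfile

HEADER_RE = re.compile(r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<ver>\d+\.\d+\.\d+)-")
def parse_version(first_line):
    """Return (model, (major, minor, patch)) from a FortiOS config header, else None."""
    m = HEADER_RE.match(first_line)
    return (m.group("model"), tuple(int(x) for x in m.group("ver").split("."))) if m else None

def vulnerable_to_cve_2022_40684(ver):
    """Affected FortiOS builds: 7.0.0-7.0.6 and 7.2.0-7.2.1 (fixed in 7.0.7 and 7.2.2)."""
    return (7, 0, 0) <= ver <= (7, 0, 6) or (7, 2, 0) <= ver <= (7, 2, 1)

def index_dump(root):
    """Walk <country>/<ip>/configuration.conf; return {ip: (country, model, version)}."""
    index = {}
    for country in os.listdir(root):
        cdir = os.path.join(root, country)
        for ip in (os.listdir(cdir) if os.path.isdir(cdir) else []):
            try:
                ipaddress.ip_address(ip)  # folder name must be an IP address
                with open(os.path.join(cdir, ip, "configuration.conf"), errors="replace") as fh:
                    parsed = parse_version(fh.readline())
            except (ValueError, OSError):  # not an IP folder, or no configuration.conf
                continue
            if parsed:
                index[ip] = (country, parsed[0], parsed[1])
    return index

def exposed_in_my_ranges(index, my_networks):
    """Dump IPs that fall inside the admin's own address ranges (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    return sorted((ip for ip in index if any(ipaddress.ip_address(ip) in n for n in nets)),
                  key=ipaddress.ip_address)

def build_sample_dump():
    """Constructed miniature of the leak layout (documentation IPs, made-up build strings)."""
    root = tempfile.mkdtemp()
    samples = {("US", "203.0.113.5"): "FGT60F-7.2.0-FW-build1255-220331",
               ("DE", "198.51.100.9"): "FGT100F-7.0.5-FW-build0304-220425",
               ("DE", "198.51.100.10"): "FGT60E-7.2.2-FW-build1371-220922"}
    for (country, ip), build in samples.items():
        os.makedirs(os.path.join(root, country, ip))
        with open(os.path.join(root, country, ip, "configuration.conf"), "w") as fh:
            fh.write(f"#config-version={build}:opmode=0:vdom=0:user=admin\n")
    return root
```

Point `index_dump` at the unpacked archive instead of `build_sample_dump()` and pass your public CIDR ranges to `exposed_in_my_ranges` to get the list of your devices whose configs are in the dump.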
