Hackers Exploit Fortigate 0-Day and Leaked 15,000+ Firewall Configs & Passwords


Jan 16, 2025 - 05:07

A hacking collective known as the “Belsen Group” has released over 15,000 unique FortiGate firewall configurations online.

The data dump, reportedly obtained by exploiting a zero-day vulnerability in Fortinet’s systems back in October 2022, includes sensitive information such as usernames, passwords (some in plaintext), device management certificates, and complete firewall rules.

The leaked data was made available for free on a dark web forum and appears to be authentic. Each folder in the dump is organized by country and contains subfolders named after IP addresses.

15,000 unique FortiGate firewalls online (Source: Kevin Beaumont)

These folders house two critical files: config.conf, which holds the full configuration of the FortiGate device, and vpn-users.txt, which lists VPN credentials in plaintext.
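Because the dump is organised as country folder, then a folder named after the device's IP address, then the two files, a defender's first question is simply "do any of my addresses appear?". The script below is an added example, not code from the article or from Kevin Beaumont: it takes a relative file listing of that layout (constructed here; the real dump may differ in detail), skips entries that are not shaped as country/IP/file, and reports which leaked IPs fall inside the organisation's own networks, without opening config.conf or vpn-users.txt at all. The country codes, addresses and networks are documentation values.

```python
"""Map the described dump layout (country/IP/{config.conf,vpn-users.txt}) onto an
organisation's own address ranges.

Added example; not the article's or Beaumont's code. SAMPLE_LISTING and OUR_NETWORKS
are constructed.
"""
import ipaddress
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed listing that follows the layout the article describes.
SAMPLE_LISTING = [
    "US/203.0.113.5/config.conf",
    "US/203.0.113.5/vpn-users.txt",
    "DE/198.51.100.20/config.conf",
    "DE/198.51.100.20/vpn-users.txt",
    "FR/192.0.2.77/config.conf",
    "FR/not-an-ip/config.conf",   # malformed entry that must be skipped
    "README.txt",                 # stray top-level file, not a device folder
]

# Address space the defender is responsible for (constructed).
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("192.0.2.64/26")]


def index_dump(paths):
    """Return {ip_string: {"ip": IPv4Address, "country": str, "files": set}}."""
    index = {}
    for raw in paths:
        parts = PurePosixPath(raw).parts
        if len(parts) != 3:          # expect exactly country/ip/file
            continue
        country, ip_text, filename = parts
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue                 # folder name is not an IP address; ignore it
        entry = index.setdefault(str(ip), {"ip": ip, "country": country, "files": set()})
        entry["files"].add(filename)
    return index


def matches_for(index, networks):
    """Leaked IPs that fall inside any of our networks, sorted numerically."""
    hits = [e["ip"] for e in index.values() if any(e["ip"] in net for net in networks)]
    return [str(ip) for ip in sorted(hits)]


def per_country(index):
    """Number of leaked devices under each country folder."""
    counts = defaultdict(int)
    for entry in index.values():
        counts[entry["country"]] += 1
    return dict(counts)


if __name__ == "__main__":
    idx = index_dump(SAMPLE_LISTING)
    print("devices per country:", per_country(idx))
    for ip in matches_for(idx, OUR_NETWORKS):
        files = ", ".join(sorted(idx[ip]["files"]))
        print(f"{ip} ({idx[ip]['country']}) appears in the dump with: {files}")
```

A hit means the device's full configuration and VPN user list should be treated as public: rotate every credential and certificate in them rather than only confirming the firmware is patched. Feed the script the listing from the published IP list instead of the dump itself if you prefer not to handle the leaked files.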

Cybersecurity researcher Kevin Beaumont confirmed the leak’s legitimacy by cross-referencing serial numbers from the data with devices listed on Shodan, a search engine for internet-connected devices.


Beaumont also verified that usernames and passwords from the dump matched details on compromised devices he analyzed during incident response efforts.

IP Address Leaked (Source: Kevin Beaumont)

The Belsen Group claimed responsibility for this breach, marking it as their first major operation. Their announcement ominously stated that “2025 will be a fortunate year for the world,” suggesting further cyber campaigns may follow.

Exploitation of CVE-2022-40684

The breach traces back to CVE-2022-40684, a critical authentication bypass vulnerability in Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager products.

This flaw allowed attackers to bypass administrative authentication using specially crafted HTTP or HTTPS requests. Fortinet first disclosed the vulnerability in October 2022; it carries a CVSS score of 9.8, rated critical.

At the time, Fortinet urged users to patch their systems immediately by upgrading to secure versions of their software. However, it appears that attackers exploited this flaw before many organizations could apply the patch.

The firmware versions affected by the critical Fortinet authentication bypass vulnerability, CVE-2022-40684, include the following:

  1. FortiOS:
    • Versions 7.0.0 through 7.0.6
    • Versions 7.2.0 through 7.2.1
  2. FortiProxy:
    • Versions 7.0.0 through 7.0.6
    • Version 7.2.0
  3. FortiSwitchManager:
    • Versions 7.0.0 and 7.2.0

Recommended Firmware Updates

To mitigate the vulnerability, Fortinet recommends upgrading to the following secure versions:

  • FortiOS: version 7.2.2 or above, and version 7.0.7 or above.
  • FortiProxy: version 7.2.1 or above, and version 7.0.7 or above.
  • FortiSwitchManager: version 7.2.1 or above, and version 7.0.1 or above.
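The affected ranges and fixed releases above are easy to misread across three products and two branches each, so here is an added example (not Fortinet tooling) that encodes exactly those ranges and triages an inventory of version strings against them. The hostnames and versions in SAMPLE_FLEET are constructed. Note the caveat built into the code: a version outside the listed ranges is reported as "not affected by this table", which is not the same as "safe", and the script says nothing about whether a device's configuration was already stolen before it was patched.

```python
"""Triage FortiOS / FortiProxy / FortiSwitchManager versions against the
CVE-2022-40684 ranges quoted above. Added example; ranges transcribed from the
article, inventory constructed.
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected (inclusive) ranges per product, as listed in the article.
AFFECTED = {
    "FortiOS":            [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy":         [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}

# First fixed release on each affected branch (major.minor -> fixed version).
FIXED = {
    "FortiOS":            {(7, 0): (7, 0, 7), (7, 2): (7, 2, 2)},
    "FortiProxy":         {(7, 0): (7, 0, 7), (7, 2): (7, 2, 1)},
    "FortiSwitchManager": {(7, 0): (7, 0, 1), (7, 2): (7, 2, 1)},
}


def parse_version(text: str) -> Version:
    """Parse 'v7.0.6', '7.0.6' or '7.0.6 build1234' into a comparable tuple."""
    core = text.strip().lstrip("vV").split()[0]   # drop any build suffix
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if the version lies inside one of the listed affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def recommended_fix(product: str, version: str) -> Optional[str]:
    """Fixed release on the device's own branch, or None if not in the table."""
    if not is_affected(product, version):
        return None
    v = parse_version(version)
    return ".".join(str(n) for n in FIXED[product][v[:2]])


def triage(fleet):
    """(host, product, version, fix) for every device the table flags."""
    findings = []
    for host, product, version in fleet:
        fix = recommended_fix(product, version)
        if fix:
            findings.append((host, product, version, fix))
    return findings


# Constructed inventory; none of these hosts or versions come from the article.
SAMPLE_FLEET = [
    ("fw-branch-01", "FortiOS", "v7.0.5"),
    ("fw-hq-01",     "FortiOS", "7.0.7"),             # already on the fixed release
    ("fw-dc-02",     "FortiOS", "7.2.1 build1255"),
    ("proxy-01",     "FortiProxy", "7.2.0"),
    ("proxy-02",     "FortiProxy", "7.2.1"),
    ("fsm-01",       "FortiSwitchManager", "7.0.0"),
    ("fw-legacy",    "FortiOS", "6.4.9"),             # outside the listed ranges
]

if __name__ == "__main__":
    for host, product, version, fix in triage(SAMPLE_FLEET):
        print(f"{host}: {product} {version} affected by CVE-2022-40684; upgrade to {fix} or above")
```

Run it against an export from your asset inventory; anything it flags needs the upgrade, and anything it flags that was internet-exposed in late 2022 should additionally be assumed to have had its configuration taken.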

The leaked data suggests that the configurations were exfiltrated in late 2022 but were only made public now, more than two years later.

The release of these configurations poses severe risks to affected organizations:

  • Exposure of Credentials: Plaintext VPN credentials and usernames could allow attackers to gain unauthorized access to networks.
  • Firewall Rules: Detailed firewall rules provide attackers with insights into network architecture and security policies.
  • Device Certificates: Leaked certificates could facilitate man-in-the-middle attacks or other forms of impersonation.
  • Persistent Threats: Even organizations that patched CVE-2022-40684 back in 2022 may still be exposed if their configurations were stolen before the patch was applied, since the leaked credentials and certificates remain usable until they are rotated.

Security experts warn that this level of exposure could lead to widespread exploitation across both governmental and private sectors globally.

Kevin Beaumont has said he plans to publish a list of affected IP addresses so organizations can determine whether they are impacted. Meanwhile, cybersecurity professionals stress the importance of proactive measures, as attackers are likely already exploiting this treasure trove of data.

Organizations using Fortinet products must act swiftly to mitigate risks from this breach while remaining vigilant against future exploits targeting exposed configurations.

The post Hackers Exploit Fortigate 0-Day and Leaked 15,000+ Firewall Configs & Passwords appeared first on Cyber Security News.