FortiGate config leaks: Victims' email addresses published online

Experts warn not to take SNAFU lightly as years-long compromises could remain undetected


Thousands of email addresses included in the Belsen Group's dump of FortiGate configs last week are now available online, revealing which organizations may have been impacted by the 2022 zero-day exploits.

Infosec expert Kevin Beaumont uploaded the IP and email addresses associated with the leaked FortiGate configs to GitHub, while fellow researcher Florian Roth separately extracted them and grouped them via top-level domains (TLDs).

Beaumont said the aim here was to provide defenders with the information they need to identify which organizations may have been impacted and require further investigation. However, not everyone will include their email addresses in config files, so the resource won't help every victim.

According to Roth's grouped data, a smidge under 5,000 organizations' domains were included in, and may benefit from, Beaumont's publication.

However, onlookers in the security community, such as one Group-IB threat intelligence analyst, said the list isn't exhaustive and doesn't capture all the emails included in the leak.

The victim list that was published is truly global, however. A few simple CTRL+Fs reveal a selection of major, high-profile organizations are included, as well as a bevy of domains tied to governments around the world.

The Register contacted some of the more notable inclusions in the data for a response.

A reminder for those who missed last week's leak: A new band of baddies going by the name of The Belsen Group leaked around 15,000 FortiGate config files online. These were stolen during the 2022 zero-day exploitation of CVE-2022-40684.

Beaumont warned at the time that passwords, some of which were stored in plain text, were - in a portion of cases - also included in the leak, and naturally he withheld these from the data published this week.

Having an attacker in possession of an organization's firewall configs is not a desirable situation. With these, miscreants can identify weaknesses in networks that can be exploited for various types of attacks which could include data theft and backdoor implantation.

Fortinet confirmed The Belsen Group's leak was genuine and responded to the news by saying that most impacted organizations should be safe from any further exploitation provided they follow security best practices.

"If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization's current config or credential detail in the threat actor's disclosure is small," said the vendor.

"We continue to strongly recommend that organizations take the recommended actions, if they have not already, to improve their security posture."

However, although many organizations should have taken action following the incident in 2022, Beaumont warned that among the leaked configs were also around 12,000 site-to-site IPsec VPN tunnel configurations. 

"So even if you weren't popped, the threat actor can pop up on your network," he wrote on Mastodon.

IPsec tunnels offer (supposedly) secure, encrypted remote access to organizations' different networks using gateway hardware, like Fortinet firewalls.

Should an attacker have the keys to these tunnels, they can feasibly join the internal networks of affected organizations and start rooting around for anything of interest.
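As an added example, not taken from The Register's article or from anything Beaumont or Roth published, the Python script below shows the defender-side triage the passages above imply: handed a FortiGate configuration export, it pulls out the administrator contact addresses and groups them by top-level domain (as Roth did with the leaked set), and lists the admin accounts and site-to-site IPsec phase1 tunnels whose secrets must be treated as compromised, together with the remote gateway of each tunnel so the peer organization can be warned. The sample configuration is constructed (RFC 5737 addresses, example domains, fake `ENC` blobs); the parser handles the generic `config`/`edit`/`set`/`next`/`end` layout of FortiGate CLI exports, and the attribute names used (`email-to`, `password`, `psksecret`, `remote-gw`) are the standard ones in that format.

```python
import re
from collections import defaultdict

# Constructed sample in the FortiGate CLI config layout (config/edit/set/next/end).
# Every value is made up: RFC 5737 addresses, example domains, fake ENC blobs.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-HQ-1"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set email-to "netops@example.com"
        set password ENC AAAAfakeblob1
    next
    edit "auditor"
        set accprofile "prof_admin"
        set email-to "security@example.org"
        set password ENC AAAAfakeblob2
    next
end
config vpn ipsec phase1-interface
    edit "to-branch-a"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret ENC AAAAfakeblob3
    next
    edit "to-partner"
        set interface "wan1"
        set remote-gw 198.51.100.7
        set psksecret ENC AAAAfakeblob4
    next
end
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def parse_fortigate_config(text):
    """Parse the config/edit/set/next/end structure into
    {section: {entry_name: {key: value}}}. 'set' lines that sit directly
    under a section with no 'edit' (e.g. system global) use entry name ''."""
    sections, section, entry = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
            entry = ""
        elif section is None:
            continue  # stray line outside any block; ignore
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            sections[section].setdefault(entry, {})[key] = value.strip().strip('"')
        elif line == "next":
            entry = ""
        elif line == "end":
            section = None
    return sections


def emails_by_tld(sections):
    """Admin contact addresses grouped by top-level domain (Roth-style view)."""
    grouped = defaultdict(set)
    for entry in sections.get("system admin", {}).values():
        addr = entry.get("email-to")
        m = EMAIL_RE.fullmatch(addr) if addr else None
        if m:
            tld = m.group(1).rsplit(".", 1)[-1].lower()
            grouped[tld].add(addr.lower())
    return {tld: sorted(addrs) for tld, addrs in grouped.items()}


def secrets_to_rotate(sections):
    """Every credential a leaked copy of this config exposes: admin passwords
    and IPsec pre-shared keys, with the tunnel peer that must also be told."""
    items = []
    for name, entry in sections.get("system admin", {}).items():
        if "password" in entry:
            items.append({"kind": "admin-password", "name": name, "peer": None})
    for name, entry in sections.get("vpn ipsec phase1-interface", {}).items():
        if "psksecret" in entry:
            items.append({"kind": "ipsec-psk", "name": name,
                          "peer": entry.get("remote-gw")})
    return items


def triage(text):
    """One-shot summary for a responder handed a (possibly leaked) config file."""
    sections = parse_fortigate_config(text)
    return {
        "hostname": sections.get("system global", {}).get("", {}).get("hostname"),
        "emails_by_tld": emails_by_tld(sections),
        "rotate": secrets_to_rotate(sections),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CONFIG), indent=2))
```

Run against a real export, the `rotate` list is the starting point for the compromise assessment Roth recommends: every entry is a credential to replace, and every `ipsec-psk` entry names a remote gateway whose owner should re-key and review their own logs, since the leaked tunnel definition describes their side as well.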

"I'm not sure people fully grasp the severity of this FortiGate config dump," Roth wrote.

"Once a zero-day goes public and at least one threat actor has used it to exploit thousands of devices – and then a list of affected systems leaks – [it means] patching is not enough.

"If you take security seriously, you must run a compromise assessment to check whether the device and other systems in your network have already been breached."

The researcher advised organizations included in the list to check for any intrusion attempts, whether any secrets were stolen, and if a backdoor still remains.

"Treat this like the security incident it is," Roth warned. ®
