Fortinet: FortiGate config leaks are genuine but misleading

Competition hots up with Ivanti over who can have the worst start to a year


Fortinet has confirmed that previous analyses of records leaked by the Belsen Group are indeed genuine FortiGate configs stolen during a zero-day raid in 2022.

The leaked data includes IP addresses, configurations (including firewall rules), and passwords – some of which were in plain text, according to infosec watcher Kevin Beaumont, who first covered Belsen's data dump.

Beaumont also said the leak appeared to contain files related to around 15,000 Fortinet devices, organized by country of origin. The vendor didn't comment on the scale of the incident.

It did say, however, that the Belsen Group – named after the Bergen-Belsen concentration camp, if you wanted a flavor of this group's character – was passing off the leak as a brand-new feat when in fact the records were taken years earlier and only released this week.

Digging deeper, Beaumont found that the majority of victims were small and medium businesses, with a smattering of larger ones too, and a small number of unidentified governments.

"Every country which has in-scope Fortinet products is visible in the data, except for one – Iran," he added.

"In Iran, no configuration dumps at all are present in this dataset, despite Shodan showing almost two thousand devices with management interfaces or SSL VPN exposed."

Only one victim was identified in Russia, located in Crimea – a disputed territory.

"It is unknown why these countries are missing from the released data," he said.

Nevertheless, the researcher advised customers to stay alert to possible exploitation, even if they patched back in 2022. If patches were applied only after October 2022, when CVE-2022-40684 was exploited as a zero-day, there is still a chance that their configs were lifted before the fix went on.

Fortinet's take was a little more light-touch, confirming the majority of devices affected by the vulnerability have since been patched.

"If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization's current config or credential detail in the threat actor's disclosure is small," it said on Thursday.

"We continue to strongly recommend that organizations take the recommended actions, if they have not already, to improve their security posture.

"We can also confirm that devices purchased since December 2022 or devices which have only run FortiOS 7.2.2 or above are not impacted by the information disclosed by this threat actor.

"If you were running an impacted version (7.0.6 and lower or 7.2.1 and lower) prior to November 2022 and did not already take the actions recommended in the advisory, we strongly recommend reviewing the recommended actions to improve your security posture."

The vendor also said it would be proactively contacting customers who might still be at risk.

"If you are in scope, you may need to change device credentials and assess risk of firewall rules being publicly available," Beaumont added.

One thing after another

It hasn't been an ideal start to 2025 for Fortinet (2024 wasn't great either), with news of another possible zero-day exploitation campaign emerging mere days ago.

Arctic Wolf Labs told The Register the campaign appeared to start in early December and end toward the end of the month.

Although the point of intrusion in these attacks hasn't been linked to a specific vulnerability, nor has it been assigned a CVE identifier, Arctic Wolf's lead threat intel researcher, Stefan Hostetler, said it's "highly probable" that a zero-day was involved.

"While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected," said Hostetler and colleagues.

The intrusions came through Fortinet's FortiGate firewalls running FortiOS versions between 7.0.14, which was released in February 2024, and 7.0.16, released in October 2024.
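Fortinet's version and date criteria quoted above, together with the 7.0.14 to 7.0.16 range Arctic Wolf reported, can be turned into a quick inventory triage check. This is an added example, not Fortinet's or Arctic Wolf's code; the Device record shape, the inventory entries and the exact month cut-off dates are my assumptions. It also guards against a common pitfall: comparing version strings lexically puts 7.0.14 below 7.0.6.

```python
from dataclasses import dataclass
from datetime import date
# Ranges and dates come from the statements quoted in the article; the month
# boundaries are my approximation of "prior to November 2022" and
# "purchased since December 2022" (assumed cut-offs, not Fortinet's wording).
LEAK_CUTOFF = date(2022, 11, 1)
PURCHASE_SAFE_FROM = date(2022, 12, 1)

def parse_version(v: str) -> tuple[int, int, int]:
    """Split 'x.y.z' into integers: as strings, '7.0.14' sorts BELOW '7.0.6'."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected FortiOS version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def version_impacted(v: str) -> bool:
    """7.0.6 and lower, or 7.2.0-7.2.1; Fortinet says 7.2.2 and above is clean."""
    ver = parse_version(v)
    return ver <= (7, 0, 6) or (7, 2, 0) <= ver <= (7, 2, 1)

def in_campaign_range(v: str) -> bool:
    """7.0.14 through 7.0.16, the versions Arctic Wolf saw intrusions on."""
    return (7, 0, 14) <= parse_version(v) <= (7, 0, 16)

@dataclass
class Device:
    name: str
    purchased: date
    runs: list[tuple[str, date]]  # (FortiOS version, date it was first run)

def leak_exposure(dev: Device) -> str:
    """Classify one device against the leak using the vendor's own criteria."""
    if dev.purchased >= PURCHASE_SAFE_FROM:
        return "NOT_IMPACTED_PURCHASE_DATE"
    if dev.runs and all(parse_version(v) >= (7, 2, 2) for v, _ in dev.runs):
        return "NOT_IMPACTED_VERSION_HISTORY"
    if any(version_impacted(v) and since < LEAK_CUTOFF for v, since in dev.runs):
        return "IN_SCOPE_ROTATE_CREDENTIALS"
    return "REVIEW_AGAINST_ADVISORY"

# Constructed inventory records, not real devices.
INVENTORY = [
    Device("branch-fw-01", date(2021, 3, 1), [("7.0.5", date(2022, 6, 1)), ("7.0.14", date(2024, 3, 1))]),
    Device("hq-fw-02", date(2023, 1, 15), [("7.2.4", date(2023, 1, 15))]),
    Device("lab-fw-03", date(2022, 1, 1), [("7.2.2", date(2022, 10, 1)), ("7.4.0", date(2023, 6, 1))]),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d.name, leak_exposure(d), "campaign range:", any(in_campaign_range(v) for v, _ in d.runs))
```

A device flagged IN_SCOPE is one whose config may be in the dump, so credential rotation and a review of now-public firewall rules apply regardless of whether it has since been patched.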

Expect further reporting on this as details emerge. ®
