15.000 Fortigate configs released from Belsen Group
Author
Andrea Marfella
Cyber Field Engineer
“2025 will be a fortunate year for the world. FortiGate 15K+ Targets (Configs+VPN Passwords). The biggest surprise: All this sensitive and crucial data is absolutely FREE, offered to you as a gift from the Belesn Group. #leak #Network #breachform #world”
Original post on X
On January 14th, a hacker group named Belsen published the configuration data of over 15,000 FortiGate firewalls on BreachForums. According to initial analysis by Kevin Beaumont, the data was allegedly stolen starting in 2022 by exploiting CVE-2022-40684.
The news has been confirmed by Fortinet itself, which released an article with its own analysis.
The published data includes the complete configurations of the firewalls and the plaintext credentials of VPN users, organized by country and IP address. Among the information released, we also find:
IPs
Certificates
Password hashes
VPN configurations
LAN information
Subnets
VLANs
DHCP leases
…
This is a rather serious breach, as anyone could exploit this information to attack the compromised networks.
Yeah, okay, but this data is two years old, and I’ve already patched all the systems, so why should I care?
Although the data is over two years old, it is likely that much of it is still relevant and potentially exploitable. According to an analysis by Censys.io (an alternative to Shodan.io), out of the 15,469 unique listed IPs, a scan conducted on January 17 found that 8,469 IPs, or 54.75%, were still reachable. Of these, 5,086, or 32.88%, continue to expose the login page, primarily over HTTPS.
I’ve collected some statistics regarding the Italian IPs listed in the leak to better understand the current impact:
Total number of Italian IPs: 333
VPN credentials with plaintext username and password: 1836 (!!!)
IPs still responding with a login page: 57, approximately 17%
Exposing the login page on the internet remains an unnecessary risk. For instance, the recent CVE-2024-55591 could allow authentication bypass on certain versions.
Other interesting statistics:
Site-to-site VPNs: 127
Number of passwords reused at least twice (weak/duplicate passwords): 216
The most used password is shared by 28 different accounts, and it’s not Password01 (though that one was present in the leak too!) :)
PATCHING IS NOT ENOUGH
This event must be treated for what it is: a security incident.
First and foremost, I recommend checking at this link to see if any of your IPs are part of the leak. Additionally, verify the email domains extracted from the configurations at this link, as sensitive data related to service providers or third-party actors used in other attacks may be present.
The list of domains represents the email contact domains extracted from the configuration files. Some of these may belong to email providers or service providers working for the actual victims.
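The two checks behind the statistics and recommendations above, matching your own address ranges against the leaked IP list and measuring password reuse across VPN accounts, as a Python script. This is an added example, not the author's tooling; every IP and credential in it is a constructed placeholder, and the input formats are assumed.

```python
import ipaddress
from collections import Counter

# Constructed sample data standing in for the leaked IP list and the VPN user
# entries found in the dumped configs; no value here comes from the real leak.
LEAKED_IPS = ["203.0.113.10", "203.0.113.77", "198.51.100.5", "192.0.2.200", "bad-entry"]
VPN_USERS = [  # (device, username, plaintext password)
    ("fw-a", "alice", "Winter2022!"),
    ("fw-a", "bob", "Winter2022!"),
    ("fw-b", "carol", "Password01"),
    ("fw-b", "dave", "Winter2022!"),
    ("fw-c", "erin", "s3cr3t-unique"),
]


def find_exposed_ips(leaked_ips, org_cidrs):
    """Return the leaked addresses that fall inside the organisation's prefixes."""
    nets = [ipaddress.ip_network(c, strict=False) for c in org_cidrs]
    hits = []
    for raw in leaked_ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # tolerate malformed lines instead of aborting the whole check
        if any(ip in net for net in nets):
            hits.append(str(ip))
    return hits


def password_reuse_stats(entries):
    """Summarise password reuse across accounts the way the post's statistics do."""
    counts = Counter(pw for _, _, pw in entries)
    top_pw, top_n = counts.most_common(1)[0]
    return {
        "reused_passwords": sum(1 for n in counts.values() if n >= 2),
        "top_accounts": top_n,  # accounts sharing the most used password
        "password01_present": "Password01" in counts,
        "top_is_password01": top_pw == "Password01",
    }


if __name__ == "__main__":
    print("our IPs in the leak:", find_exposed_ips(LEAKED_IPS, ["203.0.113.0/24"]))
    print("password reuse:", password_reuse_stats(VPN_USERS))
```

A match from find_exposed_ips means that device's full configuration and VPN credentials should be assumed public, which is the trigger for the incident-response steps below.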
If you confirm that your organization has been impacted, there is only one effective path forward: conduct an assessment to verify whether other systems within your infrastructure have already been compromised.
Patching is crucial, but it’s not the only thing that matters. In situations like these, where a vulnerability has already been exploited to breach a system, additional remediation efforts are required.
No one is infallible; software is inherently vulnerable.
You must adopt a Defense in Depth approach. You can’t just strengthen the castle walls if the enemy is already inside.
If you don’t have a reason to expose the administration console of a service, just don’t. If it’s absolutely necessary, limit access to specific trusted IPs only.
If you do have an exposed service, you need to at least double down on the effort you put into protecting it.