January 17, 2025 at 11:42AM

Zero-Day | Fortinet: Members of a new hacker group have leaked configuration files, IP addresses, and VPN credentials for more than 15,000 FortiGate devices, making them available to the cyber underground for free.

The Belsen Group, which announced the leak, first appeared on social networks and hacking forums this month.

To promote their Belsen Group brand, the hackers created a Tor site where they published a dump of FortiGate data.

The FortiGate leak is a 1.6 GB archive with folders organized by country. Each country folder contains a subfolder for every FortiGate device IP address located in that country.

According to researcher Kevin Beaumont, each IP address folder holds a configuration.conf and a vpn-passwords.txt, the latter containing some passwords in plaintext.

Configurations also contain sensitive information such as private keys and firewall rules.

The leak appears to stem from CVE-2022-40684, a 2022 zero-day that was exploited in the wild before a patch was released.

Beaumont compared the dump against data from an earlier investigation of an incident involving CVE-2022-40684 and confirmed that the usernames and passwords listed in the dump matched those found on the compromised device he had examined at the time.

Back in 2022, Fortinet warned that attackers were exploiting the zero-day, CVE-2022-40684, to download configuration files from targeted FortiGate devices and then add a malicious super_admin account named "fortigate-tech-support".
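The two details above that matter operationally are the archive layout (country folder, then one folder per device IP holding configuration.conf and vpn-passwords.txt) and the rogue super_admin account Fortinet described as an indicator of compromise. The following script, an added example that is not part of the original article or any Fortinet tooling, walks a tree in that layout, lists which device IPs fall inside address ranges you own, and inspects each FortiOS config for unexpected super_admin accounts and for secrets stored without the ENC prefix. The directory tree, config text and CIDR ranges are constructed here for the example; the real dump's contents are not reproduced.

```python
"""Triage helper for a leak laid out as <country>/<device-ip>/configuration.conf.

Added example: builds a constructed sample tree (not leak data) and shows how to
(1) index device IPs per country, (2) match them against owned CIDRs, and
(3) scan a FortiOS config for rogue super_admin accounts and plaintext secrets.
"""
import ipaddress
import re
import tempfile
from pathlib import Path

# Constructed FortiOS-style config; names and hashes are made up for this example.
SAMPLE_CONF = """\
config system global
    set hostname "fw-branch-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC SH2madeup==
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set password ENC SH2alsomadeup==
    next
    edit "readonly"
        set accprofile "prof_admin"
        set password ENC SH2third==
    next
end
config user local
    edit "vpnuser1"
        set type password
        set passwd hunter2
    next
end
"""

# Constructed tree mirroring the described layout; the "not-an-ip" entry is junk the
# walker must skip. IPs are from documentation ranges, not real devices.
SAMPLE_TREE = {
    "DE/203.0.113.7/configuration.conf": SAMPLE_CONF,
    "DE/203.0.113.7/vpn-passwords.txt": "vpnuser1:hunter2\n",
    "US/198.51.100.23/configuration.conf": SAMPLE_CONF.replace("fw-branch-01", "fw-hq"),
    "US/not-an-ip/configuration.conf": "",
}

# Secrets FortiOS normally stores as 'set <key> ENC <blob>'; a value without ENC is plaintext.
PLAINTEXT_SECRET_RE = re.compile(
    r"^\s*set (password|passwd|psksecret|secret)\s+(?!ENC\b)(\S+)", re.MULTILINE
)


def build_sample_tree() -> Path:
    """Write SAMPLE_TREE into a fresh temporary directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="fortileak-example-"))
    for rel, text in SAMPLE_TREE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root


def index_leak(root: Path) -> dict:
    """Map country folder name -> set of device IP addresses, skipping non-IP folder names."""
    index = {}
    for country_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ip_dir in country_dir.iterdir():
            if not ip_dir.is_dir():
                continue
            try:
                ip = ipaddress.ip_address(ip_dir.name)
            except ValueError:
                continue  # folder name is not an IP address; ignore it
            index.setdefault(country_dir.name, set()).add(ip)
    return index


def affected(index: dict, owned_cidrs) -> list:
    """Return sorted (country, ip) pairs whose IP lies inside any of the owned CIDR ranges."""
    nets = [ipaddress.ip_network(c, strict=False) for c in owned_cidrs]
    hits = [(country, str(ip)) for country, ips in index.items()
            for ip in ips if any(ip in n for n in nets)]
    return sorted(hits)


def parse_admins(conf: str) -> dict:
    """Parse the 'config system admin' table into {admin name: {setting: value}}."""
    admins, current, in_block = {}, None, False
    for raw in conf.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            admins[current] = {}
        elif in_block and line == "next":
            current = None
        elif in_block and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip().strip('"')
    return admins


def rogue_super_admins(conf: str, expected=("admin",)) -> list:
    """super_admin accounts not in the expected list, e.g. the 'fortigate-tech-support' IoC."""
    return sorted(name for name, settings in parse_admins(conf).items()
                  if settings.get("accprofile") == "super_admin" and name not in expected)


def plaintext_secrets(conf: str) -> list:
    """(setting, value) pairs for secrets written without the ENC prefix."""
    return [(m.group(1), m.group(2)) for m in PLAINTEXT_SECRET_RE.finditer(conf)]


if __name__ == "__main__":
    root = build_sample_tree()
    idx = index_leak(root)
    print("affected:", affected(idx, ["203.0.113.0/24"]))
    for country, ips in idx.items():
        for ip in ips:
            conf = (root / country / str(ip) / "configuration.conf").read_text()
            print(country, ip, "rogue:", rogue_super_admins(conf),
                  "plaintext:", plaintext_secrets(conf))
```

Point the walker at the real archive root and replace the owned CIDR list with your own prefixes; any hit means the device's credentials, pre-shared keys and private keys should be treated as exposed regardless of the device's current patch level.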

Journalists at the German publication Heise also analyzed the leak and concluded that it was compiled in 2022: all devices ran FortiOS 7.0.0-7.0.6 or 7.2.0-7.2.2, most of them 7.2.0.

However, the researchers warn that although these configuration files were collected in 2022, they still expose a significant amount of sensitive information, including firewall rules and some credentials that remain valid. Administrators whose devices appear in the dump should treat every credential and key in those configurations as compromised, even if the device has since been patched.

This leak is smaller than the 2021 one, in which hackers leaked nearly 500,000 Fortinet VPN credentials harvested via CVE-2018-13379, but it still warrants attention and possibly a response.