Saturday, January 18, 2025

15K Fortinet Device Configs Leaked to the Dark Web


Dated configuration data and virtual private network (VPN) credentials for 15,474 Fortinet devices have been posted for free to the Dark Web.

On Jan. 14, Fortinet disclosed a severe authentication bypass vulnerability in its FortiOS operating system and FortiProxy Web gateway, CVE-2024-55591. For a model of what the aftermath of such a vulnerability might look like, one need only look to a parallel bug from October 2022 that is still making waves today.

Back then, Fortinet published an urgent security warning regarding CVE-2022-40684, an equivalent authentication bypass vulnerability affecting FortiOS, FortiProxy, and FortiSwitchManager. Earning a “critical” 9.8 rating in the Common Vulnerability Scoring System (CVSS), it allowed any unauthenticated attacker to perform administrative operations on vulnerable devices via specially crafted HTTP requests. In the wake of that disclosure, security researchers developed a proof-of-concept (PoC) exploit and a template for scanning for vulnerable devices, and watched as exploitation attempts climbed and climbed.

On the same day CVE-2024-55591 was disclosed this week, a threat actor with the nom de guerre “Belsen Group” released data belonging to more than 15,000 Fortinet devices. In a blog post, the CloudSEK researchers who spotted it assessed that the data had been stolen as a result of CVE-2022-40684, likely when that bug was still a zero-day. Now, they wrote, “Once they exhausted its use for themselves (either by selling or using the access), the threat actor(s) decided to leak it in 2025.”


Potential Clues to Belsen Group’s Origins

“2025 will be a fortunate year for the world,” the Belsen Group wrote in its post to the cybercrime site BreachForums (while conveniently omitting that its data had been gathered more than two years ago). The 1.6GB file it dumped on its onion site is available free of charge, and organized neatly in folders first by country, then by IP address and firewall port number.

Affected devices appear to be spread across every continent, with the highest concentration in Belgium, Poland, the US, and the UK, each with more than 20 victims.

On the flip side, security researcher Kevin Beaumont (aka GossiTheDog) noted in a blog post that every country in which Fortinet has a presence is represented in the data, except one: Iran, though Shodan shows nearly 2,000 reachable Fortinet devices in that country today. Moreover, there is only one affected device in the entirety of Russia, and technically it is in Ukraine’s annexed Crimea region.


These data points may be unimportant, or they may hold clues for attributing the Belsen Group. It appears to have popped up this month, though CloudSEK concluded “with high confidence” that it has been around for at least three years now, and that “They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet.”

What Is the Cyber-Risk?

The leaked listings contain two kinds of folders. The first, “config.conf,” contains affected device configurations: IP addresses, usernames and passwords, device management certificates, and all of the affected organization’s firewall rules. This data was stolen via CVE-2022-40684. In the other folder, “vpn-password.txt,” are SSL-VPN credentials. According to Fortinet, these credentials were sourced from devices via an even older path traversal vulnerability, CVE-2018-13379.

Although the info is all somewhat aged by now, Beaumont wrote, “Having a full system config together with all firewall guidelines is … a variety of data.” CloudSEK, too, cited the chance that leaked firewall configurations can reveal details about organizations’ inner community buildings that will nonetheless apply in the present day.


Organizations also often don’t cycle out usernames and passwords, allowing old ones to continue to cause problems. In examining a device included in the dump, Beaumont reported that the old credentials matched those still in use.
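The defensive counterpart to this point, as an added example that is not code from the article, Fortinet or CloudSEK: parse a FortiOS-style configuration export (the sample mirrors the config/edit/next/end layout; its values are constructed placeholders) and enumerate every object that holds a password or private key, which is the rotation list an organization would want after any exposure of its config.conf. The set of secret-bearing attribute names is an assumption.

```python
# Added example (not code from the article, Fortinet or CloudSEK): parse a
# FortiOS-style "config / edit / next / end" export and list the objects that
# hold secrets, i.e. what needs rotating if such a config.conf is exposed.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC placeholder-hash-1
    next
end
config user local
    edit "vpn.alice"
        set passwd ENC placeholder-hash-2
    next
end
config vpn certificate local
    edit "mgmt-cert"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- placeholder"
    next
end
"""

# Attribute names whose values are secrets (assumed set; extend as needed).
SECRET_KEYS = {"password", "passwd", "private-key"}

def parse_fortios_config(text):
    """Return {section: {object: {key: value}}} for top-level tables only."""
    # Nested sub-tables are skipped, but depth is tracked so their 'end' lines
    # do not close the enclosing top-level table early.
    sections, depth, section, obj = {}, 0, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = sections.setdefault(line[len("config "):], {})
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = obj = None
        elif line.startswith("edit ") and depth == 1:
            obj = section.setdefault(line[len("edit "):].strip('"'), {})
        elif line == "next" and depth == 1:
            obj = None
        elif line.startswith("set ") and depth == 1 and obj is not None:
            key, _, value = line[len("set "):].partition(" ")
            obj[key] = value.strip('"')
    return sections

def credentials_to_rotate(sections):
    """(section, object, key) for every attribute whose value is a secret."""
    return [(sec, name, key) for sec, objs in sections.items()
            for name, attrs in objs.items() for key in attrs if key in SECRET_KEYS]
```

Run against a real export, the returned triples are the admin accounts, local VPN users and certificates whose secrets should be replaced, not merely checked.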

Fortinet, for its part, tried to quell concerns in a security analysis published on Jan. 16. “If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail in the threat actor’s disclosure is small,” it explained.
