Focus Mode
Info Data Leak

15,000 FortiGate Firewalls Exposed: Huge Leak of VPN Login Info

SecurityOnline
Victim: FortiGate Users | FortiGate
Price: N/A
Data: VPN Credentials, Firewall Configurations

Keypoints :

  • Threat Actor: Belsen Group
  • Number of Exposed Configurations: Over 15,000
  • Data Types Leaked: Usernames, passwords (some in plain text), device management certificates, complete firewall rule sets
  • Vulnerability Exploited: CVE-2022-40684
  • Data Organization: Categorized by country with individual IP addresses
  • Potential Risks: Unauthorized network access and exploitation of sensitive information
  • Expert Confirmation: Kevin Beaumont verified the authenticity of the leaked data
FortiGate Leak

Cybersecurity expert Kevin Beaumont has reported that over 15,000 FortiGate firewall configurations, including VPN credentials, have been publicly leaked by a group calling itself “Belsen Group.” This information includes usernames, passwords (some in plain text!), device management certificates, and even complete firewall rule sets.

Fortinet had previously warned in 2022 about a critical zero-day vulnerability (CVE-2022-40684) being actively exploited to target FortiGate firewalls. According to Beaumont, the leaked data appears to have been collected back in October 2022 using this vulnerability. He confirms, “Exploitation was indeed via CVE-2022–40684 based on artefacts on the device.”

The leaked data contains a comprehensive and highly sensitive trove of information:

  • Full firewall configurations: Including all device management digital certificates and firewall rules.
  • VPN credentials: Plaintext usernames and passwords, raising concerns about unauthorized network access.
  • Device-specific data: Such as unique serial numbers, which Beaumont verified using Shodan.
Source: Beaumont

What’s particularly concerning is the organization of the dump. It is categorized by country, with folders containing individual IP addresses. Each IP folder includes a full configuration file (config.conf) and a plaintext list of VPN user credentials (vpn-users.txt).

Beaumont confirms the severity of the situation, stating, “I’ve done incident response on one device at a victim org, and exploitation was indeed via CVE-2022–40684 based on artefacts on the device. I’ve also been able to verify the usernames and password seen in the dump matches the details on the device.”

Kevin Beaumont emphasizes the seriousness of the situation: “Even if you patched back in 2022, you may still have been exploited as the configs were dumped years ago and only just released.”

This release of stolen data presents a unique challenge. Organizations that patched the vulnerability after exploitation might still have their configurations exposed, leaving them vulnerable to subsequent attacks.

FortiGate Leak
Source: @GossiTheDog

The group behind the leak is Belsen Group. The exact intent behind the leak remains unclear, but the consequences are undeniable: thousands of organizations are now at risk of network compromise and potential misuse of their sensitive information.

Related Posts:

[/hidden_content]

Original Source: https://securityonline.info/15000-fortigate-firewalls-exposed-massive-leak-includes-vpn-credentials/

Tags: VPN, ZERO-DAY, CVE, FIREWALL, PASSWORD, LEAK, VULNERABILITY