Belsen Group, a newly observed threat actor, is targeting Fortinet FortiGate firewalls to extract and sell sensitive data. After initially distributing the stolen data for free, the group has shifted to a monetized model and is expanding into selling network access. Having leaked configuration and credential data from thousands of firewalls worldwide, it poses a significant risk across many sectors. Affected: Fortinet FortiGate devices; organizations in finance, technology, defense and other economic sectors.
Keypoints :
- “Belsen Group” specializes in compromising Fortinet FortiGate firewalls.
- Originally, the group distributed stolen data for free to gain notoriety.
- They have transitioned to selling sensitive data for financial gain.
- Belsen Group published a leak affecting over 15,000 FortiGate firewalls, containing device configurations and the credentials stored in them.
- The leaked data affects over 158,000 users across 145 countries.
- The leaked data is linked to exploitation of CVE-2022-40684, the FortiOS authentication bypass reachable through crafted HTTP/HTTPS requests to the administrative interface.
- They are now acting as initial access brokers, selling network access to high-profile organizations.
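Because the leak consists of full configurations, the practical question for an affected administrator is which secrets left the device and must be rotated. The following inventory script is an added example (not part of this summary or the Outpost24 article): it walks a FortiOS configuration dump, tracking the `config`/`edit` nesting, and lists every setting that carries a secret. The set of secret-bearing setting names is an assumption that covers the common cases (admin passwords, local VPN users, LDAP/RADIUS bind secrets, IPsec pre-shared keys); the sample configuration and every value in it are constructed for the example.

```python
from typing import List, Tuple

# Setting names that carry secrets in FortiOS configuration dumps. This list is an
# assumption for the example; extend it for the features and firmware you run.
SECRET_KEYS = {"password", "passwd", "psksecret", "secret", "private-key", "secret-key"}

Secret = Tuple[str, str, str]  # (config path, object name, setting name)


def find_config_secrets(config_text: str) -> List[Secret]:
    """Return every secret-bearing setting in a FortiOS config, with its location.

    FortiOS stores secrets behind the "ENC" marker, hashed for admin passwords and
    reversibly encrypted for most other values. Either way the value was in the
    leaked file, so any ENC value, and any setting named in SECRET_KEYS, is reported.
    """
    path: List[str] = []   # stack of "config ..." sections
    obj: List[str] = []    # current "edit" object name per section ("" if none)
    found: List[Secret] = []
    for raw in config_text.splitlines():
        tok = raw.strip().split()
        if not tok:
            continue
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
            obj.append("")
        elif tok[0] == "end" and path:
            path.pop()
            obj.pop()
        elif tok[0] == "edit" and obj:
            obj[-1] = " ".join(tok[1:]).strip('"')
        elif tok[0] == "next" and obj:
            obj[-1] = ""
        elif tok[0] == "set" and len(tok) >= 3:
            key = tok[1]
            if key in SECRET_KEYS or tok[2] == "ENC":
                found.append((" / ".join(path), obj[-1] if obj else "", key))
    return found


# Constructed sample configuration (hostnames, names and ENC blobs are made up).
SAMPLE_CONFIG = """
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set trusthost1 10.20.0.0 255.255.0.0
        set password ENC SH2exampleadminhash
    next
end
config user local
    edit "vpn-jdoe"
        set type password
        set passwd ENC exampleuserblob
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.20.1.10"
        set dn "dc=corp,dc=example"
        set username "cn=fortibind,ou=svc,dc=corp,dc=example"
        set password ENC examplebindblob
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret ENC examplepskblob
    next
end
"""

if __name__ == "__main__":
    for section, name, key in find_config_secrets(SAMPLE_CONFIG):
        print(f"rotate: {section} [{name}] {key}")
```

The output is a rotation checklist: the admin password, each local VPN user's password, the LDAP bind credential (which is also a domain account and must be reset in the directory) and the IPsec pre-shared key (which must be changed on the peer as well). Run it against the most recent backup of any device that could be in the leak, not just the current running configuration, since credentials removed since 2022 may still be valid elsewhere.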
MITRE Techniques :
- T1071.001 – Application Layer Protocol: Web Protocols: CVE-2022-40684 is triggered by crafted HTTP/HTTPS requests to the FortiOS administrative interface, so the configuration and credential data was pulled from the compromised devices over ordinary web traffic.
- T1005 – Data from Local System: the group collected the configuration files, and the credentials stored in them, from the compromised firewalls before offering the data for distribution.
- Promoting the leaks on social media, coordinating sales over chat platforms and publishing the data itself are marketplace activity rather than intrusion techniques; T1566.001 (Phishing: Spearphishing Attachment), T1071.002 (Application Layer Protocol: File Transfer Protocols) and T1598.001 (Phishing for Information: Spearphishing Service) do not describe them.
Indicator of Compromise :
- No IoC Found
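No indicators are known for the group itself, but Fortinet's advisory for CVE-2022-40684 (FG-IR-22-377) did publish log indicators of exploitation: admin activity attributed to the pseudo-user `Local_Process_Access`, or performed from a user interface reported as `Node.js` or `Report Runner`. The scanner below is an added example (not from this summary or the Outpost24 article) that parses FortiOS key=value event logs and flags those indicators. It assumes the interface is carried in the FortiOS `ui` field (the advisory text says `user_interface`, so both are accepted); the sample log lines, IP addresses and the configuration-change attribute are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Indicators from Fortinet's CVE-2022-40684 advisory (FG-IR-22-377).
SUSPECT_USERS = {"Local_Process_Access"}
SUSPECT_UIS = {"Node.js", "Report Runner"}

# FortiOS logs are key=value pairs; a value is either a bare token or a
# double-quoted string that may contain spaces and backslash-escaped quotes.
KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a field dictionary."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def is_cve_2022_40684_indicator(fields: Dict[str, str]) -> bool:
    """True when a parsed event matches one of the published indicators."""
    ui = fields.get("ui") or fields.get("user_interface") or ""
    return fields.get("user") in SUSPECT_USERS or ui in SUSPECT_UIS


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match an indicator, in input order."""
    return [f for f in map(parse_fortios_log, lines) if is_cve_2022_40684_indicator(f)]


# Constructed sample event log: one normal admin login, one login through the
# bypass, one configuration change made through the bypass (adding an SSH key to
# the admin account is the change the public proof of concept makes), one VPN login.
SAMPLE_LOGS = [
    'date=2022-10-12 time=09:12:01 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(10.20.0.7)" method="https" srcip=10.20.0.7 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(10.20.0.7)"',
    'date=2022-10-12 time=21:47:33 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" '
    'user="Local_Process_Access" ui="Node.js" method="https" srcip=198.51.100.23 '
    'action="login" status="success" '
    'msg="Administrator Local_Process_Access logged in successfully from Node.js"',
    'date=2022-10-12 time=21:47:35 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" '
    'user="Local_Process_Access" ui="Report Runner" action="Edit" cfgpath="system.admin" '
    'cfgobj="admin" cfgattr="ssh-public-key1[*]" msg="Edit system.admin admin"',
    'date=2022-10-13 time=08:01:10 logid="0101039947" type="event" subtype="vpn" '
    'level="information" vd="root" logdesc="SSL VPN login succeeded" user="vpn-jdoe" '
    'remip=203.0.113.44 tunneltype="ssl-web" action="tunnel-up"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f'{hit["date"]} {hit["time"]} {hit["logdesc"]}: user={hit["user"]} ui={hit.get("ui")}')
```

CVE-2022-40684 was exploited in the wild from October 2022, so the relevant events are unlikely to remain in a firewall's local log buffer; run the scan over archived FortiAnalyzer or SIEM exports covering that period, and treat any hit, especially a configuration change to `system.admin`, as evidence that the device's configuration and credentials were taken regardless of whether the device appears in the published leak.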
Full Story: https://outpost24.com/blog/belsen-group-threat-group/