A new hacking group named the Belsen Group has leaked sensitive data from over 15,000 FortiGate devices, exposing vital technical details such as configuration files, IP addresses, and VPN credentials. The group, which emerged this month, posted the data on a Tor website, offering it freely to other cybercriminals. The leak includes a 1.6 GB archive containing folders organized by country, with each folder listing IP addresses, configuration files, and VPN passwords. Some of these passwords are in plain text, further increasing the severity of the exposure.
Cybersecurity expert Kevin Beaumont identified that the leaked data is linked to a 2022 zero-day vulnerability, CVE-2022–40684, which was exploited by threat actors before a patch was released. Beaumont confirmed that some of the leaked data matched information he had found during incident responses on compromised devices. This leak represents the result of two years of exploitation, with Belsen Group now releasing the data to a wider audience. The vulnerability allowed attackers to download config files from FortiGate devices and create malicious super_admin accounts, enhancing the attackers’ control over the devices.
The leak primarily involves devices running FortiOS versions 7.0.0-7.0.6 or 7.2.0-7.2.2, versions
The leak primarily involves devices running FortiOS versions 7.0.0-7.0.6 or 7.2.0-7.2.2, versions that were vulnerable to the CVE-2022–40684 flaw. While Fortinet patched the flaw with the release of FortiOS 7.2.2 in October 2022, many affected devices likely did not upgrade, leaving them susceptible to further exploitation. Even though the data was collected in 2022, the leak remains dangerous as it exposes critical firewall configurations, network credentials, and VPN passwords. Beaumont has warned administrators of FortiGate devices to change their credentials if they were affected by this leak.
The release of this data is a reminder of the ongoing risk posed by zero-day vulnerabilities and the importance of timely patching. While FortiOS version 7.2.2 addresses the CVE-2022–40684 flaw, devices running older versions remain vulnerable. Beaumont has promised to release a list of impacted IP addresses to help administrators identify whether they were affected. This incident follows a similar leak from 2021, when nearly 500,000 Fortinet VPN credentials were exposed due to an older vulnerability, further illustrating the persistent threats targeting FortiGate devices.
Reference:
