
15K Fortigate Firewall Configurations Leaked by Belsen Group: Dumped Using a Zero-Day in 2022

Discover how the Belsen Group exploited a zero-day vulnerability in 2022 to leak over 15,000 Fortigate firewall configurations, exposing sensitive credentials, firewall rules and management certificates. This high-impact cyber incident, detailed in our analysis, highlights the risks of authentication bypass vulnerabilities and offers key mitigation strategies, including credential updates, firewall audits and certificate rotation. Stay informed and secure your network against evolving threats with actionable insights from this comprehensive report.

Koushik Pal
January 16, 2025
Green Alert
Last Update posted on
August 21, 2025
Author(s)

Co-author: Pavan Karthick M

Are You Impacted?

Please check your exposure from the list of IPs: https://pastebin.com/mffLfcLp

Analysis and Attribution

Background

Vulnerabilities in Fortigate devices are often used to obtain initial access to target organizations, both because of the nature of the device and because of an insecure codebase. Of late, their customers have been warned of a new zero-day exploited in the wild, CVE-2024-55591, an authentication bypass using an alternate path or channel. However, the relationship between threat actors and Fortigate zero-days goes way back.

In 2022, Fortigate had informed their customers about in-the-wild exploitation of CVE-2022-40684, another authentication bypass vulnerability that can be exploited using an alternate path or channel. Two days ago, someone leaked over 15k Fortigate firewall configurations on an English-speaking hacking forum.


Information from the Post

  • On 14 January 2025, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor with the moniker “Belsen_Group” leaking configs obtained from over 15,000 Fortigate firewalls.


Threat actor leaking configs from over 15k Fortigate firewalls on their onion website for free


  • IR engagements by researchers revealed that the threat actor most likely milked the exploit for CVE-2022-40684 through mass exploitation in 2022. Once they had exhausted its usefulness to themselves (either by selling or using the access), the threat actor(s) decided to leak it in 2025.

  • This list was compiled in October 2022, likely when there wasn’t any CVE assigned to it.


  • The majority of the devices run one of two version lines: Fortigate 7.x and 7.2.x.

  • The leaked information includes:

    • Usernames

    • Passwords (some in plain text)

    • Device management digital certificates

    • All firewall rules

  • Based on the available information, it can be ascertained with medium confidence that the threat actor used a zero-day exploit on Fortigate firewalls in 2022, followed by access brokering/mass exploitation, and subsequently leaked the data in 2025.


Note: CloudSEK has updated this blog with a link to the list of firewall IPs that were compromised. Organizations are recommended to check the blog for the list and ensure they have taken necessary response and mitigation steps.



Threat Actor Activity and Rating

Threat Actor Profiling

Active since: Jan 2025

Reputation: 0

Current Status: ACTIVE

History

Belsen Group may seem new to the forums, but based on the data leaked by them, we can ascertain with high confidence that they’ve been around for at least 3 years now. They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet.

Rating: High


Are You Impacted?

Please check your exposure from the list of IPs: https://pastebin.com/mffLfcLp
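The exposure check recommended above can be automated rather than eyeballed. The script below is an added example and not CloudSEK's code: it parses a leaked IP list (the real list is at the Pastebin link above; the lines embedded here are constructed sample data in the same shape, including IP:port entries, comments and junk lines that real dumps contain) and reports which entries fall inside address ranges the organization owns. The prefixes in OUR_PREFIXES are an assumed input from the defender's own IPAM records.

```python
"""Exposure check against a leaked-IP list (added example, not CloudSEK's code).

Reads a list of affected firewall IPs and reports the entries that fall inside
the address ranges the organization owns. Use it with the real list linked in
the post; SAMPLE_LEAK below is CONSTRUCTED and only mimics the list's shape.
"""
from __future__ import annotations
import ipaddress
import re

# Constructed sample: bare IPs, IP:port pairs, a comment, a junk line and IPv6.
SAMPLE_LEAK = """\
# sample dump (constructed)
203.0.113.10
203.0.113.25:443
198.51.100.7:10443
not-an-ip
192.0.2.200

2001:db8::1
"""

# Constructed: prefixes the defending organization owns (from its IPAM / RIR records).
OUR_PREFIXES = ["203.0.113.0/24", "2001:db8::/32"]

# IPv4 with an optional ':port' suffix; IPv6 entries are passed through untouched.
_IPV4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")


def parse_leak(text: str) -> list[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Extract every valid IP address from the leaked list, skipping comments and junk."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _IPV4_PORT.match(line)
        candidate = m.group(1) if m else line  # drop ':port' on IPv4 entries
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # not an address at all; ignore the line
    return found


def exposed_addresses(leaked, prefixes) -> list[str]:
    """Leaked addresses inside any of our prefixes, unique and sorted by family then value."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    hits = {str(ip) for ip in leaked for net in nets
            if ip.version == net.version and ip in net}
    return sorted(hits, key=lambda s: (ipaddress.ip_address(s).version,
                                       ipaddress.ip_address(s).packed))


if __name__ == "__main__":
    for ip in exposed_addresses(parse_leak(SAMPLE_LEAK), OUR_PREFIXES):
        print("exposed firewall:", ip)
```

Every address the script reports is a device whose configuration, credentials and certificates should be treated as disclosed and handled under the Mitigation section; an empty result only means the organization's prefixes are absent from the list, not that a device was never compromised.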

Geographical Breakdown of the compromised Fortigate firewalls

  • US, UK, Poland and Belgium lead the charts with over 20 victims in each country.

  • France, Spain, Malaysia, Netherlands, Thailand and Saudi Arabia follow the trail, with over 10 victims in each country.


Note: This visualization includes data from companies with multiple office locations. This data is collected by parsing the domains from the emails part of the credentials leaked by the threat actor. We have not used IP addresses of the firewalls for showcasing geographical distribution.


Impact

  • Compromised Credentials: Exposure of usernames and passwords (some in plaintext) enables attackers to directly access sensitive systems. Even organizations that patched this CVE in 2022, once Fortigate released the fix, still need to check for signs of compromise, as the flaw was exploited as a zero-day.

  • Firewall Rules Publicized: Leaking firewall configurations reveals internal network structures, potentially enabling attackers to bypass defenses.

  • Device Management Certificates: Breached digital certificates could allow unauthorized device access or impersonation in secure communications.

  • Prolonged Exploitation Risk: Organizations that patched after the initial 2022 disclosure may still face risk from a pre-existing compromise established while the vulnerability was being actively exploited.


Mitigation

  • Change Credentials Immediately: Update all device and VPN credentials, prioritizing those listed in the dump. Use strong, unique passwords.

  • Audit and Reconfigure Firewalls: Review firewall rules for vulnerabilities introduced by public exposure and tighten access controls.

  • Rotate Certificates: Revoke and replace all exposed digital certificates to restore secure communications.

  • Incident Response and Forensics: Determine the exact patching timeline for CVE-2022-40684, conduct forensic analysis of potentially affected devices, and monitor for unusual activity.
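The four mitigation steps above all start from the same artefact: the leaked configuration of each affected device. The script below is an added example, not CloudSEK's or Fortinet's code. It parses a FortiOS-style export (the config/edit/set/next/end block syntax of a FortiGate configuration file), produces the rotation checklist for admin accounts, local users and local certificates with plaintext secrets flagged first, lists any/any accept policies for the firewall audit, and extracts the firmware version from the #config-version header for the patch-timeline question. SAMPLE_CONFIG is constructed; the hash and key values in it are placeholders.

```python
"""FortiOS configuration triage (added example; not CloudSEK's or Fortinet's code).

Lists what to rotate, which policies to review and which firmware the device
ran, from one configuration export. SAMPLE_CONFIG is CONSTRUCTED in FortiOS's
config/edit/set/next/end syntax; hashes and keys are placeholders.
"""
from __future__ import annotations
import re
import shlex

SAMPLE_CONFIG = """\
#config-version=FGT60F-7.2.1-FW-build1255-220729:opmode=0:vdom=0:user=admin
config system admin
    edit "admin"
        set password ENC SH2CONSTRUCTEDHASH0001
    next
end
config user local
    edit "vpn.alice"
        set passwd ENC SH2CONSTRUCTEDHASH0002
    next
    edit "legacy-svc"
        set passwd "Summer2022!"
    next
end
config vpn certificate local
    edit "mgmt-gui-cert"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- CONSTRUCTED -----END ENCRYPTED PRIVATE KEY-----"
    next
end
config firewall policy
    edit 1
        set name "any-to-any"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 2
        set name "lan-to-dmz-web"
        set srcaddr "LAN_NET"
        set dstaddr "WEB_SRV"
        set action accept
        set service "HTTPS"
    next
end
"""

# Header of a FortiOS export: model, FortiOS version and build number.
_VERSION_LINE = re.compile(r"^#config-version=([A-Za-z0-9]+)-(\d+\.\d+\.\d+)-FW-build(\d+)")


def parse_fortios(text: str) -> dict:
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: value}}}.
    Tables nested inside an entry are keyed by their full path ('a b/c d')."""
    sections, path, saved, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "config":                 # open a (possibly nested) table
            path.append(" ".join(tok[1:]))
            saved.append(current)
            current = None
        elif tok[0] == "edit" and len(tok) > 1:
            current = sections.setdefault("/".join(path), {}).setdefault(tok[1], {})
        elif tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            current = None
        elif tok[0] == "end" and path:         # close table, resume enclosing entry
            path.pop()
            current = saved.pop()
    return sections


def firmware_version(text: str) -> tuple[str, str, str] | None:
    """(model, FortiOS version, build) from the '#config-version=' header, if present."""
    for line in text.splitlines():
        m = _VERSION_LINE.match(line.strip())
        if m:
            return m.group(1), m.group(2), m.group(3)
    return None


def _secret_state(value: str) -> str:
    # FortiOS stores hashed/encrypted secrets as 'ENC <blob>'; anything else is
    # a plaintext value and belongs at the front of the rotation queue.
    return "encrypted" if value.startswith("ENC ") else "PLAINTEXT"


def rotation_checklist(cfg: dict) -> list[tuple[str, str, str]]:
    """Every admin account, local user and local certificate present in the export."""
    items = []
    for name, s in cfg.get("system admin", {}).items():
        items.append(("admin", name, _secret_state(s.get("password", ""))))
    for name, s in cfg.get("user local", {}).items():
        items.append(("local-user", name, _secret_state(s.get("passwd", ""))))
    for name, s in cfg.get("vpn certificate local", {}).items():
        if "private-key" in s:                 # key material is in the dump: revoke and reissue
            items.append(("certificate", name, "private-key-in-dump"))
    return items


def permissive_policies(cfg: dict) -> list[str]:
    """IDs of accept policies allowing all sources to all destinations on all services."""
    return [pid for pid, s in cfg.get("firewall policy", {}).items()
            if s.get("action") == "accept" and s.get("srcaddr") == "all"
            and s.get("dstaddr") == "all" and s.get("service") == "ALL"]


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("firmware:", firmware_version(SAMPLE_CONFIG))
    print("rotate:", rotation_checklist(cfg))
    print("review policies:", permissive_policies(cfg))
```

Every entry in the checklist is rotated regardless of whether the stored secret was hashed, since the page's advice is to replace all exposed credentials and certificates; the PLAINTEXT flag only sets the order. The firmware tuple is what to compare against the vendor's fixed-version list when reconstructing the device's patch timeline.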


