Threat actor publishes data of 15K hacked FortiGate firewalls
Although the threat actor published the alleged stolen Fortinet FortiGate firewall data this week, the data is apparently tied to older zero-day exploitation from 2022.
A threat actor known as the "Belsen Group" claimed on Tuesday that it published IP addresses, configurations and passwords belonging to more than 15,000 compromised Fortinet FortiGate firewall instances.
The threat actor published the data to a dark web hacking forum this week "in order to solidify the name of our group in your memory," according to the forum post. The sensitive data belonged to more than 15,000 government and private-sector targets that had allegedly suffered compromise via their FortiGate firewalls.
It's unclear how the threat actor acquired the data or if the entire set is authentic; the Belsen Group is a new threat actor not previously known to security researchers and vendors.
However, longtime security researcher and practitioner Kevin Beaumont published a post to his Medium blog Wednesday about the leak. He wrote that he has "been able to verify this dump is real, as devices in it are listed on Shodan and share the same unique serial numbers." Beaumont said the dump also contained device management digital certificates and "all firewall rules," as well as some passwords in plaintext.
Beaumont said that, based on one device at a victim organization where he conducted incident response, he assessed that exploitation occurred via CVE-2022-40684, a critical authentication bypass zero-day vulnerability. The flaw, first disclosed in October 2022, affects FortiOS (Fortinet's firewall operating system), FortiProxy (its secure web proxy) and FortiSwitch Manager (its Ethernet switch management tool). Beaumont said the leaked data was assembled that same month, despite being published more than two years later.
In a blog post on Thursday, Caitlin Condon, director of vulnerability intelligence at Rapid7, also said some of the leaked data appeared to stem from the 2022 zero-day attacks. "After conducting our own outreach to potentially affected organizations, Rapid7 has also confirmed that at least some of the leaked data originated from 2022 incidents where customer firewalls were compromised," she wrote. "Based on Beaumont's analysis and observations from our own investigations, it's likely that the data dump published by the threat actor contains primarily or entirely older data."
Zero-day vulnerabilities and attacks have become a common occurrence for Fortinet in recent years, as the vendor's products have become popular targets for both cybercriminals and nation-state threat actors.
Earlier this week, Fortinet disclosed a critical authentication bypass vulnerability in FortiOS and FortiProxy (CVE-2024-55591) that has seen exploitation in the wild. In November, Volexity reported that a Chinese state-sponsored actor exploited a then-undisclosed Fortinet vulnerability, despite the issue being reported to Fortinet in July. And in October, Mandiant published research reporting that a critical vulnerability, tracked as CVE-2024-47575, disclosed earlier that week had been exploited since at least late June.
Fortinet did not respond to Informa TechTarget's request for comment.
Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.