
Fortinet FortiGate Firewall Data Leak: Belsen Group Exploits CVE-2022-40684 Vulnerability




Executive Summary: The Belsen Group, a newly identified hacking entity, has leaked configuration data and VPN credentials for over 15,000 Fortinet FortiGate firewalls on the dark web. This data, obtained from a compromise dating back to 2022, was made public on January 15, 2025. The initial compromise is linked to CVE-2022-40684, an authentication bypass vulnerability. The leak poses significant risks to sectors such as government, healthcare, and financial services, with affected devices notably present in Mexico, Thailand, and the U.S.

Incident Overview: The Belsen Group leaked sensitive configuration data and VPN credentials for over 15,000 Fortinet FortiGate firewalls. The data, which includes plaintext credentials, was reportedly obtained from a compromise dating back to 2022. The leak was made public on January 15, 2025, and has been confirmed by multiple sources to be genuine, though the data itself is over two years old.

Attack Vector Analysis: The initial compromise of the Fortinet data is linked to CVE-2022-40684, an authentication bypass vulnerability disclosed in October 2022. This vulnerability allowed attackers to bypass authentication mechanisms and gain unauthorized access to FortiGate firewalls. The data was reportedly assembled in October 2022, and despite being over two years old, it remains relevant because firewall configurations tend to remain static unless a specific security incident prompts a change [https://censys.com/fortigate-config-leak-impact/].

Specific Malware and Tools Identified: While the specific malware used in the attack was not detailed in the sources, the exploitation of CVE-2022-40684 itself served as the primary tool for gaining unauthorized access. The vulnerability allowed attackers to execute arbitrary commands on the affected devices, leading to the extraction of sensitive configuration data and credentials [https://www.rapid7.com/blog/post/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak/].

Historical Context of Threat Actor Activities: The Belsen Group is a new entity in the cyber threat landscape, having joined a hacking forum on January 3, 2025. There is limited historical data on their activities prior to this incident. However, the use of a known vulnerability from 2022 suggests a strategic approach to exploiting unpatched systems, a common tactic among cybercriminal groups [https://censys.com/fortigate-config-leak-impact/].

Sector-Specific Targeting Patterns: The leaked data poses significant risks to various sectors, including government, healthcare, and financial services, which heavily rely on Fortinet's network security solutions. The exposure of firewall configurations and credentials could allow unauthorized access to sensitive networks, leading to potential data breaches and operational disruptions. The geographical distribution of affected devices includes significant numbers in Mexico, Thailand, and the U.S., with a notable presence on the UniNet network [https://censys.com/fortigate-config-leak-impact/].

Technical Details Mapped to the MITRE ATT&CK Framework:
- Initial Access (T1190): Exploitation of CVE-2022-40684, an authentication bypass vulnerability, aligns with the MITRE ATT&CK technique for exploiting public-facing applications.
- Credential Access (T1552): The extraction of plaintext VPN credentials from the compromised firewalls.
- Impact (T1496): The potential for data breaches and operational disruptions due to unauthorized access to network configurations.

Mitigation Recommendations:
- Critical: Organizations should immediately update their FortiGate firewall configurations and VPN credentials. Applying patches for CVE-2022-40684 and the newly disclosed CVE-2024-55591 is crucial to mitigate further risks.
- High: Implementing multi-factor authentication (MFA) for all user accounts is recommended to enhance security [https://www.rapid7.com/blog/post/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak/].
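The attack vector and mitigation sections above describe three things a defender wants to check on a FortiGate whose configuration may be in the leak: whether the FortiOS build is in the CVE-2022-40684 affected range, whether the HTTP/HTTPS administrative interface is reachable on a WAN-role interface, and which admin and local VPN accounts need credential rotation and still lack a two-factor setting. The script below is an added example written for this report; it is not Rescana's, Fortinet's, or Censys' tooling. It assumes the text form of a FortiOS configuration backup (the `#config-version=` header line, `config`/`edit`/`set`/`next`/`end` block syntax, and the `allowaccess`, `role`, and `two-factor` keys) and assumes the affected ranges 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1 as published in Fortinet's advisory for this CVE; verify both against the current advisory before relying on the result. The sample configuration is constructed and describes no real device.

```python
"""Post-leak FortiOS configuration audit (added example, not vendor tooling).

Reports the FortiOS version and whether it is in the CVE-2022-40684 affected
ranges, WAN interfaces exposing the admin web interface, and admin / local VPN
accounts to rotate, noting which have no two-factor setting.
"""
import re

# Constructed sample config shaped like a FortiOS backup; not a real device.
SAMPLE_CONFIG = """\
#config-version=FGT60E-7.0.5-FW-build0304-220826:opmode=0:vdom=0:user=admin
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh http
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC SH2placeholder
    next
    edit "auditor"
        set accprofile "super_admin"
        set two-factor fortitoken
        set password ENC SH2placeholder
    next
end
config user local
    edit "vpn-alice"
        set type password
        set passwd ENC SH2placeholder
    next
    edit "vpn-bob"
        set type password
        set two-factor fortitoken
        set passwd ENC SH2placeholder
    next
end
"""

# Assumed affected FortiOS ranges for CVE-2022-40684 (inclusive); verify against
# the current Fortinet advisory before use.
AFFECTED_RANGES = (((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1)))


def parse_version(text):
    """Extract (major, minor, patch) from the '#config-version=' header line."""
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def parse_sections(text):
    """Return {section: {entry: {key: value}}} for top-level 'config' blocks.

    Nested 'config' blocks inside an entry are tracked on a stack and skipped,
    so only the entry's own 'set' lines are recorded.
    """
    sections, stack, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif line.startswith("edit ") and len(stack) == 1:
            cur = line[len("edit "):].strip('"')
            sections[stack[0]][cur] = {}
        elif line.startswith("set ") and cur is not None and len(stack) == 1:
            key, _, value = line[len("set "):].partition(" ")
            sections[stack[0]][cur][key] = value
        elif line == "next" and len(stack) == 1:
            cur = None
        elif line == "end":
            stack.pop()
    return sections


def exposed_admin_interfaces(sections):
    """WAN-role interfaces whose allowaccess includes the admin web interface."""
    out = []
    for name, attrs in sections.get("system interface", {}).items():
        access = set(attrs.get("allowaccess", "").split())
        if attrs.get("role") == "wan" and access & {"http", "https"}:
            out.append(name)
    return out


def accounts_without_mfa(sections):
    """Admin and local-user entries with no two-factor method configured."""
    missing = []
    for sec in ("system admin", "user local"):
        for name, attrs in sections.get(sec, {}).items():
            if attrs.get("two-factor", "disable") == "disable":
                missing.append(f"{sec}:{name}")
    return missing


def audit(text):
    version = parse_version(text)
    sections = parse_sections(text)
    return {
        "version": version,
        "affected_by_cve_2022_40684": bool(version) and is_affected(version),
        "admin_exposed_on_wan": exposed_admin_interfaces(sections),
        # Every credential in a leaked config is burned: rotate all of them.
        "rotate_admin": sorted(sections.get("system admin", {})),
        "rotate_vpn_users": sorted(sections.get("user local", {})),
        "no_mfa": accounts_without_mfa(sections),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a backup exported from the device rather than against the leaked dump itself; the point is to enumerate what must be rotated and which exposure settings to change, which is the same work regardless of whether the specific device appears in the leak.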

Conclusion: The Fortinet data leak by Belsen Group underscores the persistent challenges in securing network infrastructure against sophisticated cyber threats. Organizations must remain vigilant and proactive in applying security patches and monitoring for unauthorized access to mitigate the risks associated with such data breaches. The incident highlights the importance of addressing known vulnerabilities promptly to prevent exploitation by threat actors.


At Rescana, we are dedicated to assisting our customers in navigating the complex landscape of cybersecurity threats. Our Continuous Third Party Risk Management platform is designed to provide comprehensive threat intelligence and vulnerability management solutions. We are committed to helping you protect your organization from potential threats and vulnerabilities.
