Hacking group leaks Fortinet users’ details on dark web
Details from more than 15,000 devices exposed
Hackers calling themselves the Belsen Group have leaked configuration data and credentials from more than 15,000 Fortinet FortiGate firewalls on the dark web.
Researcher Kevin Beaumont, who has reviewed the data dump, says he believes it to be genuine: the devices in the dump also appear on the Shodan search engine, and the serial numbers match.
A list of 15,474 IP addresses associated with the leak has been published on GitHub by researcher Amram Englander, who advises affected organisations to check their patch history for CVE-2022-40684, a 2022 zero-day authentication bypass in the administrative interface of FortiOS, FortiProxy and FortiSwitchManager that was known to have been actively exploited. Affected organisations should also change their device credentials, assess which firewall rules have been exposed and mitigate the resulting risks, Englander says in a post on LinkedIn.
The vulnerability affects FortiOS 7.2.0 and 7.2.1, and 7.0.0 to 7.0.6; FortiProxy 7.2.0, and 7.0.0 to 7.0.6; and FortiSwitchManager 7.2.0 and 7.0.0.
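As an added example (not code from the article, from Fortinet or from the researchers named above), the following Python script cross-checks a device inventory against a published IP list and the affected-version ranges listed above, and prints the response steps the article describes for each hit. The inventory, the excerpt of the IP list and the function names are constructed for illustration, and the one-address-per-line format of the list is an assumption.

```python
import re
from ipaddress import ip_address

# Affected ranges for CVE-2022-40684 as listed in the article:
# product -> list of (lowest, highest) affected versions, inclusive.
AFFECTED_RANGES = {
    "FortiOS": [((7, 2, 0), (7, 2, 1)), ((7, 0, 0), (7, 0, 6))],
    "FortiProxy": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 6))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 0))],
}

_VERSION = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '7.0.6', 'v7.2.1,build1255' or '7.2' into a comparable 3-tuple."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(product, version):
    """True if this product/version falls inside an affected range."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES.get(product, []))


def load_ip_list(text):
    """Parse a one-address-per-line list; blank lines and '#' comments are ignored.
    (One address per line is an assumption about the published list's format.)"""
    addresses = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addresses.add(ip_address(line))
    return addresses


def assess(inventory, leaked_ips):
    """Return one finding per device that is either in the leak or still on an
    affected version, with the response actions the article describes."""
    findings = []
    for device in inventory:
        in_leak = ip_address(device["ip"]) in leaked_ips
        vulnerable = is_affected(device["product"], device["version"])
        if not (in_leak or vulnerable):
            continue
        actions = []
        if in_leak:
            actions += [
                "treat the October 2022 configuration as public",
                "rotate admin, VPN and SSH credentials",
                "reissue the device management certificate",
                "review exposed firewall rules and internal addressing",
            ]
        if vulnerable:
            actions.append("patch CVE-2022-40684 and audit for unauthorised admin accounts")
        findings.append({"name": device["name"], "ip": device["ip"],
                         "in_leak": in_leak, "vulnerable_version": vulnerable,
                         "actions": actions})
    return findings


# Constructed sample data (documentation address ranges, not real devices).
SAMPLE_IP_LIST = """\
# excerpt of a published IP list (constructed)
192.0.2.10
198.51.100.7
203.0.113.250
"""

SAMPLE_INVENTORY = [
    {"name": "hq-fw1", "ip": "192.0.2.10", "product": "FortiOS", "version": "7.0.6"},
    {"name": "branch-fw", "ip": "192.0.2.11", "product": "FortiOS", "version": "7.0.7"},
    {"name": "proxy1", "ip": "198.51.100.7", "product": "FortiProxy", "version": "7.2.4"},
    {"name": "sw-mgr", "ip": "192.0.2.30", "product": "FortiSwitchManager", "version": "7.0.0"},
]


def run_sample():
    """Assess the constructed inventory against the constructed IP list."""
    return assess(SAMPLE_INVENTORY, load_ip_list(SAMPLE_IP_LIST))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["name"], finding["ip"],
              "in_leak=%s vulnerable=%s" % (finding["in_leak"], finding["vulnerable_version"]))
        for action in finding["actions"]:
            print("   -", action)
```

A device whose address is in the list is treated as compromised regardless of its current version, since the dump reflects its state in October 2022; a device that is merely still on an affected version is not known to be in the dump but is still exposed to the same bypass.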
According to Beaumont the leaked data appears to date from October 2022 and includes usernames, passwords (some in plain text), device management digital certificates and all firewall rules.
Credentials such as admin passwords, SSH keys and LAN passwords could be used by attackers to launch further attacks.
While the data may be more than two years old, many of the affected devices are still in use in organisations and reachable from the internet, and any credentials that have not been changed since then would still be usable.
According to Heise Security, many of the affected devices are “located in companies and medical practices, presumably maintained remotely by a system house” (a German term for an IT service provider).
Heise contacted an administrator based in Germany whose details were found in the data dump, who confirmed that he was indeed the administrator of a Fortinet firewall, adding credence to the authenticity of the data.
Little is known of the Belsen Group, who may be named after the Nazi concentration camp in the Second World War. According to BleepingComputer, the group posted the following message on a hacking forum: "At the beginning of the year, and as a positive start for us, and in order to solidify the name of our group in your memory, we are proud to announce our first official operation: Will be published of sensitive data from over 15,000 targets worldwide (both governmental and private sectors) that have been hacked and their data extracted."
Earlier this week Fortinet warned of another zero-day vulnerability, CVE-2024-55591, an authentication bypass in FortiOS and FortiProxy that may have been under attack since December 2024.