A newly formed hacking group, the Belsen Group, has released a trove of sensitive data from more than 15,000 FortiGate devices, exposing organisations worldwide to potential cyberattacks. The leaked dataset, totalling 1.6 GB, was shared on the dark web through a website hosted on the Tor network. FortiGate devices, developed by Fortinet, are enterprise-grade firewalls designed to provide robust network security, VPN functionality, and traffic filtering. Widely used in both government and private sector networks, these devices play a critical role in protecting infrastructure, making the breach a significant concern for cybersecurity experts.

The Belsen Group, which emerged this month, announced the leak as its first major operation. The group claimed in a forum post that the breach affected entities across both the public and private sectors and released the data to bolster its profile within the cybercrime community.

Leaked data organised by country, packed with sensitive details

The leak is organised by country, with folders containing subdirectories for each device’s IP address. Each folder includes a full configuration file labelled “config.conf,” plaintext VPN credentials in “vpn-passwords.txt,” and other sensitive details such as usernames, private keys, and firewall rules. Kevin Beaumont, a cybersecurity researcher, has verified the authenticity of the data, confirming it matches details from known affected devices.

The leaked configuration files expose not only the firewall rules used to protect networks but also device management certificates, which could enable attackers to impersonate legitimate systems. In addition, the availability of usernames and passwords in plaintext could allow unauthorised access if the credentials were not updated after the vulnerability was exploited.

Beaumont linked the breach to a previously exploited zero-day vulnerability, CVE-2022-40684, which allowed attackers to download configuration files from FortiGate devices. He reported that the data appears to have been collected in October 2022, during the active exploitation of the vulnerability. “The data appears to have been assembled in October 2022. For some reason, the data dump of configuration files has been released today, just over two years later,” Beaumont wrote in a blog post.

In 2022, Fortinet warned that attackers had used CVE-2022-40684 to extract configuration files and create unauthorised super admin accounts under the name “fortigate-tech-support.” Devices running FortiOS versions 7.0.0 through 7.0.6 or 7.2.0 through 7.2.2 were vulnerable at the time. German news outlet Heise also confirmed that the leaked data includes no devices running firmware versions newer than 7.2.2, which patched the vulnerability in October 2022.

Although Fortinet addressed the vulnerability more than two years ago, Beaumont highlighted that the information in the leaked files remains sensitive. The configuration data includes critical details about network defences, which could still be exploited if credentials and firewall rules were not updated after the initial breach. He advised organisations using FortiGate devices to review their security postures and verify whether they were affected.
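As an added, defender-side example that is not part of the article: a Python helper that checks a FortiOS version string against the affected ranges named above and lists the admin accounts defined in a configuration export, so the “fortigate-tech-support” name can be spotted during the review Beaumont recommends. The FortiOS CLI layout it parses (config system admin / edit / next / end) and the sample excerpt are assumptions for illustration, not leaked data.

```python
import re
# Affected FortiOS ranges named in the article (inclusive bounds).
VULNERABLE_RANGES = [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 2))]
ROGUE_ADMIN = "fortigate-tech-support"  # account name Fortinet warned about

def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'v7.0.5' or '7.2.2' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_vulnerable_version(version: str) -> bool:
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)

def find_admin_accounts(config_text: str) -> list[str]:
    """Return usernames defined under 'config system admin' (assumed FortiOS CLI
    layout: config / edit "name" / next / end). Nested config blocks inside an
    entry are tracked with a depth counter so their 'end' is not misread."""
    names: list[str] = []
    in_admin, depth = False, 0
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config system admin":
            in_admin, depth = True, 0
        elif in_admin and s.startswith("config "):
            depth += 1
        elif in_admin and s == "end":
            if depth == 0:
                in_admin = False
            else:
                depth -= 1
        elif in_admin and depth == 0 and s.startswith("edit "):
            names.append(s[len("edit "):].strip().strip('"'))
    return names

# Constructed sample excerpt (not a real leaked file) containing the rogue account.
SAMPLE_CONFIG = """config system admin
    edit "admin"
        config gui-dashboard
        end
    next
    edit "fortigate-tech-support"
    next
end
"""
```

Running `is_vulnerable_version` over a device inventory and `find_admin_accounts` over each exported config gives two quick signals that the article's advice to verify exposure depends on: an affected firmware line at the time of exploitation, and an admin user that should not exist.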

Beaumont plans to release a list of the leaked IP addresses to assist organisations in assessing their exposure. This incident follows a similar breach in 2021, when attackers leaked nearly 500,000 Fortinet VPN credentials obtained through CVE-2018-13379.
