TL;DR
- Over 15,000 FortiGate devices had their configurations, IPs, and VPN credentials leaked on the dark web by the “Belsen Group.”
- The leak stems from a 2022 zero-day (CVE-2022-40684) that let attackers pull configuration data from devices before a patch was available.
- The leaked files include plain text passwords, private keys, and firewall rules, posing serious risks if configurations haven’t been updated since 2022.
- Fortinet commands a significant market share (19.2% in mid-2024) and plans to drive growth with future firewall appliance upgrades despite a recent slight dip in share.
A hacking group named the “Belsen Group” has leaked configuration files, IP addresses, and VPN credentials for over 15,000 FortiGate devices.
This data, now available on the dark web, exposes sensitive technical information to cybercriminals.
Details of the Leak
The Belsen Group, which emerged recently, announced their operation on a Tor website, stating:
“At the beginning of the year, and as a positive start for us, and in order to solidify the name of our group in your memory, we are proud to announce our first official operation: Will be published of sensitive data from over 15,000 targets worldwide (both governmental and private sectors) that have been hacked and their data extracted.”
The leaked data comprises a 1.6 GB archive organized by country, with subfolders for each FortiGate device’s IP address.
Each IP address folder contains a configuration file and a vpn-passwords.txt file, some of which include plain text passwords. These configurations also reveal private keys and firewall rules.
Cybersecurity expert Kevin Beaumont linked this leak to a 2022 zero-day vulnerability, CVE-2022-40684, an authentication bypass in the FortiOS administrative interface that was exploited in the wild before a fix was released.
Beaumont noted that the data appears to have been assembled in October 2022, while the vulnerability was still being exploited as a zero-day, but was only released recently.
In 2022, Fortinet warned that threat actors were exploiting a zero-day tracked as CVE-2022-40684 to download config files from targeted FortiGate devices and then add a malicious super_admin account called 'fortigate-tech-support'.
Although the data was collected in 2022, it still poses significant risks. The exposed information includes firewall rules, credentials, and private keys. If you haven't rotated the credentials held in your FortiGate configuration since then (local admin accounts, VPN user passwords, and any pre-shared keys), do so immediately; because the leak also contains private keys, the certificates and keys on affected devices should be regenerated and the old ones revoked, since a leaked key stays usable until it is. Finally, check the device's admin list for the 'fortigate-tech-support' account or any other super_admin account you did not create.
Beaumont plans to release a list of the IP addresses involved, enabling FortiGate administrators to check if they’re affected.
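Two checks follow from the points above: auditing a FortiGate configuration backup for the rogue super_admin account Fortinet described, and matching your own address ranges against the IP list once it is published. The script below is an added example, not code from the original article or from Beaumont or Fortinet. The configuration text and the leaked-IP list are constructed samples in documentation address ranges, and the assumption that the published list will arrive as one address per line is mine; adjust the reader if the real list uses another format.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Constructed sample of a FortiOS configuration backup, laid out in the
# "config / edit / set / next / end" form that real exports use. Addresses
# and password blobs are made up. The rogue account name is the one
# Fortinet reported being added after exploitation of CVE-2022-40684.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.5-FW-build0304-220408:opmode=0:vdom=0:user=admin
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC AK1yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
    next
end
"""

# Constructed stand-in for the IP list; assumed format is one address per
# line, with blank lines and '#' comments ignored.
SAMPLE_LEAKED_LIST = """\
# constructed sample, not the real list
198.51.100.7
203.0.113.10
203.0.113.77
not-an-ip
2001:db8::1
"""

ROGUE_ACCOUNT = "fortigate-tech-support"


def parse_admins(config_text: str) -> Dict[str, str]:
    """Return {account name: accprofile} from the 'config system admin' block.

    Nesting depth is tracked so that nested 'config ... end' blocks inside an
    admin entry do not terminate the section early.
    """
    admins: Dict[str, str] = {}
    in_admin = False
    depth = 0
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if not in_admin and line == "config system admin":
                in_admin, depth = True, 1
            elif in_admin:
                depth += 1
            continue
        if not in_admin:
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                in_admin = False
            continue
        if depth != 1:
            continue  # inside a nested block of an admin entry; skip
        m = re.match(r'edit\s+"([^"]+)"', line)
        if m:
            current = m.group(1)
            admins.setdefault(current, "")
            continue
        m = re.match(r'set accprofile\s+"([^"]+)"', line)
        if m and current is not None:
            admins[current] = m.group(1)
        elif line == "next":
            current = None
    return admins


def suspicious_admins(config_text: str, expected: Iterable[str]) -> List[str]:
    """super_admin accounts not in the allowlist, plus the known rogue name
    regardless of its profile."""
    expected_set = set(expected)
    hits = [name for name, profile in parse_admins(config_text).items()
            if name == ROGUE_ACCOUNT
            or (profile == "super_admin" and name not in expected_set)]
    return sorted(hits)


def device_ips(config_text: str) -> Set[str]:
    """Interface addresses from 'set ip A.B.C.D mask' lines in the backup."""
    return set(re.findall(r"^\s*set ip (\d+\.\d+\.\d+\.\d+) ", config_text, re.M))


def leaked_overlap(leaked_list: str, own_networks: Iterable[str]) -> List[str]:
    """Addresses in the leaked list that fall inside any of your networks.

    own_networks accepts CIDR blocks or single addresses (v4 or v6);
    malformed lines in the list are skipped rather than aborting the check.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in own_networks]
    hits: List[str] = []
    for raw in leaked_list.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue
        if any(addr in net for net in nets):
            hits.append(str(addr))
    return hits


if __name__ == "__main__":
    print("suspicious admins:", suspicious_admins(SAMPLE_CONFIG, expected={"admin"}))
    print("leaked addresses in our ranges:",
          leaked_overlap(SAMPLE_LEAKED_LIST, ["203.0.113.0/24", "2001:db8::/32"]))
    print("this device's own interfaces in the leak:",
          leaked_overlap(SAMPLE_LEAKED_LIST, device_ips(SAMPLE_CONFIG)))
```

Run it against a freshly exported backup rather than an old one: an attacker who added an account in 2022 may also have removed it since, so absence of the rogue name today does not prove the device was never touched, which is why the credential and key rotation above still applies.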
FortiGate’s Market Position
Fortinet, the company behind FortiGate, holds a notable position in the global security appliance market.
In the second quarter of 2024, Fortinet occupied 19.2% of the market, down from over 21% a year earlier. Palo Alto Networks held 22.4% of the market during the same period.
Despite this slight decline, Fortinet remains optimistic about future growth. During an investor day in November 2024, the company outlined medium-term financial targets, anticipating a rebound in firewall appliance sales as customers upgrade in 2026.
They project a compound annual growth rate of 12% for both billings and revenue over the next three to five years.