Conversation

Notices

    Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 07:59:04 JST

    A new group, Belsen Group, claim to have released Fortigate configs for 15k firewalls.

    #threatintel

    Attachments

    1. https://cyberplace.social/system/media_attachments/files/113/834/837/674/021/635/original/188b9d3b1b966ebe.png
    2. https://cyberplace.social/system/media_attachments/files/113/834/847/580/812/904/original/dcebe2a9e8b4b0a9.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 08:17:11 JST

      The ZIP contains a folder for each IP address, inside is config.conf (Fortigate full config dump) and vpn-passwords.txt.

      The Fortigate config data appears legit - they're unique - and it looks like a very serious cyber incident is going to play out. Some align to Shodan.

      All the configs appear to come from Fortigate 7.x devices, so this is probably the latest zero day Fortinet didn't tell people about.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/113/834/861/391/297/961/original/66618865606964d5.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 08:52:52 JST

      In terms of validity, you can directly match up devices between the IPs and config.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/113/835/053/025/471/360/original/98684dd0f0199374.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 08:59:53 JST

      A small number of the devices are on Fortigate 7.2, versions from late 2022 - which tends to blow the recent CVE out of the water as that's not supposed to be impacted.

      I've confirmed one of the usernames and passwords with one of the victims a friend works at. Impacted orgs are going to need to change local SSL VPN passwords, admin passwords etc.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 09:08:48 JST

      If anybody wonders if it's related to this prior Fortigate SSL VPN dump: https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/

      I don't think so. The configs run to a year later version size, and the IP addresses in that dump don't align with this dump.
    • G0rb (g0rb@infosec.exchange)'s status on Thursday, 16-Jan-2025 09:17:34 JST

      @GossiTheDog could be older stuff https://www.heise.de/en/news/Unknown-group-releases-Fortinet-config-files-and-VPN-passwords-to-the-darknet-10244238.html

      Attachments

      1. Unknown group releases Fortinet config files and VPN passwords to the darknet (heise online): Complete config files and VPN passwords in plain text for Fortinet devices have been released by a new group. heise security takes a look at the data set.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 09:26:15 JST

      The other thing to mention is the prior dump was via CVE-2018-13379. These devices, based on the config dumps, are largely running versions which were long ago patched for that.

      So what = later vuln.
    • Chester Wisniewski (chetwisniewski@securitycafe.ca)'s status on Thursday, 16-Jan-2025 09:29:00 JST

      @GossiTheDog 0-day confirmed https://www.csoonline.com/article/3802722/fortinet-confirms-zero-day-flaw-used-in-attacks-against-its-firewalls.html

      Attachments

      1. Fortinet confirms zero-day flaw used in attacks against its firewalls (csoonline.com): The advisory from the cybersecurity company follows a report from security researchers who observed exploits in the wild in early December as part of a widespread campaign.
    • Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 16-Jan-2025 09:31:43 JST

      @GossiTheDog

      Do you have a link to the dump?
    • Gonçalo Ribeiro (goncalor@infosec.exchange)'s status on Thursday, 16-Jan-2025 09:33:21 JST

      @GossiTheDog can you share the list of directory names? (i.e. IPs and ports)
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 09:45:49 JST

      Off to bed now, plan for later on tomorrow is to publish the impacted IPs so orgs have a chance to know if they're in scope.

      The last time somebody did this, it was a ransomware group as basically a freebie to attract operators.

      Regarding 'the data's old':

      a) the version numbers run up to 2 years ago, that's not very old

      b) many of the devices are still online and reachable

      c) there's data in the dump which has not been published before as far as I can see, along with device configs
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 10:05:07 JST

      One final update - did some IR on an impacted device, it looks like CVE-2022-40684 based on artefacts left behind.
    • Chester Wisniewski (chetwisniewski@securitycafe.ca)'s status on Thursday, 16-Jan-2025 10:05:28 JST

      @GossiTheDog Are they Fortiproxy? That was affected.
    • Fellows (fellows@cyberplace.social)'s status on Thursday, 16-Jan-2025 10:24:48 JST

      @GossiTheDog thanks for this Kevin, I have passed the info around to some MSPs I have friends working at.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 10:28:37 JST

      1.30am bloggo I wrote

      Everything I know about the Fortigate config dump situation

      https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-configs-somebody-just-released-them-a7a74e0b0c7f
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 10:39:43 JST

      Also, Belsen was an exchange camp, where Jewish hostages were held with the intention of exchanging them for German prisoners of war held overseas.
    • Emme (emme@cyberplace.social)'s status on Thursday, 16-Jan-2025 14:52:59 JST

      @GossiTheDog can you share a zip file out of onion?
    • Bpopson (bpopson@cyberplace.social)'s status on Thursday, 16-Jan-2025 18:19:21 JST

      @GossiTheDog

      They apparently took down the TOR site a few hours ago. I was trying to download so we could do notifications to entities affected in our AOR.
    • 0XFEE (0xfee@cyberplace.social)'s status on Thursday, 16-Jan-2025 18:53:33 JST

      @GossiTheDog Server down :(
    • umuteren1995 (umuteren1995@cyberplace.social)'s status on Thursday, 16-Jan-2025 18:57:36 JST

      @GossiTheDog @dangoodin

      Hello everyone, onion page looks like removed. At least, is there any way to compare IP addresses?
    • Saan V (saanv@infosec.exchange)'s status on Thursday, 16-Jan-2025 19:27:37 JST, in reply to Emme and elementalsitservices

      @elementalsitservices @emme @GossiTheDog

      Kudos to Amran Englander - he published the full IP list here to verify if you're on it: https://github.com/arsolutioner/fortigate-belsen-leak/blob/main/affected_ips.txt

      Attachments

      1. fortigate-belsen-leak/affected_ips.txt at main · arsolutioner/fortigate-belsen-leak (GitHub): Research repository tracking affected IPs from the Fortigate CVE-2022-40684 configuration leak by Belsen Group
    • elementalsitservices (elementalsitservices@cyberplace.social)'s status on Thursday, 16-Jan-2025 19:27:42 JST, in reply to Emme

      @emme @GossiTheDog
      that would be great - am also running a few forti boxes in austria and the provider ip might have changed so it would be hard to verify only on this information
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 19:31:16 JST

      GitHub repo with the FortiGate config dump IPs. If you’re on this list, you need an incident to rotate creds etc.

      https://github.com/arsolutioner/fortigate-belsen-leak/blob/main/affected_ips.txt

      Attachments

      1. fortigate-belsen-leak/affected_ips.txt at main · arsolutioner/fortigate-belsen-leak (GitHub): Research repository tracking affected IPs from the Fortigate CVE-2022-40684 configuration leak by Belsen Group
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 16-Jan-2025 20:08:06 JST

      Here's how the data was organised, by country (Australia and UAE love Forti).

      The data appears to have been assembled for release starting on the 11th, based on the modified dates.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/113/837/704/985/917/499/original/dc19e5ca8854dff6.png
    • Neil Craig (tdp_org@mastodon.social)'s status on Thursday, 16-Jan-2025 21:47:44 JST

      @GossiTheDog Thanks for sharing this.
      We just checked for our IP ranges (nothing in there) but one of my colleagues grouped the IPs in the repo by AS - funnily enough, a good number of the top few are AS from which we frequently see DDOS traffic against our services. Perhaps suggests a lack of care & maintenance on their part & that the DDOS are likely from/via compromised kit. Not a major surprise.
    • Tobias Fiebig (tfiebig@wybt.net)'s status on Thursday, 16-Jan-2025 21:47:44 JST, in reply to Neil Craig

      @tdp_org @GossiTheDog I find the absence of, e.g., 3320 in that list a bit odd.
    • MemoryLeech (cyberleech@cyberplace.social)'s status on Thursday, 16-Jan-2025 22:00:27 JST

      @GossiTheDog

      Thanks for all of this, as ever. Wondering if anyone pulled all of this down and re-uploaded the full dataset anywhere as the original appears to be down?
    • dollarey (dollarey@cyberplace.social)'s status on Thursday, 16-Jan-2025 22:09:22 JST

      @GossiTheDog any devices belonging to Maldives?
    • DrSix (drsix@cyberplace.social)'s status on Thursday, 16-Jan-2025 22:23:02 JST

      @GossiTheDog Thanks for the github list. Company network blocks Tor ;)
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 17-Jan-2025 00:01:01 JST

      Plan for later today is release an Excel file with IPs, reverse DNS, ASN org names and numbers, country etc so orgs can better surface their exposure. Will post here and update blog post.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 17-Jan-2025 00:05:23 JST

      Also, in terms of data validity - I have an automated process scraping HTTP requests for serial numbers and comparing to serial numbers in config files for same IPs: it's legit, they match.
    • Dr. Christopher Kunz (christopherkunz@chaos.social)'s status on Friday, 17-Jan-2025 00:12:29 JST

      @GossiTheDog I read half a VPN password aloud to a victim on the phone, they completed the other half. They're *definitely* legit. They also seem to be mostly cleartext, even those not looking like cleartext?
    • rng342908023490981 (rng342908023490981@cyberplace.social)'s status on Friday, 17-Jan-2025 00:31:27 JST

      @GossiTheDog @christopherkunz

      The dirty secret is that the default encryption key on Fortigate firewalls is shared across ALL Fortigates (and a couple other platforms) and has been compromised for a long time. So if you haven't set up your own key through enabling the private-data-encryption feature, you too can have your passwords cracked and exposed to the Internet.

      Follow the hardening docs and don't forget this step:
      https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-private-data-encryption-feature-on-a/ta-p/339071

      Attachments

      1. Technical Tip: How to enable private-data-encryption feature on a standalone FortiGate (Fortinet Community): Description: This article describes how to enable private-data-encryption feature on a standalone FortiGate. Scope: FortiGate v6.2+. Solution: The Private Data Encryption feature on FortiGate devices is designed to enhance security by encrypting sensitive configuration data stored on the devic...
    • encasitacov19 (encasitacov19@cyberplace.social)'s status on Friday, 17-Jan-2025 02:07:09 JST

      @GossiTheDog can you share the file?
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 17-Jan-2025 04:18:26 JST

      Updated my blog on the Fortigate situation (at the bottom).
      Nothing particularly interesting.

      Also, the blog has pretty significant traffic, just looked at the numbers - but less than 4% from Twitter. That would have been unthinkable a few years ago.

      https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-configs-somebody-just-released-them-a7a74e0b0c7f
    • malte.nyanbinary (malte@fosstodon.org)'s status on Friday, 17-Jan-2025 07:29:00 JST

      @GossiTheDog json instead of xlsx & no country code but: Already includes the IP->AS#, AS Name & reverse DNS(ish) mapping: https://gitlab.com/-/snippets/4795884

      Attachments

      1. 2025-01-16 FortiNet IPs ($4795884) · Snippets · GitLab
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 17-Jan-2025 18:41:30 JST

      FortiGate have a blog out: https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-data-posting

      It’s essentially the same as my blog - but in corporate 🤣

      It plays heavily on the ‘this is old data’ angle and says you’ll be fine as long as you rotated credentials. Sure, somebody obtained all your firewall rules.. but that’s okay.. right. ✅
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 23-Jan-2025 03:50:30 JST

      To help defenders find their impacted orgs in the Fortigate configuration dump incident, here's all emails mentioned - Ctrl+F for yourself.

      https://raw.githubusercontent.com/GossiTheDog/Monitoring/refs/heads/main/Fortigate-Config-Dump-emails.txt
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 23-Jan-2025 04:08:08 JST

      Also, one of the things I've seen mentioned about this dump (including by Fortigate, bizarrely) is 'old IPs, none of these are live'.

      Tip: remotegw-ddns feature. Fortinet even offer dynamic DNS as a service so the IPs float by design. A lot of them are hanging off that.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/113/873/572/967/632/736/original/717f51854602238b.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 23-Jan-2025 06:12:31 JST

      One other side effect of the FortiGate config incident is there’s several thousand site to site IPsec VPN configs allowing you to straight up join to the internal network of large orgs.

      So even if you weren’t popped, the threat actor can pop up on your network.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 23-Jan-2025 06:42:02 JST

      If anybody is wondering:

      $ cat */*/* | grep -c "ike-version"
      11917

      11.9k IPsec VPN tunnels (some orgs have lots).
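    Two checks the thread describes, as an added example that is not Kevin Beaumont's code nor Fortinet's: matching your own address ranges against the dump's per-IP folders (the affected_ips check earlier in the thread) and inventorying the site-to-site IPsec tunnels that the `grep -c "ike-version"` count approximates, flagging any whose remote-gw lands inside your ranges. The dump layout follows the thread (one folder per device IP, each holding config.conf); the sample configs, IPs and tunnel names are constructed.

```python
import ipaddress
import re

# Added example. Constructed stand-in for the dump described in the thread: the
# key is the folder name (device IP), the value its config.conf. IPs and tunnel
# names are made up; the config/edit/set/next/end syntax is FortiGate CLI.
SAMPLE_DUMP = {
    "198.51.100.7": """\
config vpn ipsec phase1-interface
    edit "to-hq"
        set ike-version 2
        set remote-gw 203.0.113.10
    next
    edit "to-dc2"
        set remote-gw 203.0.113.11
    next
end
""",
    "203.0.113.10": """\
config vpn ipsec phase1-interface
    edit "from-branch"
        set ike-version 2
        set remote-gw 198.51.100.7
    next
end
""",
}

PHASE1_RE = re.compile(r"^config vpn ipsec phase1-interface\n(.*?)^end", re.M | re.S)
TUNNEL_RE = re.compile(r'^\s*edit "([^"]+)"\s*\n(.*?)^\s*next', re.M | re.S)


def tunnels_in(text):
    """IPsec tunnels in one config.conf: every `edit` in the phase1 block.
    Unlike `grep -c ike-version`, tunnels that omit the line (default IKEv1)
    are counted too, so the total cannot under-count."""
    block = PHASE1_RE.search(text)
    out = []
    for name, body in TUNNEL_RE.findall(block.group(1) if block else ""):
        ike = re.search(r"set ike-version (\d)", body)
        gw = re.search(r"set remote-gw (\S+)", body)
        out.append({"name": name, "ike_version": int(ike.group(1)) if ike else 1,
                    "remote_gw": gw.group(1) if gw else None})
    return out


def triage(dump, my_ranges):
    """For an org's own CIDR ranges return (impacted, inbound, total):
    impacted = device IPs in my_ranges (my config leaked); inbound = (device,
    tunnel) whose remote-gw is in my_ranges, i.e. someone else's leaked config
    has a site-to-site tunnel into my network; total = tunnels in the dump."""
    nets = [ipaddress.ip_network(r) for r in my_ranges]

    def mine(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:  # remote-gw may be a DDNS hostname, not an IP
            return False

    impacted, inbound, total = [], [], 0
    for device_ip, text in dump.items():
        tunnels = tunnels_in(text)
        total += len(tunnels)
        if mine(device_ip):
            impacted.append(device_ip)
        inbound += [(device_ip, t["name"]) for t in tunnels
                    if t["remote_gw"] and mine(t["remote_gw"])]
    return sorted(impacted), sorted(inbound), total
```

    Run against a real extracted dump by reading each folder's config.conf into the dict and passing your organisation's CIDRs; an empty `impacted` list with a non-empty `inbound` list is the case the thread warns about.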
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 01-Feb-2025 01:57:19 JST

      Belsen Group are back and can spell their own group name now.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/113/924/021/264/778/918/original/96a9131ddfe04ff9.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 01-Feb-2025 02:00:33 JST

      This is what they're trying to sell, they're also trying to sell the original dump for some reason. #threatintel
