Dated configuration data and virtual private network (VPN) credentials for 15,474 Fortinet devices have been posted for free to the Dark Web.
On Jan. 14, Fortinet disclosed a severe authentication bypass vulnerability in its FortiOS operating system and FortiProxy Web gateway, CVE-2024-55591. For a model of what the aftermath of such a vulnerability could look like, one need only look to a parallel bug from October 2022 that’s still making waves today.
Back then, Fortinet published an urgent security warning regarding CVE-2022-40684, an equivalent authentication bypass vulnerability affecting FortiOS, FortiProxy, and the autological FortiSwitchManager. Earning a “critical” 9.8 rating in the Common Vulnerability Scoring System (CVSS), it allowed any unauthenticated attacker to perform administrative operations on vulnerable devices via specially crafted HTTP requests. In the wake of that disclosure, security researchers developed a proof-of-concept (PoC) exploit, a template for scanning for vulnerable devices, and watched as exploitation attempts climbed and climbed.
On the same day CVE-2024-55591 was disclosed this week, a threat actor with the nom de guerre “Belsen Group” released data belonging to more than 15,000 Fortinet devices. In a blog post, the CloudSEK researchers who spotted it assessed that the data had been stolen thanks to CVE-2022-40684, likely when that bug was still a zero-day. Now, they wrote, “Once they exhausted its use for themselves (either by selling or using the access), the threat actor(s) decided to leak it in 2025.”
Possible Clues to Belsen Group’s Origins
“2025 will be a fortunate year for the world,” the Belsen Group wrote in its post to the cybercrime site BreachForums (while conveniently omitting that its data had been gathered more than two years ago). The 1.6GB file it dumped on its onion website is accessible free of charge, and organized neatly in folders first by country, then by IP address and firewall port number.
Affected devices appear to be spread across every continent, with the highest concentration in Belgium, Poland, the US, and the UK, each with more than 20 victims.
On the flip side, security researcher Kevin Beaumont (aka GossiTheDog) noted in a blog post that every country in which Fortinet has a presence is represented in the data, except one: Iran, despite the fact that Shodan shows nearly 2,000 reachable Fortinet devices in that country today. Furthermore, there is just one affected device in the entirety of Russia, and technically it’s in Ukraine’s annexed Crimea region.
These points of data may be unimportant, or they may hold clues for attributing the Belsen Group. It appears to have popped up this month, though CloudSEK concluded “with high confidence” that it has been around for at least three years now, and that “They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet.”
What’s the Cyber-Risk?
The leaked listings contain two types of folders. The first, “config.conf,” contains affected device configurations: IP addresses, usernames and passwords, device management certificates, and all of the affected organization’s firewall rules. This data was stolen via CVE-2022-40684. In the other folder, “vpn-password.txt,” are SSL-VPN credentials. According to Fortinet, these credentials were sourced from devices via an even older path traversal vulnerability, CVE-2018-13379.
Though the data is all rather aged by now, Beaumont wrote, “Having a full device config including all firewall rules is … a lot of information.” CloudSEK, too, cited the risk that leaked firewall configurations can reveal information about organizations’ internal network structures that may still apply today.
Organizations also often don’t cycle out usernames and passwords, allowing old ones to continue to cause problems. In examining a device included in the dump, Beaumont reported that the old authentications matched those still in use.
Fortinet, for its part, tried to quell concerns in a security analysis published on Jan. 16. “If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail in the threat actor’s disclosure is small,” it explained.
