Security Advisory: Fortinet Firewall Hack

Recent events have highlighted a critical security disclosure involving Fortinet devices. A hacker group known as “Belsen Group” has leaked sensitive data allegedly associated with approximately 15,000 Fortinet firewalls. The leaked information includes highly sensitive details such as plaintext credentials, firewall configurations, and management certificates, raising significant concerns about the potential for unauthorized access and exploitation.

This incident not only underscores the importance of timely patching and proactive security measures but also serves as a stark reminder of the evolving sophistication of cyber threats. Organizations must prioritize robust monitoring and incident response capabilities to mitigate such risks and protect their assets. 


What Happened? 

Leaked Data
The attackers claim to have leaked IP addresses, plaintext credentials, and configurations from affected devices. Security researcher Kevin Beaumont has verified the authenticity of this information, which includes usernames, passwords, device management certificates, and firewall rules. 

Vulnerability Details
The breach exploited CVE-2022-40684, a zero-day vulnerability disclosed in October 2022. Following its disclosure, a proof-of-concept exploit became widely available, leading to a surge in exploitation activity. Despite Fortinet’s urgent patching advisory, some devices remained unpatched, leaving them vulnerable to attacks.

Potential Impact
Although the leaked data is from 2022, unpatched systems, unchanged credentials, or misconfigured firewalls may still expose organizations to risk. Attackers could leverage the leaked information to compromise systems or establish persistent access. 


How GoSecure Is Responding 

At GoSecure, our team is: 

  • Monitoring Threat Intelligence: Continuously cross-referencing leaked IPs and credentials with our Managed Extended Detection and Response (MXDR) platform to identify potential threats.
  • Collaborating with Authorities: Working alongside security authorities and Fortinet to gather updates and provide actionable insights to our clients. 
  • Threat Hunting: Actively searching for indicators of compromise (IoCs) across client environments and escalating findings for immediate action. 


Recommendations for Fortinet Users 

To mitigate risk, we recommend taking the following steps: 

Patch Your Systems
Ensure all Fortinet devices are running the latest firmware and security updates. CVE-2022-40684 has been patched, and updates should be applied without delay. 

Change Credentials
Update all login credentials for Fortinet devices. If credentials have not been updated since October 2022, consider them compromised. 

Review Configurations
Audit your firewall configurations to confirm no unauthorized changes have been made and that all rules align with your organization’s security policies. 

Enable Continuous Monitoring
Set up robust monitoring of your Fortinet logs to detect suspicious activity. This is where advanced Managed Detection and Response services can make a difference. 

Engage in Threat Hunting
Initiate internal incident response processes and threat-hunting activities to detect any persistence mechanisms or malicious activity within your network. 
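One way to start the configuration review described above, as an added example that is not part of the original advisory: the script parses a FortiOS-style configuration backup (a constructed sample in the `config` / `edit` / `set` / `next` / `end` syntax FortiGate exports use) and flags admin accounts missing from an assumed baseline (a possible unauthorized change), admin accounts with no `trusthost` source restriction, and management protocols enabled on a WAN-role interface. `BASELINE_ADMINS` and the sample values are assumptions, not data from the advisory.

```python
import shlex
from collections import defaultdict

# Constructed sample in FortiOS config syntax; not a real device export.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "svc_backup"
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
end
"""
BASELINE_ADMINS = {"admin"}  # assumed: the admin accounts your change records expect
ADMIN_PROTOCOLS = {"http", "https", "ssh", "telnet"}

def parse_config(text):
    """Build {section: {entry: {key: values}}} from config/edit/set/next/end lines."""
    tree, section, entry = defaultdict(dict), None, None
    for parts in filter(None, map(shlex.split, text.splitlines())):
        if parts[0] == "config":
            section = " ".join(parts[1:])
        elif parts[0] == "edit":
            entry = parts[1]
            tree[section][entry] = {}
        elif parts[0] == "set" and entry is not None:
            tree[section][entry][parts[1]] = parts[2:]
        elif parts[0] in ("next", "end"):
            entry = None
    return tree

def audit(text, baseline_admins=BASELINE_ADMINS):
    """Flag unexpected admins, admins without trusthost, and admin access on WAN."""
    cfg, findings = parse_config(text), []
    for name, attrs in cfg.get("system admin", {}).items():
        if name not in baseline_admins:
            findings.append(f"admin '{name}' not in baseline: review as unauthorized change")
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin '{name}' has no trusthost restriction")
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = ADMIN_PROTOCOLS & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(f"interface '{name}' allows {sorted(exposed)} from WAN")
    return findings
```

Run `audit()` against a fresh backup and against a known-good baseline export; any finding that is not explained by a change record is a candidate for the incident response process described in the last step.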


GoSecure Can Help 

It’s more important than ever to have proactive defenses in place. GoSecure Titan® Managed Extended Detection & Response (MXDR) provides 24×7 monitoring, enabling us to ingest logs from your Fortinet devices into our SIEM to detect and mitigate threats in real time. Additionally, our GoSecure Titan® Managed Perimeter Defense (MPD) ensures your firewalls are always updated and optimized to protect against emerging vulnerabilities. 


Next Steps 

Our team is committed to keeping you informed as more information becomes available. If you would like assistance in securing your environment or implementing proactive measures, contact us today to learn how GoSecure’s services can enhance your organization’s security posture. 
