Unknown group releases Fortinet config files and VPN passwords to the darknet

Complete config files and VPN passwords in plain text for Fortinet devices have been released by a new group. heise security takes a look at the data set.

Computers in front of server cabinets with data leaks, surrounded by data thieves

(Image: created with AI in Bing Designer by heise online / dmk)


VPN access data and complete configuration files of thousands of Fortinet appliances have surfaced on the darknet, where a previously unknown attacker group is giving them away for free. The data is apparently unrelated to the recently published vulnerabilities in the FortiOS appliance operating system. heise security has had a first look at the data.

Gifts in darknet forums are usually small: to prove the quality of their goods, underground traders hand out free samples, a practice that may have been copied from the legal data-trading industry. Complete leaks of thousands of configuration and password files, however, are not commonplace. A new entity calling itself the "Belsen Group" has now given away over 15,000 records that were apparently extracted from Fortinet firewalls via a security vulnerability.

heise security obtained the data set and took a first, cursory look at it. It is a ZIP archive with a total of 145 subdirectories, one per country with affected devices. The largest number of Fortinet configurations, 1,603, were captured from devices in Mexico, followed by 679 in the USA and 208 in Germany. Most of the German IP addresses lie in the Deutsche Telekom and Vodafone networks, but other well-known Internet providers and hosters are represented as well.

Free leak: A new player in the illegal data market is giving away masses of sensitive data from Fortinet firewalls.

(Image: heise security / cku)

But is the data authentic, or is the originator of the leak trying to put himself in the limelight with fake configurations? We put it to the test and contacted one of those affected. The administrator's contact details were conveniently listed in the configuration file, and the man from southern Germany confirmed to heise security that he administers a Fortinet firewall. What's more, based on the records in his CMDB (Configuration Management Database), we were able to verify that the configuration and VPN passwords had been stolen from his firewall in 2022.

The Fortinet admin, a longtime c't and iX reader, further confirmed that some of the plaintext passwords from the leak were correct – others had been changed in the meantime. Based on the tip from heise security, he also quickly switched off the web-based management console, which was still accessible from the Internet via IPv6.

The same applies to other devices in the data set: around fifty of the IP addresses listed were reachable, and in our spot checks we also came across exposed web management interfaces. Combined with the leaked VPN passwords, this would allow attackers to penetrate the networks of those affected.

Many of the affected devices are apparently located in companies and medical practices, presumably maintained remotely by an IT service provider ("Systemhaus"). Because the configuration files also contain all other authentication material, such as admin passwords (albeit encrypted), SSH private keys and encrypted WLAN passwords, they offer an ideal starting point for further cyberattacks.

In the further investigation, we cast the net wider to determine the age of the data. Our conversation with the affected admin pointed to the year 2022, and an analysis of the version information confirmed this. Each configuration file contains, in its first line, a reference to the device model and its firmware and build version, which looks something like this: FWF61E-7.0.1-FW-build0157-210714.


All devices were running FortiOS 7.0.0-7.0.6 or 7.2.0-7.2.2, most of them version 7.2.0. We found no FortiOS version in the data set newer than 7.2.2, released on October 3, 2022. The build date encoded in the last block of digits points to the same date range: none of the firewall firmware images examined had been compiled after September 14, 2022.
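As an added illustration (not part of the original article), the following Python parses the version token quoted above and flags whether a configuration header's FortiOS version and build date fall inside the window the leaked data spans, which lets an administrator triage their own exported configs. The sample headers are constructed; the parser assumes the token may be embedded in a longer first line of the form `#config-version=...`, and searches for it within the line.

```python
import re
from datetime import date, datetime

# Version token as quoted in the article: <model>-<major.minor.patch>-FW-build<nnnn>-<YYMMDD>.
# It is searched for within the line, so a longer "#config-version=...:..." header also works.
HEADER_RE = re.compile(
    r"(?P<model>[A-Z][A-Z0-9]*)-(?P<version>\d+\.\d+\.\d+)-FW-build(?P<build>\d+)-(?P<date>\d{6})"
)
# Inclusive FortiOS version ranges seen in the leaked configs, per the article.
LEAKED_RANGES = (((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 2)))
# Newest firmware build date found in the leak, per the article.
NEWEST_LEAKED_BUILD = date(2022, 9, 14)

def parse_header(line):
    """Extract model, version tuple, build number and build date from a config header line."""
    m = HEADER_RE.search(line)
    if m is None:
        raise ValueError(f"no FortiOS version token in: {line!r}")
    return {
        "model": m.group("model"),
        "version": tuple(int(x) for x in m.group("version").split(".")),
        "build": int(m.group("build")),
        # YYMMDD -> date; "210714" becomes 2021-07-14
        "build_date": datetime.strptime(m.group("date"), "%y%m%d").date(),
    }

def in_leaked_range(version):
    """True if a (major, minor, patch) tuple lies in one of the ranges seen in the leak."""
    return any(lo <= version <= hi for lo, hi in LEAKED_RANGES)

def triage(line):
    """Parse a header and flag whether version and build date fall inside the leak's window."""
    info = parse_header(line)
    info["version_in_leaked_range"] = in_leaked_range(info["version"])
    info["built_before_cutoff"] = info["build_date"] <= NEWEST_LEAKED_BUILD
    return info

# Constructed sample headers (not taken from the leak): the article's example, a full-length
# header in the assumed "#config-version=" form, and a newer release outside the window.
SAMPLE_HEADERS = [
    "FWF61E-7.0.1-FW-build0157-210714",
    "#config-version=FGT60F-7.2.2-FW-build1234-220901:opmode=0:vdom=0:user=admin",
    "FGT40F-7.4.3-FW-build2468-240201",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        t = triage(header)
        flag = "inside leak window" if t["version_in_leaked_range"] and t["built_before_cutoff"] else "outside"
        print(t["model"], ".".join(map(str, t["version"])), t["build_date"], flag)
```

A header outside the window does not mean a device is safe, only that its firmware postdates what this leak contains; credentials reused from an older config remain exposed.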

Some 80 different device types appear in the data leak, the FortiGate 40F and 60F firewalls being the most widespread. There are also WLAN gateways and rack-mount appliances as well as compact devices for the desk or broom cupboard.

So the data was probably stolen in the fall of 2022, but where and how did the unknown attackers obtain it? At present we can only speculate. One of the configuration files contains the line "Exploiting target: IP:Port", which points to an exploit run against each individual firewall. A central leak, for example at Fortinet itself, seems highly unlikely, as the manufacturer does not store the configuration files in its own cloud at all.

A connection with the recently published, in some cases critical, security vulnerabilities in Fortinet products also appears to be ruled out. The data is too old: had the attackers got onto the firewalls only a few days ago, they would have been able to steal more up-to-date information.

In background discussions, experts from major network operators confirmed that they are already working closely with the BSI (Germany's Federal Office for Information Security) and other authorities to inform all affected customers and gather information about the attackers. Their motivation remains unclear, as does the origin of the data. The Fortinet press office, which we asked for a statement in the late morning of January 15, has not responded so far.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.