Hackers have posted configuration and login credentials for 15,000 Fortinet FortiGate firewalls on the dark web. This is older data not linked to a recent security breach.
It’s not a good week for security specialist Fortinet. Barely a day after the company itself reported on a security flaw in its FortiGate firewalls, a database of leaked data from those same devices surfaced. The data in question was captured in 2022 and thus is not linked to the most recent leak.
The database contains data from as many as 15,000 FortiGate devices. It includes configuration data, as well as IP addresses and VPN login information. That combination can give hackers free access to companies’ networks.
Mexico
German newspaper Heise sifted through the data and found that the bulk of affected devices came from Mexico (1,603) and the United States (679). But the leak also impacts European companies. 208 of the affected firewalls come from Germany. There is no mention of other countries.
For a database of this size to be shared for free in one fell swoop is highly unusual. Hackers usually only share a “test sample” of leaked data to prove the authenticity of the data. The Belsen Group is believed to be behind the leak, according to Bleeping Computer. This is a new name in the hacker world that may want to put itself in the spotlight with this action.
Old data
The data was most likely captured in 2022 or earlier. In October 2022, Fortinet rolled out the FortiOS 7.2.2 patch for its firewalls to close a security vulnerability that was being actively exploited at the time. Experts suspect that that vulnerability (CVE-2022-40684) was exploited to steal data. The firewalls in the database were running on older versions of the operating system.
That this is older data does not make the leak any less damaging. Heise discovered that dozens of IP addresses in the database are still accessible. Combined with the VPN login credentials, the database could still provide hackers with useful information to penetrate accessible networks if the login credentials have not changed since then.
History is in danger of repeating itself for Fortinet. The company warned this week about a critical vulnerability in FortiGate firewalls that is being actively exploited. Vulnerabilities can return like a boomerang for security vendors years later.