15,000+ FortiGate firewall configurations leaked by Belsen Group

A new leak from the threat actor known as the Belsen Group has exposed configurations from more than 15,000 FortiGate firewalls. The data was released for free on the group's Tor site, so any other threat actor can now download and exploit it.

The dump is a 1.6GB archive organized by country and IP address. It includes full configuration dumps, firewall rules, private keys and VPN passwords, some of them stored in plain text. The countries with the most affected devices are the U.S., U.K., Poland and Belgium, followed by France, Spain, Malaysia, the Netherlands, Thailand and Saudi Arabia.

The Belsen Group claims the data was collected in 2022 using what was then a zero-day, CVE-2022-40684, an authentication bypass on the FortiOS administrative interface that attackers used at the time to download device configurations and add rogue administrator accounts. Patching in 2022 closed the entry point but did not undo what was taken before the patch: a configuration stolen then still contains every credential, pre-shared key and private key that has not been rotated since, and any rogue admin account added during the intrusion survives the upgrade. Leaked private keys and certificates can be used to impersonate the device or decrypt traffic in supposedly secure communications. To mitigate the risk, organizations that ran vulnerable FortiOS versions in 2022 should treat their configuration as exposed: rotate every credential in it (admin passwords, VPN pre-shared keys, local user passwords), re-issue certificates whose private keys were in the dump, audit the admin account list for entries they did not create, and monitor for logins or VPN sessions that use the old credentials.
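As an added example (not code from the article, from Fortinet or from the Belsen dump), the following script shows the kind of configuration audit the last paragraph calls for. It parses a FortiOS-style CLI export (the `config` / `edit` / `set` / `next` / `end` syntax), lists administrator accounts that are not on an expected allow-list, flags admins with no trusted-host restriction, and reports every secret-bearing setting it finds, distinguishing values that are already `ENC`-encoded from plain-text ones and singling out embedded private keys. The sample configuration is constructed for the example; the set of secret key names (`password`, `psksecret`, `private-key`, `passwd`) is an assumption based on common FortiOS settings and should be extended for your firmware version.

```python
"""Audit a FortiGate CLI config export for the artefacts the leak exposes:
rogue admin accounts, unrestricted admin access, and embedded secrets."""
from dataclasses import dataclass, field

# Assumption: these 'set' keys carry secrets in FortiOS config exports.
SECRET_KEYS = {"password", "psksecret", "private-key", "passwd"}

# Constructed sample in FortiOS CLI syntax; not taken from the leaked archive.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC AK1rB3placeholderhash==
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "support-tmp"
        set accprofile "super_admin"
        set password ENC XYZplaceholderhash==
    next
end
config vpn ipsec phase1-interface
    edit "site-b"
        set psksecret supersecret123
    next
end
config vpn certificate local
    edit "Fortinet_Factory"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIEplaceholder
-----END ENCRYPTED PRIVATE KEY-----"
    next
end
"""


@dataclass
class Entry:
    section: str                       # e.g. "system admin"
    name: str                          # the edit "<name>" value
    settings: dict = field(default_factory=dict)


def parse_fortios(text):
    """Parse config/edit/set/next/end syntax into Entry objects.
    Nested 'config' tables and quoted values spanning lines (PEM keys)
    are handled; 'set' lines apply to the innermost open 'edit'."""
    entries, sections, open_entries = [], [], []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("config "):
            sections.append(line[len("config "):])
        elif line.startswith("edit "):
            open_entries.append(Entry(" ".join(sections),
                                      line[5:].strip().strip('"')))
        elif line.startswith("set "):
            # A value with an odd number of quotes continues on later lines.
            while line.count('"') % 2 == 1 and i < len(lines):
                line += "\n" + lines[i].rstrip()
                i += 1
            key, _, value = line[4:].partition(" ")
            if open_entries:
                open_entries[-1].settings[key] = value.strip()
        elif line == "next" and open_entries:
            entries.append(open_entries.pop())
        elif line == "end" and sections:
            sections.pop()
    return entries


def audit(entries, expected_admins):
    """Return (finding_type, detail) tuples for the parsed config."""
    findings = []
    for e in entries:
        if e.section == "system admin":
            if e.name not in expected_admins:
                findings.append(("rogue-admin", e.name))
            if not any(k.startswith("trusthost") for k in e.settings):
                findings.append(("admin-no-trusthost", e.name))
        for key, value in e.settings.items():
            if key not in SECRET_KEYS:
                continue
            if key == "private-key":
                kind = "private-key"
            elif value.startswith("ENC "):
                kind = "encrypted-secret"
            else:
                kind = "plaintext-secret"
            findings.append((kind, f"{e.section}/{e.name}/{key}"))
    return findings


def audit_text(text, expected_admins):
    return audit(parse_fortios(text), set(expected_admins))


if __name__ == "__main__":
    for kind, detail in audit_text(SAMPLE_CONFIG, {"admin"}):
        print(f"{kind:20} {detail}")
```

Run it against a real export (`show full-configuration` output) with your own admin allow-list. Every `plaintext-secret` and `private-key` line is material an attacker holding a 2022 copy of the config can use directly; every `encrypted-secret` is still a rotation candidate, since `ENC` values for pre-shared keys are reversible on the device and admin hashes can be cracked offline.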