Full Report
Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from January. Threat actor of the month: Funksec ransomware “Funksec ransomware” is a threat group active at least since […]
Analysis Summary
# Incident Report: FortiGate Firewall Data Leak via CVE-2022-40684 Exploitation
## Executive Summary
A threat group known as "Belsen Group" publicly leaked sensitive configuration data for over 15,000 FortiGate firewalls on a breach forum on January 14, 2025. The compromised data, which included VPN credentials and device configurations, originated from compromises dating back to 2022 through the exploitation of the critical FortiGate authentication bypass vulnerability, CVE-2022-40684. While initially posted for free, the data was later monetized, highlighting continuing risks from unpatched legacy vulnerabilities.
## Incident Details
- Discovery Date: January 14, 2025 (Date of public announcement/leak)
- Incident Date: Compromises date back to 2022 (when CVE-2022-40684 was actively exploited)
- Affected Organization: Organizations running vulnerable FortiGate firewalls (mostly SMBs using leased-line services).
- Sector: Various (specific sectors not detailed; the affected devices largely sit in SMB infrastructure).
- Geography: Global (Data organized by country)
## Timeline of Events
### Initial Access
- Date/Time: Circa 2022
- Vector: Exploitation of FortiGate Firewalls (CVE-2022-40684)
- Details: Attackers exploited a zero-day authentication bypass vulnerability in FortiGate firewalls to gain unauthorized access.
### Lateral Movement
- Details: Not explicitly detailed, but access to device configurations and VPN credentials implies successful reconnaissance and initial network mapping.
### Data Exfiltration/Impact
- Date/Time: Leak published January 14, 2025
- Details: Sensitive data leaked, including plain text VPN credentials, device configurations, and IP addresses for over 15,000 firewalls. Data was initially released for free on BreachForums, later moved to a Tor-based dedicated leak site (DLS), and then offered for a "nominal fee of 100 USDT."
### Detection & Response
- Date/Time: Identified shortly after the January 14, 2025 leak.
- Details: Security researchers analyzed the leaked data and linked it to the 2022 0-day exploitation. Subsequent scans found that over 54% of affected devices remain online, so the risk is ongoing. (No official organizational response actions were mentioned, only researcher analysis.)
## Attack Methodology
- Initial Access: Exploitation of **CVE-2022-40684** (Authentication Bypass 0-day in FortiGate appliances).
- Persistence: Implied to involve maintaining access gained via the initial exploitation (details unclear).
- Privilege Escalation: Not specified, but obtaining configurations and VPN credentials suggests elevated access was achieved.
- Defense Evasion: Not specified, as the technique was a 0-day exploitation.
- Credential Access: **Direct theft** of **VPN credentials** found within the configuration files.
- Discovery: Analysis of leaked data shows IP addresses and configurations were gathered/mapped.
- Lateral Movement: Not specified.
- Collection: Gathering of **device configurations** and **VPN credentials**.
- Exfiltration: Data was packaged and announced via **BreachForums** and sold/distributed via a **Tor-based dedicated leak site (DLS)**.
- Impact: Exposure of network infrastructure details and remote access credentials.
## Impact Assessment
- Financial: Potential downstream costs from subsequent compromises utilizing the leaked credentials; Belsen Group sought financial gain (100 USDT fee).
- Data Breach: Plain text VPN credentials, device configurations, and IP addresses for >15,000 FortiGate firewalls.
- Operational: Risk to organizations whose firewalls were compromised, potentially leading to network disruption or further intrusions.
- Reputational: Negative impact on users of FortiGate firewalls due to long-term exposure of credentials.
## Indicators of Compromise
- Network indicators: External IP addresses associated with the reported 15,000+ FortiGate devices (Specific IPs defanged and not listed here).
- File indicators: Leaked configuration files and credential dumps.
- Behavioral indicators: Unauthenticated access attempts or session establishment on vulnerable FortiGate endpoints using leaked credentials.
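The behavioural indicator above can be turned into simple detection logic. The following is an added example, not part of the source report and not Fortinet tooling; it runs a few constructed log lines, written in the key=value style of FortiGate event logs, through three rules that matter after a leak of this kind: an administrative login from outside the management allow-list, a successful VPN session for an account that appeared in the device's configuration export (and so may be in the leak), and many distinct usernames failing from one remote IP, the shape of a leaked credential list being tried. The field names approximate the real log format, and the allow-list, the exposed-account set, the threshold and every value in the sample lines are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value style of FortiGate event logs.
# Field names approximate the real format; every value here is invented.
SAMPLE_LOGS = """\
date=2025-01-15 time=08:12:44 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=10.20.0.5 action="login" status="success"
date=2025-01-15 time=08:13:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=198.51.100.7 action="login" status="success"
date=2025-01-15 time=08:15:10 type="event" subtype="vpn" logdesc="SSL VPN login fail" user="vpn.bob" remip=203.0.113.9 action="ssl-login-fail"
date=2025-01-15 time=08:15:11 type="event" subtype="vpn" logdesc="SSL VPN login fail" user="vpn.carol" remip=203.0.113.9 action="ssl-login-fail"
date=2025-01-15 time=08:15:12 type="event" subtype="vpn" logdesc="SSL VPN login fail" user="vpn.dave" remip=203.0.113.9 action="ssl-login-fail"
date=2025-01-15 time=08:16:30 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="vpn.alice" remip=203.0.113.9 action="tunnel-up" tunneltype="ssl-web"
date=2025-01-15 time=09:02:05 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="vpn.alice" remip=192.0.2.44 action="tunnel-up" tunneltype="ssl-web"
"""

# Assumptions for this example: the management-network allow-list and the
# accounts that were present in this device's configuration export.
MGMT_ALLOWLIST = {"10.20.0.5"}
EXPOSED_USERS = {"vpn.alice", "vpn.bob"}
SPRAY_THRESHOLD = 3  # distinct usernames failing from a single source IP

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one key=value log line; quoted and bare values are both accepted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def detect(lines, allowlist=MGMT_ALLOWLIST, exposed=EXPOSED_USERS,
           threshold=SPRAY_THRESHOLD):
    """Return a list of alert dicts for the three post-leak detection rules."""
    alerts = []
    failed_users = defaultdict(set)  # remote IP -> usernames that failed from it
    for line in lines:
        ev = parse_kv(line)
        when = f"{ev.get('date')} {ev.get('time')}"
        if ev.get("subtype") == "system" and ev.get("action") == "login" \
                and ev.get("status") == "success":
            # Rule 1: administrative login from outside the management allow-list.
            if ev.get("srcip") not in allowlist:
                alerts.append({"rule": "admin-login-outside-allowlist",
                               "ip": ev.get("srcip"), "user": ev.get("user"),
                               "time": when})
        elif ev.get("subtype") == "vpn":
            # Rule 2: successful VPN session for an account that was in the export.
            if ev.get("action") == "tunnel-up" and ev.get("user") in exposed:
                alerts.append({"rule": "exposed-account-login",
                               "ip": ev.get("remip"), "user": ev.get("user"),
                               "time": when})
            # Rule 3 (collected here, evaluated below): many distinct users
            # failing from one IP, the pattern of a credential list being tried.
            elif ev.get("action") == "ssl-login-fail":
                failed_users[ev.get("remip")].add(ev.get("user"))
    for ip, users in failed_users.items():
        if len(users) >= threshold:
            alerts.append({"rule": "password-spray", "ip": ip,
                           "user": ",".join(sorted(users)), "time": "n/a"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(f"{alert['rule']:30} ip={alert['ip']:15} user={alert['user']} at {alert['time']}")
```

Rule 2 is deliberately noisy: until every account in the export has been rotated, a legitimate user logging in with an exposed password is indistinguishable from an attacker doing the same, which is the argument for treating rotation (not just patching) as the containment step.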
## Response Actions
- Containment measures: Researchers noted that 54.75% of affected devices remain online, indicating a widespread need for immediate patching/reconfiguration.
- Eradication steps: Organizations must invalidate and reissue all compromised VPN credentials and configurations.
- Recovery actions: Patching/upgrading all FortiGate appliances to mitigate risks associated with CVE-2022-40684.
## Lessons Learned
- Legacy Vulnerabilities Pose Long-Term Risk: A vulnerability exploited in 2022 was still actively compromising systems and leading to data leaks years later, emphasizing the critical nature of timely patching, even for older CVEs.
- Credential Security: Storing plain-text VPN credentials within configurations represents a severe security control failure when combined with an RCE/Auth Bypass vulnerability.
- Threat Actor Motivation Shift: Belsen Group's move from free leakage to charging a nominal fee suggests adaptability in threat actor monetization strategies.
## Recommendations
- Immediately audit all network perimeter devices, especially legacy hardware, for known critical vulnerabilities.
- For all networking hardware storing sensitive access information (like VPN credentials), enforce strong secrecy measures (encryption or removal of plain-text credentials from configuration backups/exports).
- Conduct proactive internal/external vulnerability scanning to ensure all internet-facing devices are patched against known critical vulnerabilities (like CVE-2022-40684).
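The second recommendation (keep plain-text credentials out of configuration exports) and the eradication step above (invalidate every credential that was in a leaked export) can both be checked mechanically. The following is an added example, not from the source report and not Fortinet code; it parses a constructed FortiGate-style configuration export, reports every credential-bearing `set` line and whether its value is stored plain or in the device's `ENC` form, lists the entries whose secrets must be rotated if the export ever left the device, and produces a redacted copy that is safe to attach to a ticket or share with a vendor. The section and key names follow FortiOS CLI conventions (`config user local`, `set passwd`, `set psksecret`); the hostname, account names, secrets and version string are invented, and the set of secret-bearing keys is an assumption that should be extended for the keys in use on a given device.

```python
import re
from dataclasses import dataclass

# Constructed FortiGate-style configuration export; section and key names follow
# the FortiOS CLI, while the contents (hostname, users, secrets) are invented.
SAMPLE_CONFIG = """\
#config-version=FGT60F-<VERSION>-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "FW-EDGE-01"
end
config system admin
    edit "admin"
        set password ENC ENCPLACEHOLDER1==
    next
end
config user local
    edit "vpn.alice"
        set type password
        set passwd ENC ENCPLACEHOLDER2==
    next
    edit "vpn.bob"
        set type password
        set passwd "Summer2022!"
    next
end
config vpn ipsec phase1-interface
    edit "branch-tunnel"
        set psksecret "branch-shared-key"
    next
end
"""

SECRET_KEYS = {"passwd", "password", "psksecret"}  # assumption: extend per device
REDACTED = "<REDACTED>"
CONFIG_RE = re.compile(r"^\s*config\s+(.+?)\s*$")
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]*)"?\s*$')
SET_RE = re.compile(r"^\s*set\s+(\w+)\s+(.*?)\s*$")


@dataclass
class Finding:
    section: str     # e.g. "user local"
    entry: str       # the edit name, e.g. "vpn.bob"
    key: str         # passwd / password / psksecret
    plaintext: bool  # True when the value is not in the device's ENC form


def audit_config(text):
    """Walk the export and report every credential-bearing 'set' line."""
    findings, sections, entry = [], [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # header / comment lines carry no settings
        if m := CONFIG_RE.match(line):
            sections.append(m.group(1))
        elif stripped == "end":
            if sections:
                sections.pop()
        elif m := EDIT_RE.match(line):
            entry = m.group(1)
        elif stripped == "next":
            entry = ""
        elif (m := SET_RE.match(line)) and m.group(1) in SECRET_KEYS:
            value = m.group(2)
            if value == REDACTED:
                continue  # already sanitised
            findings.append(Finding(" / ".join(sections), entry, m.group(1),
                                    not value.startswith("ENC ")))
    return findings


def credentials_to_rotate(findings):
    """Every entry whose secret appeared in an export that may have leaked."""
    return sorted({f.entry for f in findings})


def redact_config(text):
    """Return a copy of the export with all secret values replaced."""
    out = []
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m and m.group(1) in SECRET_KEYS:
            indent = line[: len(line) - len(line.lstrip())]
            out.append(f"{indent}set {m.group(1)} {REDACTED}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = audit_config(SAMPLE_CONFIG)
    for f in found:
        print(f"{'PLAIN' if f.plaintext else 'ENC  '} {f.section}: {f.entry}.{f.key}")
    print("rotate:", ", ".join(credentials_to_rotate(found)))
    print(redact_config(SAMPLE_CONFIG))
```

Two design points. First, `credentials_to_rotate` returns every entry, not only the plain-text ones: the `ENC` form is reversible by design (the device has to recover a pre-shared key to bring a tunnel up), so once an export is outside the device it should be treated as obfuscation rather than protection. Second, `redact_config` replaces the whole value rather than masking part of it, so the output can be diffed and shared without reintroducing the problem the recommendation is trying to remove.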