A significant data breach has come to light: a newly formed threat group calling itself the Belsen Group has leaked an extensive archive of sensitive information online. The leak, roughly 1.6GB of data, includes IP addresses and passwords for more than 15,000 FortiGate devices. The group announced the leak on a dark web forum, apparently seeking notoriety and promoting its operation.
The leaked data reportedly originates from a vulnerability exploited two years earlier, CVE-2022-40684, an authentication bypass in the administrative interface of affected FortiOS versions. The flaw was being exploited as a zero-day at the time, and security researchers say it allowed the attackers to extract configuration data and credentials from devices used across both the government and private sectors. The Belsen Group claims to have organized the exposed data, sorting targets by country, to make analysis easier for potential buyers or other interested parties.
In its forum announcement, the group presented the leak as its first official operation and as a "gift" to the community. Despite the group's marketing, researchers have confirmed that the compromised data is not new: it was taken in 2022 and sat unpublished until now. Notably, researchers have validated that the data came from exploitation of CVE-2022-40684 by linking it to actual incidents involving victim organizations.
Researcher Kevin Beaumont confirmed that he had worked on an incident response for one of the affected devices and that the exploitation on it was traceable to CVE-2022-40684. He also verified that the leaked usernames and passwords matched those stored on the compromised device, confirming a successful breach. The data was reportedly assembled in October 2022 but was only released publicly now, over two years later. Because of that gap, credentials rotated since October 2022 are no longer directly usable, but any account on an affected device whose password has not changed since then should be treated as compromised.
The breach raises significant concerns about the security practices of organizations running FortiGate devices. The two-year gap between theft and disclosure shows why exploitation must be assumed once a device has been exposed while vulnerable, even if no leak is visible at the time, and why ongoing vigilance and proactive mitigation matter. Mapped to the MITRE ATT&CK framework, the activity covers the Initial Access tactic (exploitation of a public-facing application, here the exposed administrative interface), the Credential Access tactic (harvesting the credentials stored on the devices), and, given how long the data was held before release, possibly Persistence.
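The practical follow-up to this story is to find out whether any of your own devices appear in the dump and whether their credentials have been changed since the October 2022 collection. The script below is an added example, not code from the article, from Kevin Beaumont, or from Fortinet: it cross-references a constructed sample dump (the real leak's layout is not shown on the page, so the `ip,username,password` CSV format is an assumption) against a constructed asset inventory of management IPs and password-rotation dates, and flags which accounts must be rotated, which were rotated after the leak, and which leaked IPs fall in your address space but are missing from inventory.

```python
"""Triage a leaked credential dump against an asset inventory.

Added example; not part of the original article or anything published by
the Belsen Group, Fortinet or the researchers quoted. All data below is
constructed sample data and the dump format is assumed.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# The article dates the collection of the data to October 2022. Any password
# last rotated on or before this date is treated as compromised.
COLLECTION_DATE = date(2022, 10, 31)

# Constructed sample dump (assumed CSV layout; IPs are documentation ranges).
LEAK_DUMP = """\
ip,username,password
198.51.100.7,admin,Summer2022!
203.0.113.44,vpnuser,changeme
203.0.113.44,admin,Welcome1
203.0.113.9,admin,hunter2
192.0.2.200,admin,letmein
"""

# Constructed inventory: our FortiGate IPs -> {local account: last rotation}.
INVENTORY = {
    "198.51.100.7": {"admin": date(2022, 6, 1)},
    "203.0.113.44": {"admin": date(2023, 1, 15), "vpnuser": date(2022, 9, 30)},
}
# Address space we own; a leaked IP here that is not in INVENTORY is a gap.
OUR_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Finding:
    ip: str
    username: str
    status: str  # "rotate", "rotated_after_leak" or "unknown_device"
    detail: str


def parse_dump(text):
    """Parse the dump into (ip, username, password) tuples, skipping blank rows."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        if not row.get("ip") or not row.get("username"):
            continue
        records.append((row["ip"].strip(), row["username"].strip(), row["password"]))
    return records


def in_our_ranges(ip, ranges):
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def triage(records, inventory, ranges, collected=COLLECTION_DATE):
    """Return one Finding per leaked account that concerns our address space."""
    findings = []
    for ip, user, _password in records:  # the password itself is never echoed
        if not in_our_ranges(ip, ranges):
            continue
        accounts = inventory.get(ip)
        if accounts is None:
            findings.append(Finding(ip, user, "unknown_device",
                                    "leaked IP is in our space but not in inventory"))
            continue
        rotated = accounts.get(user)
        if rotated is None:
            findings.append(Finding(ip, user, "rotate", "account not tracked in inventory"))
        elif rotated <= collected:
            findings.append(Finding(ip, user, "rotate",
                                    f"last rotation {rotated} is not after {collected}"))
        else:
            findings.append(Finding(ip, user, "rotated_after_leak",
                                    f"rotated {rotated}; still check for reuse elsewhere"))
    return findings


def summarize(findings):
    """Count findings by status, e.g. for a ticket or a dashboard."""
    return Counter(f.status for f in findings)


if __name__ == "__main__":
    results = triage(parse_dump(LEAK_DUMP), INVENTORY, OUR_RANGES)
    for f in results:
        print(f"{f.status:<19} {f.ip:<15} {f.username:<10} {f.detail}")
    print(dict(summarize(results)))
```

The leaked password is read but deliberately never printed or stored in the findings; the point of the check is which accounts to rotate, not what the old secret was. Accounts rotated after the collection date are still reported, because the same password may have been reused on other systems.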
The Belsen Group's actions are a stark reminder of the risk that cyber-attacks pose to sensitive organizational data. Companies need to stay alert to emerging threats and vulnerabilities and keep robust security measures in place to limit the impact of exploitation. This release underscores the need for ongoing monitoring and regular security assessments, including rotating credentials on devices that were ever exposed while vulnerable, to keep sensitive information out of the hands of malicious actors.