Hi, anyone noticed this post on x? https://x.com/BelsenGroup/status/1879217666067730671
allegedly 15000 configurations and VPN passwords were stolen from FortiGates
https://github.com/arsolutioner/fortigate-belsen-leak Here you go guys
I don’t have access to the data, my colleagues are still downloading, but a German IT news portal wrote that all data is from FortiOS 7.0.0-7.0.6 or 7.2.0-7.2.2. The data might have been stolen in 2022.
You should be able to translate the article with Google translate Darknet: Konfigurationen und VPN-Passwörter von Fortinet-Geräten aufgetaucht | heise online
It looks like the leak was data from 2022.
Exported configs were always from “Local_Process_Access”, which refers to the following article:
https://www.fortiguard.com/psirt/FG-IR-22-377
Config files sometimes have a very old firmware:
#config-version=FGT60E-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access
#config-version=FG1HEF-7.0.6-FW-build0366-220606:opmode=0:vdom=0:user=Local_Process_Access
Kevin Beaumont intends to release a list of the affected IP addresses.
Seems a list of emails have been released and I also managed to finally download the file ironically.
https://www.swisstransfer.com/d/a0696ee7-a4b7-46ad-bb2a-f3b682d75f81
if someone already downloaded can you please share?
Official response from FTNT out now. https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-data-posting
I’ve updated the leaked list with AS and GeoIP information here:
It breaks down by country to this:
cut -d',' -f6 master.txt | sort | uniq -c | sort -rn | head -25
1081 AE
816 MX
723 TH
710 MY
677 US
670 BR
550 AU
530 CO
498 DO
440 NL
429 SA
407 FR
396 PL
391 ES
347 IL
330 IT
279 EG
278 AR
252 AT
243 IN
240 BE
237 SG
226 GB
205 DE
198 CA
From what I understand, the hash of the VPN password isn’t valid on another device, correct?
We use 7.0 and don’t have/never had Admin publicly available, but I’ve read that sanitizing configs is pretty worthless since the hash in the config can’t be used on another device and/or cannot be reversed to display the VPN keys.
Anyone want to open that tor link and see what’s in there?
I hope Forti is busily downloading the data and preparing to reach out to affected customers.
Anyone’s download finish?
https://github.com/arsolutioner/fortigate-belsen-leak/tree/main
Someone already listed the IPs.
The affected IPs are available here:
Hope whoever has the file can share it here. I’m stuck at 20% and it looks like it’s down again.
Can anybody share the zip?
anyone downloaded the file? Thanks!
Anyone downloaded the file?
Has anyone downloaded the zip? Please share via PM.
I have attempted to download a couple of times unsuccessfully; however, I pulled the incomplete zip contents and wrote a crude Python parser. This should help make sense of some of this data in a way that helps people understand if they are affected more quickly. This script has the ability to keyword search the entire dump’s configs and credentials. If someone out there can make it better, please do!
https://github.com/CriticalWombat/Belsen-Dump-Tool/tree/main
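The “#config-version=” headers quoted earlier in the thread carry the model, FortiOS version, build, build date and the exporting user, which is enough for a defender to triage a config file against the profile described here (7.0.0-7.0.6 / 7.2.0-7.2.2, user=Local_Process_Access). The parser below is an added example and is not the Belsen-Dump-Tool linked above nor any Fortinet code; the header layout and the version ranges are taken from the thread, the “FGT60F” sample line is constructed, and models containing a hyphen are assumed not to occur.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Header shape as quoted in the thread, e.g.
# #config-version=FGT60E-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9]+)-(?P<version>\d+\.\d+\.\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d{6})(?P<rest>(?::[^:\s]+)*)\s*$"
)
# FortiOS ranges the thread says the leaked configs come from.
AFFECTED_RANGES = [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 2))]
# Export user observed in every leaked config (the thread ties it to FG-IR-22-377).
LEAK_USER = "Local_Process_Access"


@dataclass
class ConfigHeader:
    model: str
    version: tuple      # e.g. (7, 2, 0), tuple so it compares numerically
    build: int
    build_date: str     # YYMMDD exactly as written in the header
    fields: dict        # opmode, vdom, user, ...


def parse_header(line: str) -> Optional[ConfigHeader]:
    """Parse one '#config-version=' line; None if the line does not have that shape."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split(":") if "=" in kv)
    version = tuple(int(p) for p in m.group("version").split("."))
    return ConfigHeader(m.group("model"), version, int(m.group("build")), m.group("date"), fields)


def triage(config_text: str) -> dict:
    """Classify a config dump by its first line against the profile described in the thread."""
    lines = config_text.strip().splitlines()
    h = parse_header(lines[0]) if lines else None
    if h is None:
        return {"verdict": "no-header"}
    in_range = any(lo <= h.version <= hi for lo, hi in AFFECTED_RANGES)
    local_export = h.fields.get("user") == LEAK_USER
    verdict = ("matches-leak-profile" if in_range and local_export
               else "affected-version-only" if in_range else "outside-profile")
    return {"verdict": verdict, "model": h.model,
            "version": ".".join(map(str, h.version)), "user": h.fields.get("user")}


if __name__ == "__main__":  # the two headers from the thread plus one constructed newer one
    for s in ["#config-version=FGT60E-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access",
              "#config-version=FG1HEF-7.0.6-FW-build0366-220606:opmode=0:vdom=0:user=Local_Process_Access",
              "#config-version=FGT60F-7.4.1-FW-build0000-240101:opmode=0:vdom=0:user=admin"]:
        print(triage(s))
```

Run it over the first line of each backup you hold to see which of your own exports share the version and export-user profile; a “matches-leak-profile” verdict is a reason to rotate the credentials in that config, not proof it is in the dump.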