15K Fortigate Firewall Configs Leaked By Belsen Group: Dumped Using Zero-Day in 2022

Discover how the Belsen Group exploited a zero-day vulnerability in 2022 to leak over 15,000 Fortigate firewall configurations, exposing sensitive credentials, firewall rules, and management certificates. This high-impact cyber incident, detailed in our analysis, highlights the risks of authentication bypass vulnerabilities and offers crucial mitigation strategies, including credential updates, firewall audits, and certificate rotation. Stay informed and secure your network against evolving threats with actionable insights from this comprehensive report.

Koushik Pal
January 16, 2025
Green Alert
Last update posted on January 16, 2025

Co-author: Pavan Karthick M

Are You Impacted?

Please check your exposure from the list of IPs: https://pastebin.com/mffLfcLp

Analysis and Attribution

Background

Vulnerabilities in Fortigate devices are often used to obtain initial access to target organizations, largely because of the role the device plays at the network edge and an insecure codebase. Recently, Fortigate customers were warned of a new zero-day in the wild, CVE-2024-55591, an authentication bypass using an alternate path or channel. However, the relationship between threat actors and Fortigate zero-days goes back much further.

In 2022, Fortigate informed its customers about in-the-wild exploitation of CVE-2022-40684, another authentication bypass vulnerability exploitable via an alternate path or channel. Two days ago, someone leaked over 15k Fortigate firewall configurations on an English-speaking hacking forum.


Information from the Post

  • On 14 January 2025, CloudSEK's contextual AI digital risk platform XVigil discovered a threat actor with the moniker "Belsen_Group" leaking configs obtained from over 15,000 Fortigate firewalls.


Threat actor leaking configs from over 15k Fortigate firewalls on their onion website for free


  • IR engagements by researchers revealed that the threat actor most likely milked the exploit for CVE-2022-40684 through mass exploitation in 2022. Once they had exhausted its use for themselves (either by selling or using the access), the threat actor(s) decided to leak it in 2025.

  • This list was compiled in October 2022, likely when there wasn’t any CVE assigned to it.


  • The majority of the devices run one of two versions: Fortigate 7.x and 7.2.x.

  • The leaked information includes:

    • Usernames

    • Passwords (some in plain text)

    • Device management digital certificates

    • All firewall rules

  • Based on the available information, it can be ascertained with medium confidence that the threat actor used a zero-day exploit against Fortigate firewalls in 2022, followed by access brokering and mass exploitation, and subsequently leaked the data in 2025.


Note: CloudSEK has updated this blog with a link to the list of firewall IPs that were compromised. Organizations are recommended to check the blog for the list and ensure they have taken necessary response and mitigation steps.



Threat Actor Activity and Rating

Threat Actor Profiling

Active since

Jan 2025

Reputation

0

Current Status

ACTIVE

History

Belsen Group may seem new to the forums, but based on the data they leaked, we can ascertain with high confidence that they have been around for at least 3 years. They were likely part of a threat group that exploited a zero-day in 2022, although direct affiliations have not been established yet.

Rating 

High


Geographical Breakdown of the compromised Fortigate firewalls

  • US, UK, Poland and Belgium lead the charts with over 20 victims in each country.

  • France, Spain, Malaysia, Netherlands, Thailand and Saudi Arabia follow, with over 10 victims in each country.


Note: This visualization includes data from companies with multiple office locations. The data was collected by parsing the domains from the email addresses that form part of the credentials leaked by the threat actor. We have not used the IP addresses of the firewalls to derive the geographical distribution.


Impact

  • Compromised Credentials: Exposure of usernames and passwords (some in plaintext) enables attackers to directly access sensitive systems. Even if organizations patched this CVE in 2022 after Fortigate released the patch, they still need to check for signs of compromise, as this was a zero-day and devices may have been accessed before the patch was applied.

  • Firewall Rules Publicized: Leaking firewall configurations reveals internal network structures, potentially enabling attackers to bypass defenses.

  • Device Management Certificates: Breached digital certificates could allow unauthorized device access or impersonation in secure communications.

  • Prolonged Exploitation Risk: Organizations that patched after the initial 2022 disclosure may still be at risk due to a pre-existing compromise from the period of active exploitation.


Mitigation

  • Change Credentials Immediately: Update all device and VPN credentials, prioritizing those listed in the dump. Use strong, unique passwords.

  • Audit and Reconfigure Firewalls: Review firewall rules for vulnerabilities introduced by public exposure and tighten access controls.

  • Rotate Certificates: Revoke and replace all exposed digital certificates to restore secure communications.

  • Incident Response and Forensics: Determine the exact patching timeline for CVE-2022-40684, conduct forensic analysis of potentially affected devices, and monitor for unusual activity.
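As an added example (not CloudSEK's or Fortinet's code), the script below supports the credential and certificate rotation steps above by parsing a FortiOS-style configuration and listing the items the leak is said to contain: admin and local-user passwords (flagging any value not stored in FortiOS `ENC` form as plaintext) and local certificate private keys. The block grammar (`config` / `edit` / `set` / `next` / `end`) follows FortiOS CLI conventions; the sample config and all its values are constructed, and the section and key names used are assumptions.

```python
import shlex

# Constructed sample following FortiOS CLI conventions; not a real leaked config.
SAMPLE = """\
config system admin
    edit "admin"
        set password ENC AK1aBcDeFgHiJkLmNoPqRsTuVwXyZ0123
    next
end
config user local
    edit "vpn.user@example.com"
        set passwd Winter2022!
    next
end
config vpn certificate local
    edit "mgmt-cert"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----..."
    next
end
"""

def parse_fortios(text):
    """Return {section: {entry: {key: values}}}; sub-tables nested inside an entry are skipped."""
    tree, section, entry, nested = {}, None, None, 0
    for tok in (shlex.split(ln) for ln in text.splitlines() if ln.strip()):
        kw = tok[0]
        if nested:                                 # inside a nested sub-table: only track its end
            nested += (kw == "config") - (kw == "end")
        elif kw == "config" and section is not None:
            nested = 1                             # a sub-table opened within the current entry
        elif kw == "config":
            section = " ".join(tok[1:]); tree.setdefault(section, {})
        elif kw == "edit":
            entry = tok[1]; tree[section].setdefault(entry, {})
        elif kw == "set" and len(tok) >= 3:
            tree[section].setdefault(entry, {})[tok[1]] = tok[2:]
        elif kw == "end":
            section = entry = None
    return tree

def rotation_list(tree):
    """Secrets to rotate: 'ENC' marks FortiOS-encrypted values, anything else is plaintext."""
    out = []
    for section, entries in tree.items():
        for name, attrs in entries.items():
            if "private-key" in attrs:
                out.append((section, name, "private key"))
            for val in (attrs[k] for k in ("password", "passwd") if k in attrs):
                out.append((section, name, "ENC password" if val[0] == "ENC" else "PLAINTEXT password"))
    return out
```

Run `rotation_list(parse_fortios(SAMPLE))` to get one tuple per secret with its section and entry name; feed a real config export to the same two functions to build the rotation checklist.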


