{"id":1632,"date":"2025-01-23T23:51:24","date_gmt":"2025-01-23T23:51:24","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1632"},"modified":"2025-01-23T23:51:24","modified_gmt":"2025-01-23T23:51:24","slug":"warning-to-fortigate-admins-you-need-to-run-a-compromise-assessment-now","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1632","title":{"rendered":"Warning to FortiGate admins: You need to run a compromise assessment now"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Network administrators with Fortinet\u2019s FortiGate next-generation firewall in their IT environments are being warned to thoroughly scrutinize systems for possible compromise, following last week\u2019s dump of stolen configuration and VPN credentials by a threat actor.<\/p>\n<p>\u201cPatching is not enough,\u201d <a href=\"https:\/\/x.com\/cyb3rops\/status\/1882371574256357427\">tweeted cybersecurity researcher Florian Roth<\/a> on Thursday. \u201cIf you take security seriously, you must run a compromise assessment to check whether the device and other systems in your network have already been breached.\u201d<\/p>\n<p>\u201cTreat this like the security incident it is,\u201d he added.<\/p>\n<p>The warning comes after Roth analyzed stolen FortiGate device configuration data released earlier this month by a threat actor calling itself the Belsen Group. 
That data, claimed to be config settings for 15,000 firewalls, would be of great value to hackers.<\/p>\n<p>After the gang posted the data, it was <a href=\"https:\/\/doublepulsar.com\/2022-zero-day-was-used-to-raid-fortigate-firewall-configs-somebody-just-released-them-a7a74e0b0c7f\">initially examined by researcher Kevin Beaumont<\/a>, who found it included IP addresses, plaintext device passwords, and some email addresses of users or their organizations. Among other questions this data dump raises is why admins allowed plaintext passwords to be stored in a config file.<\/p>\n<p><a href=\"https:\/\/gist.github.com\/Neo23x0\/e2cb09c3a193218c28424fe768605103\">Roth grouped the email addresses by top-level domain<\/a> to help CISOs and their equivalents see whether their organizations are impacted. However, he cautioned that some of the domains may simply belong to free email services or to service providers working for the actual victims.<\/p>\n<p>Beaumont said the data was stolen by a threat actor exploiting <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2022-40684\">CVE-2022-40684<\/a>, a zero-day authentication bypass using an alternate path in FortiOS. It could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.<\/p>\n<p>According to Beaumont, last week\u2019s dump of data included usernames, passwords \u2014 some in plaintext \u2014 device management digital certificates, and all firewall rules.<\/p>\n<p>For its part, after the Belsen Group posted the stolen data last week, <a href=\"https:\/\/www.fortinet.com\/blog\/psirt-blogs\/analysis-of-threat-actor-data-posting\">Fortinet said<\/a> the exposed data was captured via a 2022 vulnerability and aggregated to look like a new disclosure. 
\u201cOur analysis of the devices in question shows that the majority have long since upgraded to newer versions,\u201d the company said.<\/p>\n<p>The list does not include any configurations for FortiOS 7.6 or 7.4 (the most recent versions of Fortinet\u2019s operating system), it noted, \u201cnor any recent configurations for 7.2 and 7.0.\u201d<\/p>\n<p>\u201cIf your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization\u2019s current config or credential details being in the threat actor\u2019s disclosure is small,\u201d Fortinet said. \u201cWe continue to strongly recommend that organizations take the recommended actions, if they have not already, to improve their security posture.<\/p>\n<p>\u201cWe can also confirm that devices purchased since December 2022 or devices which have only run FortiOS 7.2.2 or above are not impacted by the information disclosed by this threat actor.\u201d<\/p>\n<p>But, the manufacturer added, \u201cIf you were running an impacted version (7.0.6 and lower or 7.2.1 and lower) prior to November 2022 and did not already take the actions recommended in <a href=\"https:\/\/www.fortinet.com\/blog\/psirt-blogs\/update-regarding-cve-2022-40684\">the [October 2022] advisory<\/a>, we strongly recommend reviewing the recommended actions to improve your security posture.\u201d<\/p>\n<p><a href=\"https:\/\/censys.com\/fortigate-config-leak-impact\/\">Researchers at Censys think<\/a> just over 5,000 of the 15,000 compromised FortiGate devices are still exposing their web login interfaces.<\/p>\n<p>\u201cEven if you patched back in 2022,\u201d Beaumont wrote, \u201cyou may still have been exploited as the configs were dumped years ago and only just released \u2014 you probably want to find out when you patched this vuln. 
Having a full device config including all firewall rules is\u2026 a lot of information.\u201d<\/p>\n<p>While the data was apparently collected just over two years ago, it is unknown why it is being released now. In a post last week analyzing the dump, <a href=\"https:\/\/censys.com\/fortigate-config-leak-impact\/\">researchers at Censys noted<\/a> that the Belsen Group is new. It is possible that this threat actor recently bought or assembled the data now on offer from the original hacker(s).<\/p>\n<p>Censys also believes that, even though FortiGate admins may have taken action two years ago when the vulnerability was discovered, the data \u201cis still relevant and capable of causing damage. Firewall configuration rules in particular tend to remain unchanged unless a specific security incident prompts an update. It\u2019s also fully possible, of course, that some of these firewalls have changed ownership in the interim, but such cases are also uncommon.\u201d<\/p>\n<p>The publication of this data means that threat actors have more material to work with for social engineering and account takeover, Randy Pargman, senior director of threat detection at Proofpoint, told CSO. \u201cThey can take the leaked passwords and, even assuming all have been changed, use the fact that people often use variations of the same password to guess probable passwords. Threat actors can also target email lures to people whose email addresses appear in the leak, using FortiGate-themed lures leading to malware or phishing pages.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Network administrators with Fortinet\u2019s FortiGate next generation firewall in their IT environments are being warned to thoroughly scrutinize systems for possible compromise, following last week\u2019s dump of stolen configuration and VPN credentials by a threat actor. \u201cPatching is not enough,\u201d tweeted cybersecurity researcher Florian Roth on Thursday. 
\u201cIf you take security seriously, you must run [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1633,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1632"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1632"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1632\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1633"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}