2022 zero day was used to raid Fortigate firewall configs. Somebody just released them.

Back in 2022, Fortinet warned that somebody had a zero day vulnerability and was using it to exploit Fortigate firewalls https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684

Today, Belsen Group publicly released Fortigate firewall configs from just over 15k unique devices:

(Embedded Mastodon post by Kevin Beaumont, @GossiTheDog@cyberplace.social)

I have been able to verify this dump is real, as devices in it are listed on Shodan and share the same unique serial numbers.

The dump contains:

  • Usernames
  • Passwords (some in plain text)
  • Device management digital certificates
  • All firewall rules

I’ve done incident response on one device at a victim org, and exploitation was indeed via CVE-2022-40684 based on artefacts on the device. I’ve also been able to verify that the usernames and passwords seen in the dump match the details on the device.

The data appears to have been assembled in October 2022, when the vulnerability was still a zero day. For some reason, it has been released today, just over 2 years later.

The so what

Even if you patched back in 2022, you may still have been exploited: the configs were dumped years ago and have only just been released. You probably want to find out when you patched this vulnerability.

What next

I plan to publish the list of in-scope IPs so orgs can assess whether they are impacted. You should also make sure you have patched CVE-2022-40684 (although, as mentioned, it may be a little late). If you are in scope, you may need to change device credentials and assess the risk of your firewall rules being publicly available.

You can follow me on Mastodon at @gossithedog@cyberplace.social (https://cyberplace.social/invite/hHiX8ntL). Or not, the choice is yours.



This article has been indexed from DoublePulsar – Medium
