In a significant cybersecurity incident, a newly identified hacking group called Belsen Group has leaked critical configuration files along with virtual private network (VPN) details for roughly 15,000 firewall devices manufactured by Fortinet. This leak has caught the attention of independent security researcher Kevin Beaumont, who revealed on January 15 through Mastodon that sensitive information from the devices was accessible on the dark web. Beaumont attributes the leak to Belsen Group, a hacking entity that has recently surfaced on social media and cybercrime forums around January 2025.
The Scope of the Leak
Details of the Compromised Data
The data dump includes multiple sensitive components such as FortiGate usernames, passwords (some of which were exposed in plain text), device management digital certificates, and firewall rules. Both Beaumont and CloudSEK researcher Koushik Pal have noted that many of the compromised devices are running FortiGate 7.0.x and 7.2.x versions of the software. This extensive leak has raised alarms within the cybersecurity community, emphasizing the need for immediate action by affected organizations. The exposure of plain text passwords is particularly alarming, as it suggests a lack of adequate encryption or secure storage practices, potentially enabling unauthorized access to networks.
The compromised data’s verification process further validated the severity of the leak. Beaumont managed to verify some of the data by cross-referencing IP addresses and configurations of exposed devices visible on the security search engine Shodan. This cross-verification included communicating directly with affected parties who could confirm that their compromised credentials were indeed part of the leak. Such authenticated evidence underscores the leak’s legitimacy and highlights the urgent need for affected entities to act promptly. The broader cybersecurity community has stressed the importance of addressing this breach, given its potential to compromise sensitive operations and data.
The Vulnerability Exploited
CVE-2022-40684: The Root Cause
Belsen Group’s actions likely stem from the exploitation of a Fortinet vulnerability known as CVE-2022-40684. This specific vulnerability is an authentication bypass appearing in various Fortinet products, including FortiOS, FortiProxy, and FortiSwitchManager. Discovered initially in 2022, it allows unauthenticated attackers to perform operations on the administrative interface utilizing specially crafted HTTP or HTTPS requests. Despite its discovery and subsequent fix updates, the vulnerability remains a point of exploitation, as many organizations may have delayed applying patches or overlooked the vulnerability’s significance.
Adding further complexity to the situation, Fortinet disclosed a new zero-day vulnerability (CVE-2024-55591) shortly before Beaumont’s revelation. This vulnerability affects FortiGate devices leveraging specific versions of FortiOS and FortiProxy, underscoring the urgency for organizations to patch promptly. Though not directly related to the vulnerability exploited by Belsen Group, similar zero-day threats could become focus points for such hacking groups. CloudSEK’s Pal highlighted the commonality of being authentication bypass vulnerabilities, which makes them particularly attractive targets for exploitation. This series of vulnerabilities emphasizes the need for vigilance and timely updates to avoid potential breaches.
The Importance of Patching
The importance of patching security vulnerabilities cannot be overstated, as evidenced by the exploitation of CVE-2022-40684. Regular updates and patching activities can prevent such breaches by ensuring that discovered vulnerabilities are addressed promptly. However, the constant emergence of new vulnerabilities necessitates a proactive approach to cybersecurity. Organizations must stay informed about the latest security patches and updates provided by manufacturers and implement them without delay to safeguard their systems against potential threats.
Moreover, proactive measures such as regular vulnerability assessments and penetration testing can identify weaknesses before they are exploited by malicious actors. This incident serves as a reminder of the critical need for comprehensive cybersecurity strategies that include not only patching but also continuous monitoring and assessment of network security. The implementation of multifactor authentication (MFA) and robust encryption protocols can add additional layers of defense, reducing the likelihood of unauthorized access even if some credentials are compromised.
The Broader Implications
Historical Context and Group Activity
Belsen Group’s activities have brought to light the ongoing and evolving nature of cyber threats. Despite their first appearance being in early January 2025, CloudSEK’s analysis suggests that the group has been active for at least three years. They have likely been involved in exploitation campaigns dating back to 2022, which adds credibility to their capabilities. The group’s recent data leak was posted on a Tor website, further indicating a premeditated plan to publicize their activities within the darker corners of the internet. This historical context provides insight into the group’s operational methods and their strategic approach to cybercrime.
The analysis of Belsen Group’s operations underscores the sophistication and persistence of modern hacking entities. Their ability to remain undetected and conduct campaigns over several years highlights the challenges that security professionals face in identifying and mitigating such threats. The public disclosure of their activities through forums and social media platforms further complicates the cybersecurity landscape, as it attracts attention from other malicious actors who may seek to emulate or collaborate with the group. The continuous evolution of cyber threats necessitates an equally dynamic and adaptive response from the cybersecurity community.
Other Related Incidents
The disclosure of an unrelated yet severe exploitation campaign targeting FortiGate devices, which began in December 2024, by security provider Arctic Wolf also raises concerns. While there is no established connection between this campaign and Belsen Group’s data leak, the cluster of incidents emphasizes a growing focus on Fortinet’s product vulnerabilities by various threat actors. The revelation of multiple exploitation campaigns underscores the critical need for robust cybersecurity measures and vigilant monitoring of network security.
The overlapping timelines and targets of these incidents highlight the possibility of coordinated efforts by different hacking entities. The increasing attention on Fortinet vulnerabilities suggests that these products are perceived as valuable targets due to their widespread use in securing organizational networks. This convergence of threats calls for a unified and strategic response from security professionals, involving collaboration and information sharing to effectively counteract and prevent such exploits. Organizations must prioritize the security of their Fortinet devices and remain vigilant against emerging threats to ensure comprehensive protection.
Steps for Mitigation
Immediate Actions for Organizations
In response to the Belsen Group’s leak, Kevin Beaumont alerts that organizations need to respond promptly by altering SSL VPN credentials, administrator passwords, and making other necessary security changes to mitigate potential fallout. This proactive approach is essential to prevent further exploitation and secure the compromised devices. Immediate actions may also include conducting thorough security audits, disabling compromised accounts, and implementing network segmentation to limit potential damage.
Organizations must also communicate with their employees about the breach and provide guidance on best practices for maintaining secure credentials. Educating staff about the importance of using strong, unique passwords and enabling MFA can significantly enhance overall security posture. Additionally, collaboration with cybersecurity experts or managed security service providers (MSSPs) can provide valuable insights and assistance in addressing the breach and fortifying defenses against future attacks.
Long-Term Security Measures
The ramifications of this leak are potentially serious, as the compromised firewall devices can be exploited for unauthorized access, making them vulnerable to further attacks. Security experts are urging organizations using Fortinet firewalls to promptly review and bolster their security protocols to mitigate potential risks. This incident highlights the ongoing and evolving threat landscape in cybersecurity, underscoring the need for vigilant protection of digital assets against cyber adversaries like the Belsen Group.
