A leak of FortiGate firewall configuration files, published in January 2025, has exposed email addresses and IP address information tied to nearly 5,000 organizations. The data does not stem from a new flaw: it traces back to mass exploitation in 2022 of CVE-2022-40684, an authentication bypass in the FortiOS administrative interface that was a zero-day at the time the configurations were harvested.
The Belsen Group, a cybercriminal crew, posted approximately 15,000 FortiGate configuration files online. Security researcher Kevin Beaumont analysed the dump and compiled a list of the email addresses embedded in the configurations so that organizations could check whether they were affected. He cautioned that “not every configuration file includes email addresses,” so the list is not exhaustive. The list itself was not part of the leak; Beaumont derived it from the leaked files as a lookup aid for potential victims.
The configuration files are dangerous because each one describes how a network is built: firewall policies, interface and address objects, VPN peers and settings, administrator accounts and, in some files, credentials. An attacker can use them for reconnaissance, to pivot into the network behind the firewall, or as the starting point for ransomware or data theft. Patching a device after the fact does not undo this exposure, because the secrets and topology captured in a 2022 export are still valid unless they have been changed since. Fortinet has accordingly recommended that affected organizations rotate credentials and review their systems; the incident underlines that device configurations are sensitive assets that need the same protection and monitoring as the data behind them.
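The two practical questions raised above are "does this leak contain my organization?" and "what in the file must I rotate or fix?". The script below is an added example of how a defender could triage a FortiGate CLI export to answer both; it is not code from the article, from Kevin Beaumont, from Fortinet or from the leak. The sample configuration is constructed, with invented hostnames, addresses, emails and secrets. Two heuristics are assumptions: that a secret exported without FortiOS's `ENC` marker is plaintext, and that an `accept` policy from `all` to `all` on service `ALL` is worth flagging.

```python
import re
import shlex

# Constructed sample in FortiGate CLI export syntax (not a real leaked file);
# every hostname, address, email and secret here is invented.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.5-FW-build0304-220518:opmode=0:vdom=0:user=admin
config system global
    set hostname "FW-BRANCH-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set email-to "netops@example.com"
        set password ENC SH2AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
    next
    edit "backupadmin"
        set accprofile "super_admin"
        set password Summer2022!
    next
end
config alertemail setting
    set mailto1 "soc@example.com"
end
config vpn ipsec phase1-interface
    edit "to-hq"
        set remote-gw 203.0.113.10
        set psksecret ENC q3Jk9ZmX1LpW8vRt
    next
    edit "to-vendor"
        set remote-gw 198.51.100.7
        set psksecret vendor-shared-key
    next
end
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
VERSION_RE = re.compile(r"^#config-version=([A-Za-z0-9]+)-(\d+\.\d+\.\d+)-")
# Assumption: FortiOS writes encrypted/hashed secrets with an "ENC" marker, so a
# secret-looking key whose value lacks it is treated as plaintext.
SECRET_KEYS = ("password", "passwd", "psksecret", "secret", "key")


def parse_fortigate_config(text):
    """Walk a FortiGate CLI export; return who to notify, what to rotate, what is exposed."""
    found = {"platform": None, "firmware": None, "hostname": None, "emails": set(),
             "admins": [], "vpn_peers": [], "plaintext_secrets": [],
             "encrypted_secrets": [], "permissive_policies": []}
    stack, entry, policy = [], None, {}   # open 'config' sections, current 'edit', policy fields
    for raw in text.splitlines():
        line = raw.strip()
        m = VERSION_RE.match(line)        # the header comment carries model and firmware
        if m:
            found["platform"], found["firmware"] = m.group(1), m.group(2)
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)        # strips the quotes FortiOS puts around values
        keyword, args = tokens[0], tokens[1:]
        section = stack[-1] if stack else ""
        if keyword == "config":
            stack.append(" ".join(args))
        elif keyword == "edit" and args:
            entry = args[0]
            if section == "firewall policy":
                policy = {"id": entry}
        elif keyword == "next":
            if section == "firewall policy" and policy.get("action") == "accept" and \
               policy.get("srcaddr") == "all" == policy.get("dstaddr") and policy.get("service") == "ALL":
                found["permissive_policies"].append(policy["id"])   # any-to-any accept rule
            entry, policy = None, {}
        elif keyword == "end" and stack:
            stack.pop()
        elif keyword == "set" and args:
            key, values = args[0], args[1:]
            value = " ".join(values)
            found["emails"].update(EMAIL_RE.findall(value))   # any field may carry a contact
            if section == "system global" and key == "hostname":
                found["hostname"] = value
            elif section == "system admin" and key == "accprofile":
                found["admins"].append((entry, value))
            elif section.startswith("vpn ipsec phase1") and key == "remote-gw":
                found["vpn_peers"].append((entry, value))
            elif section == "firewall policy":
                policy[key] = value
            if key.endswith(SECRET_KEYS):
                bucket = "encrypted_secrets" if values and values[0] == "ENC" else "plaintext_secrets"
                found[bucket].append(f"{section} / {entry} / {key}")
    found["emails"] = sorted(found["emails"])
    return found


if __name__ == "__main__":
    for name, items in parse_fortigate_config(SAMPLE_CONFIG).items():
        print(f"{name}: {items}")
```

The `emails` list is the victim-lookup side: it is what a list like Beaumont's would be built from, and it stays empty for a file with no contact fields, which is exactly why such a list cannot be exhaustive. The `admins`, `vpn_peers` and two secret buckets are the rotation checklist: every entry needs a new password or pre-shared key whether or not the device has been patched since 2022, and the `plaintext_secrets` entries are the ones an attacker can use without any cracking. `shlex.split` is adequate for FortiOS's double-quoted values but will raise on a stray single quote inside an unquoted value, so wrap it if you run this over thousands of files.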