Table of Contents
Data from companies across the world has been made public on the dark web, sourced from a historic vulnerability in Fortinet’s FortiGate firewall. A relatively unknown threat-actor leaked data from over 15,000 Fortinet devices, leaving organizations across the world asking how this might affect them and what they should do to defend themselves.
This data is believed to have been attained using vulnerabilities in Fortinet’s firewall service, FortiGate, in particular the zero-day vulnerability CVE-2022–40684. This vulnerability was present in all devices with FortiOS and affected both physical and virtual devices. It was exploited by cybercriminals to download configuration files that contained sensitive information, such as credentials, firewall rules, and VPN credentials.
While these vulnerabilities have now been fixed, simply patching is not enough. Often, these credentials were then used to gain super-admin privileges, modify configurations, and move laterally across the compromised networks.
Keep reading for some actions you can take today to help protect against further compromise.
Why We Need To Take the Fortinet Leak Seriously
Whereas the majority of credential leaks include usernames and passwords, this one is arguably more serious — and requires immediate attention.
Although the release of the data for free is recent, the zero-day vulnerability was detected in 2022 and Fortinet released a patch to fix it in the same year. This suggests that organizations may have already been compromised for over two years. Furthermore, although the patch to fix the vulnerability has been available since 2022, a number organizations still haven’t applied it.
These are the versions of Fortinet FortiOS that were affected by the vulnerability:
- Fortinet FortiOS version 7.2.0 through 7.2.1 & 7.0.0 through 7.0.6
- FortiProxy version 7.2.0 & 7.0.0 through 7.0.6
- FortiSwitchManager version 7.2.0 & 7.0.0
It is also worth noting that patching the devices does not defend against threat actors who have already accessed credentials. Assuming an organization hasn’t changed their firewall credentials, cybercriminals could still have direct access to their network. This can be used to steal information or deploy malware, such as ransomware.
In many cases, the leaked configuration files also include information on network architecture, such as firewall rules and admin credentials, which can be used to identify vulnerabilities and plan an attack.
Another worrying aspect of the attack is that many of the details remain cloudy. The data was released by a fairly unknown hacker group, the Belsen Group, and we have no way of knowing whether they were responsible for the hack. An important question is, have more organizations been compromised? With the information available, we cannot say — this means that all FortiGate users should assume they are compromised, even if their details were not in Belsen’s release of data.
What Are the Urgent Actions — And Are They Enough?
It’s essential to stress that patching is the first action to take, but it isn’t enough — it’s time for a complete overhaul. If you suspect your organization has been compromised, you should take urgent action as soon as possible (check, here, if your devices are on the list of affected IPs).
- Ensure that all FortiGate deployments are updated to the latest version.
- Update any relevant credentials, passwords, and configurations that might be associated, including IPsec passwords.
- Examine firewalls for unusual rules or anomalies that may suggest compromise.
- Revoke exposed certificates.
- Reconfigure Fortinet devices, reinforcing settings, for example implementing multi-factor authentication and strengthening admin passwords.
Take note that, given the nature of the leak, cybercriminals may have moved laterally across your organization, so it is advisable to update passwords and settings across your security stack. All this, however, still may not be enough.
Firstly, even if you patched straight away, back in 2022 when the zero-day was discovered, it is possible that you had already been compromised and your firewall credentials had been compromised. Attackers could already be inside the network and may have extracted information or delivered malware.
The explicit nature of the information from the Fortinet leak means it can be used for targeted social engineering attempts. Also, be aware when changing passwords that the old passwords revealed in the hack could provide a basis for the attackers to guess the new passwords.
Your firewall may still be backdoored, providing attackers with persistent methods to enter your network.
So, what more can we do to mitigate damage and avoid a repeat attack?
Recommendations From the FortiGate Data Leak
When you reevaluate your cyberdefences, consider mitigating against the fall-out from credential leaks, such as regular patching and implementing a zero-trust architecture. However, there are also some more time-critical actions that can be taken.
Assume you are already compromised. This maxim is a keystone of cyber defense — and events like this show why. Cybercriminals can and will get past your firewall, or Endpoint Detection and Response, or whichever defenses you have in your stack. Whether or not you were affected by this data leak, it is always best to be prepared.
We can take this further and assume that credentials are likely to be out there on the dark web to allow criminals to access our networks through ‘legitimate’ means.
So, the question is, now that we accept that we are compromised, what can we do? There are three key questions you can ask yourself:
- Which credentials do criminals already have?
Monitor the dark web using an external attack surface exposure tool. - What vulnerabilities might criminals exploit?
Examine the compromise state of your organization. Identify if criminals have established backdoors in your existing security stack. - Are cybercriminals on my network?
Monitor your network for suspicious activity using a 24/7 Network Detection and Response tool.
In other words, the answer is to be proactive in ensuring that you know what the criminals know and that you have maximum visibility across your network. This way you stay one step ahead.
Cybercriminals know exactly how to bypass traditional security measures. Though an important part of the cyber stack, Firewalls and EDRs are often exploited for malicious purposes. To find out more about how Lumu can help defend your network against the repercussions from the Fortinet leak and protect your network in the future, open a free account today.
