An ecrime group has somehow gained access to 75k Fortinet firewall devices - dubbed Fortibleed

Blog https://www.infostealers.com/article/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosure/

Check if your domain is impacted: https://www.hudsonrock.com/fortinet

I’ve verified the data is real. They’ve been dumping the Fortinet config - not sure how yet - and then cracking the passwords it appears. Data is being resold online. #fortibleed

Data looks like this, appears they validated creds too.

It’s similar to the Belsen Group thing, although that was a smaller collection of devices - prior thread

https://cyberplace.social/@GossiTheDog/113834848200229959

Kevin Beaumont (Cyberplace), 2 images attached: "A new group, Belsen Group, claim to have released Fortigate configs for 15k firewalls. #threatintel"

So there are definitely devices which weren't in the Belsen Group post back last year, in fact almost all of them weren't.

On how they got the passwords - until about a year ago, FortiOS (Fortinet firewall OS) stored admin passwords as salted SHA-256, which can be brute-forced.

In an update about a year ago, if installed and admins log in, passwords are stored much more securely - but most orgs won't be in that condition yet. In other words, if you dump the config you could get the passwords.
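An added illustration of the point above, written for this page rather than taken from the thread or from Fortinet: once an attacker holds the config, the salt is in their hands too, so cracking is an offline dictionary attack whose speed is set entirely by how cheap one hash is. The (salt, digest) record layout, the salt bytes, the admin password and the wordlist below are all constructed for the example; they are not the FortiOS `ENC` encoding, and PBKDF2 here stands in for "a slow KDF" generically, not for whatever scheme the newer FortiOS update uses.

```python
import hashlib
import hmac
import time

# Added example (not FortiOS code): an offline dictionary attack against a
# fast salted hash pulled from a leaked config, contrasted with a slow KDF.
# Record layout, salt, password and wordlist are constructed for illustration
# and are NOT the real FortiOS config encoding.


def fast_hash(salt: bytes, password: str) -> bytes:
    """One round of salted SHA-256: microseconds per guess on a CPU, far less on a GPU."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(salt: bytes, password: str) -> bytes:
    """Iterated salted KDF (PBKDF2-HMAC-SHA256, 100k rounds): tens of ms per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def crack(record, candidates, hash_fn):
    """Offline dictionary attack against one leaked (salt, digest) record.

    Returns (password or None, guesses tried, seconds elapsed). The salt is
    no protection once the attacker holds it; it only defeats precomputation.
    """
    salt, digest = record
    start = time.perf_counter()
    for n, candidate in enumerate(candidates, start=1):
        if hmac.compare_digest(hash_fn(salt, candidate), digest):
            return candidate, n, time.perf_counter() - start
    return None, len(candidates), time.perf_counter() - start


def guesses_per_second(hash_fn, seconds=0.2):
    """Rough single-core cracking rate for a scheme (constructed micro-benchmark)."""
    salt = b"\x00" * 12
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(salt, f"guess{count}")
        count += 1
    return count / (time.perf_counter() - start)


# Constructed "leaked config" records: the same weak admin password under each scheme.
LEAKED_SALT = bytes.fromhex("0102030405060708090a0b0c")
ADMIN_PASSWORD = "Fortinet2024!"
FAST_RECORD = (LEAKED_SALT, fast_hash(LEAKED_SALT, ADMIN_PASSWORD))
SLOW_RECORD = (LEAKED_SALT, slow_hash(LEAKED_SALT, ADMIN_PASSWORD))

# Constructed wordlist of the kind a rule-based cracker generates.
WORDLIST = [
    "admin", "password", "fortinet", "Fortinet", "fortigate", "Fortigate1",
    "Fortinet123", "Fortinet2023", "Fortinet2023!", "Fortinet2024", "Fortinet2024!",
    "Admin1234!", "Welcome1!", "Summer2024!",
]

if __name__ == "__main__":
    for name, record, fn in (("salted SHA-256", FAST_RECORD, fast_hash),
                             ("PBKDF2 100k", SLOW_RECORD, slow_hash)):
        pw, tried, secs = crack(record, WORDLIST, fn)
        print(f"{name:15} cracked={pw!r} guesses={tried} in {secs:.3f}s "
              f"(~{guesses_per_second(fn):,.0f} guesses/s)")
```

Both schemes give up the weak password; the difference is the rate, which on real hardware is the gap between "every realistic password falls in hours" and "only the worst ones do". Two caveats a practitioner should keep in mind: against real FortiGate dumps an attacker would reach for hashcat's dedicated FortiGate modes rather than Python, and a slower storage format only helps for accounts whose password has actually been re-hashed since the upgrade, which is exactly the "if installed and admins log in" condition above.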

FortiBleed — 75k Fortinet firewalls have admin passwords cracked (Medium)

A look inside a massive dump allowing access to organisations protected by Fortigate firewall solutions.

Lol, the #FortiBleed data was found in an opendir on a webserver 🤣 truly GenAI is going to take over 😜

"They accidentally left an open directory with artefacts, connection strings, tooling, scripts and data online. Analytics obtained via their cron jobs, bash histories, logs etc,"

https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/

FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices (BleepingComputer)

A newly discovered data leak dubbed "FortiBleed" has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide.

#GAYINT list of impacted #FortiBleed domains (this is basically email addresses of admin accounts on the device btw) https://blog.gayint.org/intel/fortibleed.txt

#GAYINT list of impacted #FortiBleed IPs. Not all, as I couldn't write the parser properly. http://owned.lab6.com/~gossi/research/public/fortibleed/some-fortibleed-ips.txt
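An added helper for the two lists above, not part of the thread and not the parser behind them: it reduces the domain list (which, per the post, is mostly admin e-mail addresses) to bare domains and matches them, subdomains included, against domains you own, and matches the IP list against your public ranges. It assumes one e-mail address or domain per line in the first file and one IP or CIDR per line in the second; the sample lines are constructed for the example, not taken from the real lists, so download the files and feed their contents in place of the samples.

```python
import ipaddress
import re

# Added example: check your own domains and address ranges against the
# published FortiBleed lists. Line formats are assumptions (one e-mail
# address or domain per line; one IP or CIDR per line) and the sample
# content below is constructed, not taken from the real lists.

SAMPLE_DOMAIN_LIST = """\
admin@EXAMPLE.com
firewall.admin@vpn.example.com
netops@corp.example.org
not-an-address line
it@unrelated.net
"""

SAMPLE_IP_LIST = """\
203.0.113.10
203.0.113.200
198.51.100.7
192.0.2.0/28
garbage
"""

# Optional mailbox part, then a domain with at least one dot and an alphabetic TLD.
_DOMAIN_RE = re.compile(r"^(?:[^@\s]+@)?([a-z0-9.-]+\.[a-z]{2,})$")


def extract_domains(text: str) -> set:
    """Domains named in the list, lowercased; e-mail addresses reduce to the
    part after '@'. Lines that do not parse are skipped rather than guessed."""
    found = set()
    for raw in text.splitlines():
        m = _DOMAIN_RE.match(raw.strip().lower())
        if m:
            found.add(m.group(1))
    return found


def domain_hits(listed: set, my_domains) -> set:
    """Listed domains equal to, or subdomains of, a domain you own.
    The leading dot in the suffix test stops 'ample.com' matching 'example.com'."""
    mine = {d.lower().strip(".") for d in my_domains}
    return {d for d in listed if d in mine or any(d.endswith("." + m) for m in mine)}


def extract_networks(text: str) -> list:
    """Parse IPs and CIDRs into ip_network objects (a bare IP becomes a /32 or /128)."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # not an address; skip rather than abort the whole check
    return nets


def ip_hits(listed: list, my_ranges) -> list:
    """Listed entries that overlap any of your ranges, as sorted CIDR strings.
    overlaps() catches both a listed host inside your range and a listed
    block that contains or intersects it."""
    mine = [ipaddress.ip_network(r, strict=False) for r in my_ranges]
    return sorted({str(n) for n in listed
                   for m in mine if n.version == m.version and n.overlaps(m)})


if __name__ == "__main__":
    # Replace the samples with the downloaded list contents and your own assets.
    domains = extract_domains(SAMPLE_DOMAIN_LIST)
    print("domain hits:", domain_hits(domains, ["example.com"]))
    print("ip hits:", ip_hits(extract_networks(SAMPLE_IP_LIST), ["203.0.113.0/24"]))
```

A hit on a domain only tells you an admin account with that mail domain appears in the dump, not which device; pair it with the IP list and your own inventory of FortiGate management and SSL VPN addresses before deciding which credentials to rotate.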

Fortinet appear to be telling press the #Fortibleed breach is made up of prior breaches and brute forcing, but I've seen the breach data and it includes many passwords not in prior dumps, and I've worked with impacted orgs and they report no brute forcing of impacted accounts.

I think there may be some confusion about this one - the brute forcing is the cracking of the passwords by the threat actor, which is done locally.

Watch this space on this one anyhoo.

Alert: NCSC issues advice following global targeting of Fortinet firewalls and VPN gateways (National Cyber Security Centre)

Organisations using Fortinet services are being urged to take action following a campaign affecting firewalls and VPN gateways.
@GossiTheDog the organisation I work for is not on the list, and I strongly suspect because we enforced MFA on all VPN connections from the beginning (cf. NCSC point, ACSC Essential Eight ...). I don't know why orgs wouldn't use it.

@tjbutt58 @GossiTheDog Ditto for the Fortinets I support. Admin interface only open from trusted IPs as well.