An ecrime group has somehow gained access to 75k Fortinet firewall devices - dubbed Fortibleed

Blog https://www.infostealers.com/article/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosure/

Check if your domain is impacted: https://www.hudsonrock.com/fortinet

I’ve verified the data is real. They’ve been dumping the Fortinet config - not sure how yet - and then cracking the passwords it appears. Data is being resold online. #fortibleed

Data looks like this, appears they validated creds too.

It’s similar to the Belsen Group thing, although that was a smaller collection of devices - prior thread

https://cyberplace.social/@GossiTheDog/113834848200229959

Kevin Beaumont (@[email protected]): A new group, Belsen Group, claim to have released Fortigate configs for 15k firewalls. #threatintel

So there are definitely devices which weren't in the Belsen Group post back last year, in fact almost all of them weren't.

On how they got the passwords - until about a year ago, FortiOS (Fortinet firewall OS) stored admin passwords as salted SHA-256, which can be brute-forced.

In an update about a year ago, if installed and admins log in, passwords are stored much more securely - but most orgs won't be in that condition yet. In other words, if you dump the config you could get the passwords.

FortiBleed — 75k Fortinet firewalls have admin passwords cracked

A look inside a massive dump allowing access to organisations protected by Fortigate firewall solutions.


Lol, the #FortiBleed data was found in an opendir on a webserver 🤣 truly GenAI is going to take over 😜

"They accidentally left an open directory with artefacts, connection strings, tooling, scripts and data online. Analytics obtained via their cron jobs, bash histories, logs etc,"

https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/

FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices.

A newly discovered data leak dubbed "FortiBleed" has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide.

#GAYINT list of impacted #FortiBleed domains (this is basically email addresses of admin accounts on the device btw) https://blog.gayint.org/intel/fortibleed.txt
#GAYINT list of impacted #FortiBleed IPs. Not all as I couldn't write the parser properly. http://owned.lab6.com/~gossi/research/public/fortibleed/some-fortibleed-ips.txt

Fortinet appear to be telling press the #Fortibleed breach is made up of prior breaches and brute forcing.. but I’ve seen the breach data and it includes many passwords not in prior dumps, and I’ve worked with impacted orgs and they report no brute forcing of impacted accounts.

I think there may be some confusion about this one - the brute forcing is the cracking of the passwords by the threat actor, which is done locally.

Watch this space on this one anyhoo.

Alert: NCSC issues advice following global targeting of Fortinet firewalls and VPN gateways

Organisations using Fortinet services are being urged to take action following a campaign affecting firewalls and VPN gateways.


To be transparent about this, a threat actor has been claiming they have an exploit to get FortiOS device password hashes remotely from config for the past month. It’s currently unclear how. They claim it’s an exploit of an unpatched vuln. Their claims predate the discovery of this dump.

If I end up having to set up another FortiGate firewall honeypot to figure out what’s going on.. I’ll British tut and get on with it.

Some kind #FortiBleed victims got me to look at their situations. Some IOCs performing remote config dumps:

193.8.186.7
80.75.212.113
213.21.239.65

Look for inbound TCP traffic to Fortigate devices. If seen, log into the devices and look for config dump events from those IPs.

Config dumps (including crackable password hashes) have been going on for around a month.

If you have IPsec site to site VPN tunnels on the impacted Fortinets you need to rebuild the tunnels with new keys both ends.
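One way to do the log check described above, as an added example that is not part of the thread: a small Python parser over FortiGate-style key=value event lines that flags configuration backup events and any other activity sourced from the IOC addresses listed above. The sample log lines are constructed, and the field names srcip, logdesc, action and user are assumptions about the event-log schema.

```python
import re
from ipaddress import ip_address

# IOC source addresses named in the thread as performing remote config dumps.
CONFIG_DUMP_IOCS = {"193.8.186.7", "80.75.212.113", "213.21.239.65"}

# Matches key=value and key="value with spaces" pairs in FortiGate-style syslog.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample lines (not a real capture); srcip, logdesc, action and user
# are assumed field names for the event-log schema.
SAMPLE_LOG = """\
date=2026-01-10 time=03:14:07 type="event" subtype="system" logdesc="Config backup" user="admin" srcip=193.8.186.7 action="backup" msg="Configuration backup started"
date=2026-01-10 time=03:15:22 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.1.1.5 action="login"
date=2026-01-10 time=03:20:41 type="event" subtype="system" logdesc="Config backup" user="backup-svc" srcip=10.1.1.5 action="backup"
date=2026-01-11 time=22:02:09 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=80.75.212.113 action="login"
date=2026-01-11 time=22:03:55 type="event" subtype="system" logdesc="Config backup" user="admin" srcip=80.75.212.113 action="backup"
"""

def parse_line(line):
    """Turn one key=value syslog line into a dict, with quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}

def _events_from(log_text, iocs):
    """Yield parsed events whose srcip is a valid address in the IOC set."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        src = ev.get("srcip")
        try:
            ip_address(src)
        except (ValueError, TypeError):
            continue  # missing or malformed source field: skip the line
        if src in iocs:
            yield src, ev

def find_config_dumps(log_text, iocs=CONFIG_DUMP_IOCS):
    """Return (srcip, user, date, time) for config backup/export events from IOCs."""
    hits = []
    for src, ev in _events_from(log_text, iocs):
        is_dump = ev.get("action") == "backup" or "config" in ev.get("logdesc", "").lower()
        if is_dump:
            hits.append((src, ev.get("user"), ev.get("date"), ev.get("time")))
    return hits

def ioc_activity(log_text, iocs=CONFIG_DUMP_IOCS):
    """Return (srcip, action) for every event sourced from an IOC, dump or not."""
    return [(src, ev.get("action")) for src, ev in _events_from(log_text, iocs)]

if __name__ == "__main__":
    for hit in find_config_dumps(SAMPLE_LOG):
        print("config dump from IOC:", hit)
```

Feed it the real event log exported from the device; logins from an IOC address that precede a backup event are the ones worth pulling the bash-history-style timeline around.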

AL26-014 – FortiBleed leak of thousands of compromised credentials impacting Fortinet devices - Canadian Centre for Cyber Security

CloudSEK look at the open directory that had all the #FortiBleed tooling and data in it. It's a good report, although I disagree with their conclusion - it's still an absolutely truck load of creds, even if that particular opendir only had internal network details for a few thousand orgs. https://www.cloudsek.com/blog/inside-the-fortibleed-open-directory-a-technical-analysis-of-what-the-attacker-left-behind
Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind | CloudSEK

An exposed attacker server has revealed FortiBleed’s complete operation—from credential harvesting and GPU-powered cracking to network intrusion and access sales. CloudSEK’s analysis separates verified compromises from inflated claims, uncovering what the attackers actually achieved.

Update on FortiBleed by me

New IOCs doing config dumps (including an IP address owned by Fortigate), details on movement inside networks etc.

https://doublepulsar.com/an-update-on-fortibleed-whats-happening-with-victim-orgs-c0671a50e7f4

An update on FortiBleed — what’s happening with victim orgs

Attackers on internal networks, password cracked and other Friday fun.


Fortinet have put out a blog about FortiBleed finally - where they don’t mention configuration exports (which is definitely happening at scale, I have receipts) or password hash cracking (we have the bash history of the user doing it).. but instead link Fortibleed to a prior marketing blog called “Attacks at the speed of AI” 🤦‍♀️

https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices?lctg=197390370

Analysis of Reported Credential Compromise of FortiGate Devices | Fortinet Blog

What you need to know about “FortiBleed”…


There's some more analysis of the #FortiBleed attack infrastructure here:
https://zenox.ai/en/fortibleed-anatomy-of-the-fortibleed-campaign-based-on-the-server-that-the-attackers-themselves-left-exposed/

It's not mentioned but they cracked around 170k AD account passwords. Also all the comments in the custom source are written in Russian.

Also, there is a GenAI angle I missed - they used an open source pentesting AI agent framework to try to automate attacks. It doesn't look like that bit worked very well.

@GossiTheDog Why is there so much confusion between machine learning and automation?
@Sempf @GossiTheDog Recency bias?