New Hacking Group "Belsen Group" Leaks Data from Over 15,000 FortiGate Devices

A newly surfaced hacking collective, the “Belsen Group,” has exposed configuration files, IP addresses, and VPN credentials for over 15,000 FortiGate devices. As reported by BleepingComputer, this data, freely distributed on the dark web, contains sensitive information that could be exploited by cybercriminals.

The Belsen Group announced its presence earlier this month via social media and cybercrime forums, establishing a Tor-based website to showcase their activities. In their first major operation, the group released the FortiGate data dump at no cost, describing it as a strategic move to build their reputation within the cybercriminal community.

“…in order to solidify the name of our group in your memory, we are proud to announce our first official operation,” the group wrote in a hacking forum post, positioning themselves as a new threat actor to be reckoned with.

The leaked archive, totaling 1.6 GB, is meticulously structured by country, with each folder containing subfolders for the IP addresses of affected devices. These folders include files such as configuration dumps and VPN password lists. Alarmingly, many of the passwords are stored in plain text, and additionally, the archive contains private keys and firewall rules, further compounding the risk to affected organizations.

Cybersecurity experts have linked the leak to a 2022 zero-day vulnerability, tracked as CVE-2022-40684. This vulnerability allowed attackers to exploit FortiGate devices, download configuration files, and create rogue administrator accounts. While Fortinet addressed the flaw in October 2022 with a firmware update, questions remain about how patched devices may still have been compromised.

Although the compromised data was collected in 2022, it remains a pressing security concern. The leaked information includes firewall configurations and credentials, which could still be valid for organizations that failed to implement updates or rotate passwords. Administrators must act swiftly by reviewing their systems, identifying any exposure, and updating configurations and passwords immediately.
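As an added example (not code from the article or from TrollEye Security), the following Python script walks an archive laid out as described above, a folder per country containing a folder per device IP, and reports which entries fall inside an organization's own address ranges, flagging entries that include a VPN password file so credential rotation can be prioritized. The directory tree, file names and IP ranges used here are constructed assumptions for illustration.

```python
"""Exposure check over a leak archive laid out as <country>/<device-ip>/<files>."""
import ipaddress
import tempfile
from pathlib import Path

# Constructed sample layout mirroring the described structure (test data only).
SAMPLE_LAYOUT = {
    "US/203.0.113.10": ["config.conf", "vpn-passwords.txt"],
    "US/203.0.113.77": ["config.conf"],
    "DE/198.51.100.5": ["config.conf", "vpn-passwords.txt"],
}


def build_sample_archive(root: Path) -> None:
    """Create the constructed directory tree under root (placeholder file contents)."""
    for rel, files in SAMPLE_LAYOUT.items():
        device_dir = root / rel
        device_dir.mkdir(parents=True, exist_ok=True)
        for name in files:
            (device_dir / name).write_text("placeholder\n")


def find_exposed_devices(root: Path, own_networks: list[str]) -> list[dict]:
    """Return one record per device folder whose IP lies in any of own_networks.

    Each record notes the country folder, the IP, the artifact file names found,
    and whether a password file is present (credentials must then be rotated,
    not just the configuration reviewed).
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in own_networks]
    hits = []
    for country_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ip_dir in sorted(p for p in country_dir.iterdir() if p.is_dir()):
            try:
                addr = ipaddress.ip_address(ip_dir.name)
            except ValueError:
                continue  # folder name is not an IP address; skip it
            if any(addr in net for net in nets):
                files = sorted(f.name for f in ip_dir.iterdir() if f.is_file())
                hits.append({
                    "country": country_dir.name,
                    "ip": str(addr),
                    "has_vpn_passwords": any("password" in f.lower() for f in files),
                    "files": files,
                })
    return hits


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_archive(Path(tmp))
        for hit in find_exposed_devices(Path(tmp), ["203.0.113.0/24"]):
            print(hit)
```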

Organizations must act decisively, treating this incident as a call to fortify their defenses. Failure to do so not only risks immediate exploitation but also sets the stage for future attacks, as cybercriminals increasingly target unprepared systems.

Ultimately, this incident underscores the fact that cybersecurity is not just an IT concern but a fundamental pillar of business resilience. By addressing vulnerabilities swiftly and implementing comprehensive security protocols, organizations can better protect their assets, their customers, and their reputation.
