One final update - did some IR on an impacted device, it looks like CVE-2022-40684 based on artefacts left behind.
It also looks like the data was assembled in October 2022 and only just released, looking back at historic IP records vs the dump. So basically if your config might be in the dump even if you patched, as it was a zero day at the time.
Also in the dump is complete firewall rules for the devices.
1.30am bloggo I wrote
Everything I know about the Fortigate config dump situation
Also, Belsen was a exchange camp, where Jewish hostages were held with the intention of exchanging them for German prisoners of war held overseas.
GitHub repo with the FortiGate config dump IPs. If you’re on this list, you need an incident to rotate creds etc.
https://github.com/arsolutioner/fortigate-belsen-leak/blob/main/affected_ips.txt
Here's how the data was organised, by country (Australia and UAE love Forti).
The data appears to have been assembled for release starting on the 11th, based on the modified dates (but was collected years earlier).
@GossiTheDog Thanks for sharing this.
We just checked for our IP ranges (nothing in there) but one of my colleagues grouped the IPs in the repo by AS - funnily enough, a good number of the top few are AS from which we frequently see DDOS traffic against our services. Perhaps suggests a lack of care & maintenance on their part & that the DDOS are likely from/via compromised kit. Not a major surprise.
@tdp_org @GossiTheDog I find the absence of, e.g., 3320 in that list a bit odd.
Plan for later today is release an Excel file with IPs, reverse DNS, ASN org names and numbers, country etc so orgs can better surface their exposure. Will post here and update blog post.
Also, in terms of data validity - I have an automated process scraping HTTP requests for serial numbers and comparing to serial numbers in config files for same IPs: it's legit, they match.
Updated my blog on the Fortigate situation (at the bottom). Nothing particularly interesting.
Also, the blog has pretty significant traffic, just looked at the numbers - but less than 4% from Twitter. That would have been unthinkable a few years ago.
FortiGate have a blog out: https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-data-posting
It’s essentially the same as my blog - but in corporate 🤣
It plays heavily on the ‘this is old data’ angle and says you’ll be fine as long as you rotated credentials. Sure, somebody obtained all your firewall rules.. but that’s okay.. right. ✅
To help defenders find their impacted orgs in the Fortigate configuration dump incident, here's all emails mentioned - Ctrl+F for yourself.
Obvious point - not everybody puts their email address in a config file.
Also, one of the things I've seen mentioned about this dump (including by Fortigate, bizarrely) is 'old IPs, none of these are live'.
Tip: remotegw-ddns feature. Fortinet even offer dynamic DNS as a service so the IPs float by design. A lot of them are hanging off that.
@GossiTheDog lotta .gov addresses in there.
