Plan for later today is release an Excel file with IPs, reverse DNS, ASN org names and numbers, country etc so orgs can better surface their exposure. Will post here and update blog post.
Also, in terms of data validity - I have an automated process scraping HTTP requests for serial numbers and comparing to serial numbers in config files for same IPs: it's legit, they match.
Updated my blog on the Fortigate situation (at the bottom). Nothing particularly interesting.
Also, the blog has pretty significant traffic, just looked at the numbers - but less than 4% from Twitter. That would have been unthinkable a few years ago.
Edited 159d ago
FortiGate have a blog out: https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-data-posting
It’s essentially the same as my blog - but in corporate 🤣
It plays heavily on the ‘this is old data’ angle and says you’ll be fine as long as you rotated credentials. Sure, somebody obtained all your firewall rules.. but that’s okay.. right. ✅
To help defenders find their impacted orgs in the Fortigate configuration dump incident, here's all emails mentioned - Ctrl+F for yourself.
Obvious point - not everybody puts their email address in a config file.
Edited 153d ago
Also, one of the things I've seen mentioned about this dump (including by Fortigate, bizarrely) is 'old IPs, none of these are live'.
Tip: remotegw-ddns feature. Fortinet even offer dynamic DNS as a service so the IPs float by design. A lot of them are hanging off that.
@GossiTheDog lotta .gov addresses in there.