Warning to FortiGate admins: You need to run a compromise assessment now

While the data was apparently collected just over two years ago, it is unknown why it’s being released now. In a post last week analyzing the dump, researchers at Censys noted that the Belsen Group is new. It’s possible that this threat actor recently bought or assembled the data now for sale from the original hacker(s).

Censys also believes that, while action may have been taken by FortiGate admins two years ago, after the vulnerability was discovered, “it is still relevant and capable of causing damage. Firewall configuration rules in particular tend to remain unchanged unless a specific security incident prompts an update. It’s also fully possible, of course, that some of these firewalls have changed ownership in the interim, but such cases are also uncommon.”

The publication of this data means that threat actors have more material to work with for social engineering and account takeover, Randy Pargman, senior director of threat detection at Proofpoint, told CSO. “They can take the leaked passwords and, even assuming all have been changed, use the fact that people often use variations of the same password to guess probable passwords. Threat actors can also target email lures to people whose email addresses appear in the leak, using FortiGate themed lures leading to malware or phishing pages.”