Massive Leak of 15,000 FortiGate Configurations Sparks Global Security Alert
January 23, 2025

The breach is linked to a zero-day vulnerability (CVE-2022-40684) exploited by the Belsen Group in 2022, which has now been confirmed by Fortinet.
This leak has exposed configurations from a diverse range of entities, including major organizations and various government domains across the globe.
The Belsen Group has leaked around 15,000 FortiGate firewall configuration files online, raising significant security concerns for organizations worldwide.
The leaked configurations contain sensitive data such as usernames, passwords (some stored in plain text), device management digital certificates, and firewall rules.
Among the leaked data are approximately 12,000 site-to-site IPsec VPN tunnel configurations, which could allow attackers to infiltrate internal networks undetected.
CloudSEK has provided resources for organizations to determine if their networks are part of the exposed IPs, facilitating a proactive response to the breach.
Countries most affected by the leak include the US, UK, Poland, and Belgium, with additional impacts noted in France, Spain, Malaysia, the Netherlands, Thailand, and Saudi Arabia.
If attackers gain access to the IPsec tunnel keys contained in the configurations, they could use them to compromise the internal networks behind those tunnels.
With possession of firewall configurations, attackers can identify network vulnerabilities, potentially leading to data theft or the implantation of backdoors.
In response to the leak, Fortinet has advised organizations to follow security best practices to mitigate risks.
Security experts recommend that organizations conduct compromise assessments to check for intrusions or unauthorized access following the leak.
To further mitigate risks, organizations should update device and VPN credentials, audit and reconfigure firewalls, and rotate any compromised digital certificates.
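The first step of the response described above is finding out whether any of an organization's own address space appears in the published list of exposed IPs. The following script is an added example written for this page; it is not CloudSEK's tool or code from either source, and the exposed-host list it embeds is a constructed sample using documentation address ranges, not leak data. It parses a plain text list of exposed addresses, skips comments and blank lines, and reports which of the organization's own prefixes (assumed to be known to the operator) contain an exposed address, so that those devices can be prioritized for credential, certificate and VPN key rotation.

```python
import ipaddress
from typing import Iterable, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample standing in for an exposed-host list; the addresses
# are from reserved documentation ranges and are not real leak data.
EXPOSED_IPS_SAMPLE = """\
# exposed-hosts.txt (constructed sample)
203.0.113.7
203.0.113.250
198.51.100.42
192.0.2.1
"""


def parse_exposed_ips(text: str) -> set:
    """Parse a text list of IP addresses, one per line, ignoring comments
    and blank lines. Lines that are not valid addresses are skipped rather
    than aborting the whole check."""
    exposed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            exposed.add(ipaddress.ip_address(line))
        except ValueError:
            # Malformed entry in the list; ignore it.
            continue
    return exposed


def find_exposed(own_ranges: Iterable[str], exposed: Iterable[IPAddress]) -> dict:
    """Map each of the organization's own prefixes (CIDR strings) to the
    sorted list of exposed addresses that fall inside it. Prefixes with no
    hits are omitted so the result is empty when nothing is affected."""
    hits = {}
    networks = [ipaddress.ip_network(r, strict=False) for r in own_ranges]
    for net in networks:
        matched = sorted(
            str(ip) for ip in exposed
            if ip.version == net.version and ip in net
        )
        if matched:
            hits[str(net)] = matched
    return hits


def check_exposure(own_ranges: Iterable[str], exposed_text: str) -> dict:
    """Convenience wrapper: parse the exposed list, then compare it against
    the organization's address space."""
    return find_exposed(own_ranges, parse_exposed_ips(exposed_text))


if __name__ == "__main__":
    # Hypothetical organization prefixes; replace with your own allocations.
    own = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8::/32"]
    result = check_exposure(own, EXPOSED_IPS_SAMPLE)
    if not result:
        print("No exposed addresses found in the supplied ranges.")
    for prefix, addrs in result.items():
        print(f"{prefix}: {len(addrs)} exposed host(s) -> {', '.join(addrs)}")
```

Each reported address should be treated as a device whose administrative credentials, VPN pre-shared keys and management certificates are assumed compromised until rotated, regardless of whether the firewall itself shows signs of intrusion.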
Summary based on 2 sources
Sources

Hackread (Latest Cybersecurity, Tech, Crypto & Hacking News), Jan 20, 2025: "Belsen Group Leaks 15,000+ FortiGate Firewall Configurations"