Incident Overview
The Belsen Leak — What Was Exposed
On 14 January 2025, a newly surfaced threat actor calling itself Belsen_Group
released a 1.6 GB archive on a Tor-hosted dark web forum and English-language cybercrime boards — framing it
as a "gift" to establish their reputation. The dump contains full firewall configuration backups
(config.conf) and VPN credential files (vpn-password.txt) for
15,474 FortiGate devices, folder-organized by country and WAN IP.
Fortinet PSIRT and multiple independent researchers (Beaumont, Crimson7, CloudSEK, Heise Online) confirmed the data's authenticity. Serial numbers matched Shodan records; VPN credentials were validated against live devices. The archive is internally timestamped to October 2022, exploited during the zero-day window of CVE-2022-40684 before Fortinet's public disclosure on 03 Oct 2022.
CVE-2022-40684 — Technical Summary
The flaw allows unauthenticated HTTP/HTTPS requests to the FortiOS management interface to be processed
as Local_Process_Access (a privileged internal context), bypassing all authentication controls.
The attacker can use a crafted Forwarded HTTP header to impersonate the management daemon.
Mass exploitation resulted in config exfiltration via the /api/v2/cmdb/system/ REST endpoint.
```http
# Exploitation technique: manipulated Forwarded header
GET /api/v2/cmdb/system/admin/admin HTTP/1.1
Host: <target_ip>
Forwarded: for="[127.0.0.1]:8888";by="[127.0.0.1]:9999";proto=https

# Result: authenticated as Local_Process_Access, full admin API access
```
CVE-2018-13379 — Credential Harvesting Chain
Fortinet's PSIRT stated it is "highly likely" that CVE-2018-13379 was also leveraged —
a pre-authentication path traversal on the SSL-VPN web portal that exposes
/dev/cmdb/sslvpn_websession, leaking plaintext VPN credentials for sessions. This explains
the presence of plaintext vpn-password.txt files alongside config dumps. The 2018 vuln
was still being exploited at scale in 2022 against unpatched estates.
Attack & Disclosure Timeline
Local_Process_Access footprint on victim devices. Access likely sold or retained for downstream operations.
Geographic Distribution
Top-Affected Countries (by leaked device count)
| Country | Devices (approx) | Notable Sectors |
|---|---|---|
| 🇲🇽 Mexico | ~1,603 | Telco, SMB, leased-line ISP |
| 🇺🇸 USA | ~679 | Enterprise, Govt, Healthcare |
| 🇩🇪 Germany | ~208 | SMB, Medical practices |
| 🇵🇱 Poland | 20+ | ISP, Manufacturing |
| 🇬🇧 UK | 20+ | Finance, Professional services |
| 🇧🇪 Belgium | 20+ | EU institutions, SMB |
| 🇹🇭 Thailand | 10+ | Telco, E-commerce |
| 🇸🇦 Saudi Arabia | 10+ | Energy, Finance |
⚠ Notable omissions: Iran (thousands exposed by Shodan but absent from corpus) and Russia (single Crimea entry). Suggests intentional geographic curation, not exhaustive mass exfil. Hypothesis: TA filtered targets, retained high-value access, released remainder as reputation capital.
Network Concentration: UniNet (Mexico)
Censys enrichment shows a disproportionate clustering on the UniNet ASN, consistent with SMB CPE devices (FG-40F, FG-60F) deployed by ISPs on behalf of small business customers who have no dedicated security staff. This explains the high device count with low sophistication configurations — default-adjacent deployments with admin UIs exposed on WAN port 443/10443.
Observed Misconfiguration Patterns
These patterns recur across the corpus according to the analyses published by Beaumont, Heise, Crimson7, and CloudSEK, and they are the deployment anti-patterns most relevant to your country-level misconfiguration behavior study.
Pattern Taxonomy from Corpus Analysis
32.88% of devices still exposing FortiGate login interface publicly at time of Censys scan. Enables direct exploitation of any auth bypass CVE without network prerequisite. Violates Fortinet hardening baseline: admin access must be restricted to dedicated OOBM VLAN.
SSL-VPN user passwords stored or recoverable in plaintext via CVE-2018-13379. Many orgs running password-only VPN auth with no MFA, reused credentials across services. Password policy enforcement absent in majority of SMB configs.
Pre-shared keys (PSK) and peer IPs included in configs allow adversaries to impersonate the FortiGate peer and join connected internal networks, even if the original firewall has since been replaced. Third-party org risk: partner networks of victims are also transitively exposed.
Majority of devices retain admin as the primary account name. Corpus analysis confirms this is near-universal in the SMB segment. Facilitates credential stuffing and targeted brute-force against unrotated creds.
Full device management certificates included in leaked configs. Serial numbers, CN fields, and cert chains enable device fingerprinting and impersonation in mutual-TLS management channels (FortiManager/FortiAnalyzer communication).
Full firewall rule configurations reveal internal network topology, segment structure, allow-any rules, and trusted host ranges. Defender takeaway: an adversary holding the config can pre-plan lateral movement routes before ever touching the network. Consistent with Beaumont's observation that "large orgs and governments" appear in the corpus.
Config analysis shows majority of SMB devices with no FortiAnalyzer or syslog destination configured. Means exploitation via CVE-2022-40684 left no forwarded telemetry — only local disk logs, easily rotated or wiped by attacker.
100% of corpus locked to FortiOS 7.0.0–7.0.6 or 7.2.0–7.2.1. Fortinet confirmed no 7.4/7.6 entries. Suggests patch cycle cadence of 12+ months or manual-only updates — common in SMB and telco CPE managed service models.
Research Methodology — Country Misconfiguration Profiling
Recommended pipeline for your 15K corpus analysis. Combines structural parsing, enrichment, and statistical clustering to produce per-country misconfiguration profiles.
Parse folder tree: country/ → WAN_IP_PORT/ → {config.conf, vpn-password.txt}.
Extract structured fields using regex or FortiOS grammar (Fortinet config uses a key-value tree, not YAML/JSON).
Tools: Python fortigate-config-parser libs or custom pyparsing grammar. Extract: FortiOS version, admin accounts, SSL-VPN config, firewall policy count/permissiveness, syslog destinations, HA mode, IPS/AV profile presence, IPsec tunnel count, management access ACLs, certificate metadata, password policy settings.
Enrich WAN IPs with: ASN (pyasn/RIPE), Shodan historical banners, BGP prefix ownership, sector classification via AS description + RDAP. Censys Internet-wide scan data provides confirmed-online status. Helps correlate config misconfigs with hosting environment (telco CPE vs enterprise edge vs datacenter).
Define binary or weighted feature vector per device: admin-on-WAN (1/0), MFA-absent (1/0), no-syslog (1/0), default-admin-name (1/0), PSK-reuse (hash collision detection), weak password entropy (zxcvbn scoring), etc. Produces per-device risk score.
Group by country folder. Compute: mean/median risk score, prevalence rates per misconfig type, firmware version distribution, sector composition. Normalize by device count for comparable cross-country percentages — raw counts are misleading (Mexico N=1603 vs Belgium N~20).
K-means or DBSCAN on normalized feature vectors to identify misconfiguration behavioral archetypes (e.g., "SMB CPE cluster", "managed-service cluster", "enterprise-partial-hardening cluster"). Map archetype distribution per country to surface policy-correlated patterns.
Cross-reference Fortinet advisory dates with firmware versions in corpus. Estimate per-country average patch-lag. Correlate against ENISA/NVD patch adoption research and national CERT activity indicators for country-level cyber posture inference.
```python
# Python skeleton: parse FortiGate config tree
import json
import re
from pathlib import Path

def parse_fortigate_config(conf_text):
    features = {}
    # Management protocol (http/https) enabled on any interface's allowaccess list
    features['admin_on_wan'] = bool(re.search(r'set allowaccess.*\b(https|http)\b', conf_text))
    features['ssl_vpn_enabled'] = bool(re.search(r'config vpn ssl settings', conf_text))
    features['syslog_dest'] = bool(re.search(r'config log syslogd', conf_text))
    features['mfa_enabled'] = bool(re.search(r'set two-factor', conf_text))
    features['ipsec_tunnels'] = len(re.findall(r'config vpn ipsec phase1-interface', conf_text))
    # Count 'edit <id>' entries inside the firewall policy block (0 if the block is absent)
    policy_block = re.search(r'config firewall policy(.*?)^end', conf_text, re.DOTALL | re.MULTILINE)
    features['fw_policy_count'] = len(re.findall(r'edit \d+', policy_block.group(1))) if policy_block else 0
    version_m = re.search(r'#conf_file_ver=(\S+)', conf_text)
    features['fortios_version'] = version_m.group(1) if version_m else 'unknown'
    return features

corpus_root = Path("./fortigate_leak")
results = []
for country_dir in corpus_root.iterdir():
    if not country_dir.is_dir():
        continue
    country = country_dir.name
    for ip_dir in country_dir.iterdir():
        conf_file = ip_dir / "config.conf"
        if conf_file.exists():
            feats = parse_fortigate_config(conf_file.read_text(errors='ignore'))
            feats['country'] = country
            feats['ip_port'] = ip_dir.name
            results.append(feats)

with open("corpus_features.json", "w") as f:
    json.dump(results, f, indent=2)
```
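The pipeline steps above (parse, feature vector, per-country normalisation), carried one stage past the regex skeleton, as an added example that is not the page's skeleton and not any Fortinet or researcher tooling: a structure-aware parser for the FortiOS backup grammar (config/edit/set/next/end, with multi-line quoted values such as certificate blobs joined before tokenising), a per-device binary feature vector with weights I have assumed, and per-country prevalence rates normalised by device count. The `#config-version=<model>-<version>-...` header is the one FortiOS writes into backups; the feature names, the weights, the folder-layout dict and the three sample configs are constructed for this example.

```python
# Added example: structure-aware FortiOS parsing and country profiling (constructed data)
import json
import re
import shlex
from collections import Counter

FEATURE_WEIGHTS = {"admin_on_wan": 3, "no_syslog": 2, "mfa_absent": 2, "default_admin_name": 1}  # assumed

def parse_fortios(text):
    """FortiOS backup grammar -> nested dicts keyed by block name; 'set' values become
    token lists; quoted values spanning lines (certs, keys) are joined before parsing."""
    root, stack, buf = {}, [], ""
    for raw in text.splitlines():
        line = buf + "\n" + raw if buf else raw.strip()
        if len(re.findall(r'(?<!\\)"', line)) % 2:  # a quote is still open
            buf = line
            continue
        buf = ""
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        cur = stack[-1] if stack else root
        if tok[0] in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
    return root

def fortios_version(text):
    """Firmware version from the '#config-version=<model>-<ver>-...' backup header."""
    m = re.search(r"^#config-version=\S+?-(\d+\.\d+\.\d+)-", text, re.M)
    return m.group(1) if m else "unknown"

def device_features(text):
    """Binary misconfiguration features plus a weighted risk score for one device."""
    cfg = parse_fortios(text)
    ifaces = cfg.get("system interface", {}).values()
    users = cfg.get("user local", {}).values()
    f = {  # management protocol (http/https/ssh/telnet) on an interface with role wan
        "admin_on_wan": any(i.get("role") == ["wan"] and
                            {"http", "https", "ssh", "telnet"} & set(i.get("allowaccess", []))
                            for i in ifaces),
        "no_syslog": cfg.get("log syslogd setting", {}).get("status") != ["enable"],
        "mfa_absent": any(u.get("two-factor", ["disable"]) == ["disable"] for u in users),
        "default_admin_name": "admin" in cfg.get("system admin", {}),
    }
    f = {k: int(v) for k, v in f.items()}
    f["risk_score"] = sum(FEATURE_WEIGHTS[k] * f[k] for k in FEATURE_WEIGHTS)
    f["fortios_version"] = fortios_version(text)
    return f

def country_profiles(corpus):
    """corpus = {country: {ip_port: config_text}} (the leak's folder layout).
    Prevalence is a fraction of each country's devices, so N=1603 and N=20 compare."""
    profiles = {}
    for country, devices in corpus.items():
        feats = [device_features(t) for t in devices.values()]
        n = len(feats)
        profiles[country] = {
            "devices": n,
            "mean_risk": round(sum(x["risk_score"] for x in feats) / n, 2),
            "prevalence": {k: round(sum(x[k] for x in feats) / n, 2) for k in FEATURE_WEIGHTS},
            "firmware": dict(Counter(x["fortios_version"] for x in feats)),
        }
    return profiles

def make_config(version, wan_access, admin, syslog, two_factor):
    """Constructed backup text in FortiOS syntax for the demo (not leak data)."""
    return f"""#config-version=FGT60F-{version}-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system interface
    edit "wan1"
        set allowaccess {wan_access}
        set role wan
    next
end
config system admin
    edit "{admin}"
    next
end
config log syslogd setting
    set status {'enable' if syslog else 'disable'}
end
config user local
    edit "vpnuser1"
        set two-factor {two_factor}
    next
end
"""

SAMPLE_CORPUS = {  # constructed: two countries, three devices
    "MX": {"203.0.113.10_443": make_config("7.0.5", "ping https ssh", "admin", False, "disable"),
           "203.0.113.11_10443": make_config("7.0.3", "ping", "admin", False, "disable")},
    "BE": {"198.51.100.7_443": make_config("7.2.1", "ping", "secops", True, "fortitoken")},
}

if __name__ == "__main__":
    print(json.dumps(country_profiles(SAMPLE_CORPUS), indent=2))
```

Two design points. `mfa_absent` treats a missing `two-factor` setting as disabled because FortiOS backups omit default values, so a regex for `set two-factor` alone (as in the skeleton) would count only the users who have MFA, not the ones who lack it. For the real corpus, replace `SAMPLE_CORPUS` with the folder walk from the skeleton and feed each `config.conf` through `device_features`; the quote-joining in `parse_fortios` is what keeps the embedded certificates and private keys mentioned above from derailing a line-based parse.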
Research Gaps — Unexplored Angles
IOCs & Detection
Forensic Artefacts — CVE-2022-40684 Exploitation
```
# FortiGate access log signature (Local_Process_Access)
type=event subtype=system pri=information user="Local_Process_Access" ui=https action=Edit cfgpath="system.admin"

# Rogue admin account artefact
config system admin
    edit "fortigate-tech-support"    # common attacker-created account
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "[attacker_pub_key]"
    next
end
```
Beaumont confirmed these artefacts on an IR-engaged victim device. Also check
/var/log/miglogd.log for rest_api entries from external source IPs
around October 2022.