A hacking collective known as the “Belsen Group” has released over 15,000 unique FortiGate firewall configurations online.
The data dump, reportedly obtained by exploiting a zero-day vulnerability in Fortinet’s systems back in October 2022, includes sensitive information such as usernames, passwords (some in plaintext), device management certificates, and complete firewall rules.
The leaked data was made available for free on a dark web forum and appears to be authentic. Each folder in the dump is organized by country and contains subfolders named after IP addresses.
15,000 unique FortiGate firewall configurations leaked online (Source: Kevin Beaumont)
These folders house two critical files: config.conf, which holds the full configuration of the FortiGate device and vpn-users.txt, listing VPN credentials in plaintext.
Cybersecurity researcher Kevin Beaumont confirmed the leak’s legitimacy by cross-referencing serial numbers from the data with devices listed on Shodan, a search engine for internet-connected devices.
Beaumont also verified that usernames and passwords from the dump matched details on compromised devices he analyzed during incident response efforts.
IP Address Leaked (Source: Kevin Beaumont)
The Belsen Group claimed responsibility for this breach, marking it as their first major operation. Their announcement ominously stated that “2025 will be a fortunate year for the world,” suggesting further cyber campaigns may follow.
Exploitation of CVE-2022-40684
The breach traces back to CVE-2022-40684, a critical authentication bypass vulnerability in Fortinet’s FortiOS, FortiProxy, and FortiSwitchManager products.
This flaw allowed attackers to bypass administrative authentication using specially crafted HTTP or HTTPS requests. The vulnerability was first disclosed by Fortinet in October 2022 and had a CVSS score of 9.8, making it highly critical.
At the time, Fortinet urged users to patch their systems immediately by upgrading to secure versions of their software. However, it appears that attackers exploited this flaw before many organizations could apply the patch.
The firmware versions affected by the critical Fortinet authentication bypass vulnerability, CVE-2022-40684, include the following:
FortiOS:
Versions 7.0.0 through 7.0.6
Versions 7.2.0 through 7.2.1
FortiProxy:
Versions 7.0.0 through 7.0.6
Version 7.2.0
FortiSwitchManager:
Versions 7.0.0 and 7.2.0
Recommended Firmware Updates
To mitigate the vulnerability, Fortinet recommends upgrading to the following secure versions:
FortiOS: Version 7.2.2 or above, and version 7.0.7 or above.
FortiProxy: Version 7.2.1 or above and version 7.0.7 or above.
FortiSwitchManager: Version 7.2.1 or above, and version 7.0.1 or above.
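As an added example (not Fortinet's own tooling), the following Python encodes the affected and fixed versions listed above so an inventory of devices can be triaged in bulk; the product names, hostnames and inventory format are assumptions, and the sample inventory is constructed.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges (inclusive) and the minimum fixed build for each release
# branch, exactly as listed in the advisory text for CVE-2022-40684.
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6), (7, 0, 7)),
                ((7, 2, 0), (7, 2, 1), (7, 2, 2))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6), (7, 0, 7)),
                   ((7, 2, 0), (7, 2, 0), (7, 2, 1))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 0), (7, 0, 1)),
                           ((7, 2, 0), (7, 2, 0), (7, 2, 1))],
}

def parse_version(text: str) -> Version:
    """Turn 'v7.0.6', '7.0.6' or '7.0' into a comparable 3-tuple of ints."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    while len(parts) < 3:          # pad '7.0' to '7.0.0' so ranges compare
        parts.append("0")
    return tuple(int(p) for p in parts)

def check(product: str, version: str) -> Optional[str]:
    """Return the minimum fixed version if the device is in an affected
    range, otherwise None (already fixed, or a branch the advisory lists
    as unaffected, e.g. 6.4.x)."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED.get(product, []):
        if low <= v <= high:
            return ".".join(map(str, fixed))
    return None

def triage(inventory: List[Tuple[str, str, str]]):
    """Filter (hostname, product, version) rows down to devices still on an
    affected build, each paired with its upgrade target."""
    return [(host, product, version, fixed)
            for host, product, version in inventory
            if (fixed := check(product, version)) is not None]

SAMPLE_INVENTORY = [  # constructed sample rows, not real devices
    ("fw-edge-01", "FortiOS", "7.0.5"),
    ("fw-edge-02", "FortiOS", "7.0.7"),
    ("proxy-01", "FortiProxy", "7.2.0"),
    ("fsm-01", "FortiSwitchManager", "7.0.1"),
]
```

Because the configurations were stolen before many sites patched, a clean result here only closes the bypass; credentials and certificates present in a leaked config still need rotating.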
The leaked data suggests that the configurations were exfiltrated in late 2022 but have only now been made public, more than two years later.
The release of these configurations poses severe risks to affected organizations:
Exposure of Credentials: Plaintext VPN credentials and usernames could allow attackers to gain unauthorized access to networks.
Firewall Rules: Detailed firewall rules provide attackers with insights into network architecture and security policies.
Device Certificates: Leaked certificates could facilitate man-in-the-middle attacks or other forms of impersonation.
Persistent Threats: Even organizations that patched CVE-2022-40684 back in 2022 may still be vulnerable if their configurations were stolen before patching.
Security experts warn that this level of exposure could lead to widespread exploitation across both governmental and private sectors globally.
Kevin Beaumont has stated plans to publish a list of affected IP addresses so organizations can determine if they are impacted. Meanwhile, cybersecurity professionals stress the importance of proactive measures as attackers are likely already exploiting this treasure trove of data.
Organizations using Fortinet products must act swiftly to mitigate risks from this breach while remaining vigilant against future exploits targeting exposed configurations.
TA571 Hacker Group Deliver IcedID Malware Via Password-protected Zip Archive
Hackers often use password-protected Zip Archive files for malware distribution to evade detection by security software.
Encrypting the archive lets the malware reach the target system undetected, because antivirus software cannot examine the archive's contents without the password.
On October 11 and 18, 2023, cybersecurity researchers at Proofpoint discovered two malicious campaigns in which TA571 spread the Forked IcedID variant.
More than 1,200 clients globally in a variety of sectors were impacted by the more than 6,000 messages that these two campaigns sent out.
Proofpoint's researchers assess with high confidence that TA571 infections pose a ransomware risk, since the group is a well-known spam distributor that sends malware-laden emails.
Technical analysis
The campaigns used thread hijacking in emails with 404 TDS URLs. These links led to password-protected zip archives, with the password provided in the email.
However, besides this, the recipient was verified in multiple checks before delivering the archive.
TA571 lure used in an IcedID campaign on 11 October 2023 (Source – Proofpoint)
The zip had a VBS script running an IcedID Forked loader. When double-clicked, it leads to an IcedID bot download. Apart from this, there are only a few campaigns where the Forked IcedID is seen.
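The chain above relies on the archive being password-protected, but a zip's central directory (entry names and the encryption flag) is readable without the password. The following Python, added here and not Proofpoint's tooling, triages an attachment on that metadata alone; the extension list is an assumption, and build_zip only constructs sample archives (it sets the encryption flag without any real cipher) so the code runs offline.

```python
import io
import os
import struct
import zipfile
import zlib

# Script types whose presence in an encrypted e-mail attachment is a strong
# signal for the TA571-style delivery chain (assumed list, extend as needed).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk"}

def triage_archive(blob: bytes) -> dict:
    """Read only the central directory and return a verdict plus the
    encrypted script entries that drove it; no password is needed."""
    hits, encrypted_entries = [], 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            encrypted_entries += encrypted
            ext = os.path.splitext(info.filename)[1].lower()
            if encrypted and ext in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    if hits:
        verdict = "block"
    elif encrypted_entries:
        verdict = "review"      # encrypted but no script entry seen
    else:
        verdict = "allow"
    return {"verdict": verdict, "encrypted_entries": encrypted_entries,
            "hits": hits}

def build_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Constructed sample: a one-entry stored zip whose headers may carry the
    encryption flag. Only the metadata matters for triage, so no cipher."""
    flags = 0x1 if encrypted else 0
    body = (b"\x00" * 12 + data) if encrypted else data  # 12-byte enc header
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0, crc, len(body), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd

# Constructed samples: a lure-shaped archive and a benign one.
LURE_ZIP = build_zip(b"invoice_0932.vbs", b"' placeholder\r\n", True)
BENIGN_ZIP = build_zip(b"report.pdf", b"%PDF-1.4 placeholder", False)
```

The same check applies to archives that password-protect the central directory itself only partially; an archive whose entry names cannot be read at all should fall into the "review" bucket rather than be allowed.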
In February 2023, cybersecurity analysts at Proofpoint discovered this variant. It removed banking functions, shifting focus from banking fraud to payload delivery, possibly favoring ransomware delivery.
For malware delivery, the threat group TA571 often employs 404 TDS, which researchers have been tracking since September 2022.
In these campaigns, it’s been detected that threat actors delivered the following malware:-
A traffic distribution system (TDS) routes web traffic through operator-controlled servers and is abused to deliver malware and phishing pages. Proofpoint assesses that 404 TDS is possibly shared or sold to various actors, as it has been linked to a diverse set of campaigns.
Delivery of the Forked IcedID variant by TA571 is unusual, and that’s why Proofpoint sees TA571 as a sophisticated actor using intermediary “gates” for precise targeting, evading sandboxes.
Indicators of compromise
IOCs (Source – Proofpoint)