Login

***milos_rs*** · (This post was last modified: 01-15-2025, 07:28 PM by milos_rs.)

Jutros vidim na linkedinu ovu objavu:

Filename: ln.png Size: 247.65 KB 01-15-2025, 03:21 PM

Dakle neki maliciozan je preko nepoznatog propusta pokupio konfiguracije i VPN šifre sa 15,400 Fortigate firewalla po celom svetu i objavio za besplatno skidanje. Po ovoj objavi deluje da su malo stariji podaci u pitanju.

Maliciozni akter nudi podatke potpuno besplatno, može se računati da trenutno razni drugi pokušavaju da iskoriste ove podatke...

Filename: dw2.png Size: 63.67 KB 01-15-2025, 03:32 PM

Ako koristite Fortigate uređaje na ivici mreže iz predostrožnosti ODMAH promenite sve šifre... administratorske, VPN šifre pod obavezno, WiFi šifre su takođe u konfig fajlovima tako da bolje i njih. Jeste da su šifre SHA256 hešovane ali bolje promeniti

Od Ex-yu zemalja među konfiguracijama prisutni su i u zagradama koliko puta uključujući i duplikate jer ih ima : BA (47) MK (2) RS (31) SI (13)

Podeliću zanimljivosti za Srbiju...

Zastupljene IP adrese tj. provajderi. Nemojte se osećati lagodno ako vam se IP adresa menja, u konfiguracijama je konfigurisan DDNS i svako ko ima fajl može da dođe do trenutne IP adrese vašeg rutera...

Filename: ips2.png Size: 431.23 KB 01-15-2025, 04:38 PM

Zastupljeni uređaji i verzije:

Code:
FG200E-7.0.2-FW-build0234-211019:opmode=0:vdom=0:user=Local_Process_Access

FGT80F-7.0.5-FW-build0304-220208:opmode=0:vdom=0:user=Local_Process_Access

FGT40F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FGT60F-7.2.1-FW-build1254-220803:opmode=0:vdom=0:user=Local_Process_Access

FGT60F-7.2.1-FW-build1254-220803:opmode=0:vdom=0:user=Local_Process_Access

FG200E-7.0.2-FW-build0234-211019:opmode=0:vdom=0:user=Local_Process_Access

FGT80F-7.0.6-FW-build0366-220606:opmode=0:vdom=0:user=Local_Process_Access

FG100F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FGT80F-7.0.5-FW-build0304-220208:opmode=0:vdom=0:user=Local_Process_Access

FGT80F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FGT80F-7.2.1-FW-build1254-220803:opmode=0:vdom=0:user=Local_Process_Access

FGT40F-7.2.1-FW-build1254-220803:opmode=0:vdom=0:user=Local_Process_Access

FGT60F-7.0.1-FW-build0157-210714:opmode=0:vdom=0:user=Local_Process_Access

FGT60E-7.2.0-FW-build1157-220331:opmode=0:vdom=1:user=Local_Process_Access

FGT40F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FG100F-7.2.1-FW-build1254-220803:opmode=0:vdom=1:user=Local_Process_Access

FG100E-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FGT61F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FGT40F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FG100E-7.0.1-FW-build0157-210714:opmode=0:vdom=0:user=Local_Process_Access

FG80FP-7.2.1-FW-build1254-220803:opmode=0:vdom=0:user=Local_Process_Access

FG100F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FG100F-7.0.5-FW-build0304-220208:opmode=0:vdom=0:user=Local_Process_Access

FGT40F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FGT60F-7.0.1-FW-build0157-210714:opmode=0:vdom=0:user=Local_Process_Access

FG100F-7.0.5-FW-build0304-220208:opmode=0:vdom=0:user=Local_Process_Access

FG200F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FGT40F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

FGT61F-7.2.1-FW-build1254-220803:opmode=0:vdom=0:user=Local_Process_Access

FGT60E-7.0.3-FW-build0237-211207:opmode=0:vdom=0:user=Local_Process_Access

FG100F-7.2.0-FW-build1157-220331:opmode=0:vdom=0:user=Local_Process_Access

Zbog osetljivosti i rizika neću spominjati imena korisnika rutera ali moram da napravim neka zapažanja među podacima:

Ruter koji pripada firmi koja proizvodi i prodaje peciva. Među VPN šiframa na čak 4 naloga je šifra "Comtrade123#". Te pretpostavljam da im je Comtrade radio mrežu, veoma neodgovorno postavljanje šifara.
Ruter od jedne outsourcing IT firme iz Beograda, čak 8 VPN naloga sa korisničkim imenima lakih za pogađanje imao je šifru "stacemodajedemo"
Ruter od jedne sportske organizacije u Beogradu, korisnička imena su "Ime" a šifre su sve "123Ime456"
Firma iz Novog Sada koja nudi usluge vođenja poslovanja i u sklopu toga nudi i Fortinet uređaje, među VPN šiframa su "stagod1, stagod2, stagod3" itd, kao i šifre "vpnsifra123, vpnsifra321, sifrazavpn123...". A i ostale šifre su podjednako loše.
Jedna medicinska laboratorija sa gomilom ispostava po celoj Srbiji... VPN šifre izuzetno loše, ističe se kao šifra "L031nka"

Razumem ja da je potrebno dostaviti klijentu početne šifre, to i sam redovno radim, ali valjda mogu i one biti sigurne, jer kao što je opšte poznato korisnici neće promeniti šifre ako ne moraju. Da ne bude da samo kritikujem, ima i onih sa dobrim šiframa koje se na primer kod jednog rutera sastoje od 9 random karaktera malih i velikih slova kao i broje, jedinstvenih za svakog korisnika.

facyber_ · 01-15-2025, 10:22 PM

Da nemaš možda spisak IP adresa za podeliti? Ako se ne varam za taj breach forum je potreban plaćeni nalog?

***milos_rs*** · 01-16-2025, 08:44 AM

Iz raznih online vesti se zna više detalja

Quote:In a blog post about the FortiGate leak, Beaumont says that the leak is believed to be linked to a 2022 zero-day tracked as CVE-2022–40684 that was exploited in attacks before a fix was released.

"I've done incident response on one device at a victim org, and exploitation was indeed via CVE-2022–40684 based on artefacts on the device. I've also been able to verify the usernames and password seen in the dump matches the details on the device," explains Beaumont.

"The data appears to have been assembled in October 2022, as a zero day vuln. For some reason, the data dump of config has been released today, just over 2 years later."

Hackers leak configs and VPN credentials for 15,000 FortiGate devices

***milos_rs*** · 01-16-2025, 09:42 AM

Evo i za BiH, obzirom da sve više javno kruži spisak IP adresa, npr. https://github.com/arsolutioner/fortigate-belsen-leak nema više poente uklanjati...

Za BiH ima dosta duplikata, isti ruter viđen na više IP adresa, što možda pokazuje da je ovo prikupljano duže vreme, i da je svakim skeniranjem ruter nađen na drugoj IP adresi, te prikupljeni podaci sa njega iako su već ranije bili prikupljeni.

Filename: ips.png Size: 1.09 MB 01-16-2025, 09:41 AM

***milos_rs*** · 01-18-2025, 05:17 PM

Fortinet obaveštenje:

Analysis of Threat Actor Data Posting

Quote:The threat actor has leaked data obtained in dated campaigns that has been aggregated to appear like a new disclosure. Our analysis of the devices in question show that the majority have long since upgraded to newer versions. If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail in the threat actor’s disclosure is small. We continue to strongly recommend that organizations take the recommended actions, if they have not already, to improve their security posture.

Login
Username/Email:
Password:	Lost Password?
	Remember me