Fortigate Data Dump - Jan 2025
Some cyber insurance carriers are actively reaching out to impacted policyholders. This post will be updated on an ongoing basis to provide high-level insights for Beltex policyholders.
Background information is available here. The dumped information dates from October 2022, so while it may still pose a threat, it is also substantially out of date in many cases.
Should you panic? Maybe.
On the night of Friday, January 24th, the Beltex team worked late handling notifications and discussions with clients whose IPs and domains were listed in the dump files. This data is widely available on the non-dark web, such as the list of domains here. Please note that the linked list of domains is derived from the contact emails in the Fortigate configurations, not from a reverse lookup of the listed IPs or similar searches.
What should you do if your information is on the list?
Even if the Fortigate(s) are no longer in production, you may already be compromised. At a minimum, notify your carrier and follow their guidance, which may be to open a claim.
If you are confident that your business is not at risk, still verify that your security controls are functional and rotate ASAP any credentials that were reused on the firewall. The firewall config can include local user accounts, LDAP integration settings, and more.
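To plan that rotation you need an inventory of every credential-bearing setting in the exposed config, not just the admin password. The script below is an added example written for this post, not Beltex's tooling or Fortinet's, and it runs on a constructed sample configuration (all hostnames, users, addresses and ENC values are placeholders). It walks the FortiOS block structure (config / edit / next / end), records each `set` whose key names a secret (the key list is an assumption drawn from common FortiOS settings; extend it for your own features), treats SNMP community names as secrets too, and collects the IP addresses and contact e-mails that the public dump excerpts are keyed on.

```python
"""Triage a FortiGate configuration for credentials that need rotation.

Added example, not part of the original post. The SECRET_KEYS list is an
assumption based on common FortiOS settings; review it against your firmware.
"""
import re
from dataclasses import dataclass, field

# `set` keys whose value is a credential (assumed list; extend as needed).
SECRET_KEYS = {"password", "passwd", "psksecret", "secret", "key", "auth-pwd", "priv-pwd"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class Finding:
    path: str            # where the secret lives, e.g. "user ldap / corp-ldap"
    key: str             # the `set` key, e.g. "password"
    has_enc_prefix: bool  # value is stored with the FortiOS "ENC" marker


@dataclass
class Triage:
    secrets: list = field(default_factory=list)
    ips: set = field(default_factory=set)
    emails: set = field(default_factory=set)


def triage_config(text: str) -> Triage:
    """Parse a FortiOS config and collect secret settings, IPs and e-mails."""
    result = Triage()
    stack = []  # current nesting: "system admin", then "admin" for an edit block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        verb = tokens[0]
        if verb == "config":
            stack.append(" ".join(tokens[1:]))
        elif verb == "edit":
            stack.append(" ".join(tokens[1:]).strip('"'))
        elif verb in ("next", "end"):
            if stack:
                stack.pop()
        elif verb == "set" and len(tokens) >= 3:
            key, first_value = tokens[1], tokens[2]
            # SNMP community strings are secrets even though the key is "name".
            snmp_community = bool(stack) and stack[0] == "system snmp community"
            if key in SECRET_KEYS or (snmp_community and key == "name"):
                result.secrets.append(Finding(" / ".join(stack), key, first_value == "ENC"))
            result.ips.update(IP_RE.findall(line))
            result.emails.update(EMAIL_RE.findall(line))
    return result


# Constructed sample for this example; not a real device configuration.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER_ADMIN_HASH
    next
end
config user local
    edit "vpn.jdoe"
        set type password
        set passwd ENC PLACEHOLDER_USER_SECRET
    next
end
config user ldap
    edit "corp-ldap"
        set server "192.0.2.10"
        set username "cn=fgt-bind,ou=svc,dc=example,dc=test"
        set password ENC PLACEHOLDER_BIND_SECRET
    next
end
config vpn ipsec phase1-interface
    edit "branch-tunnel"
        set remote-gw 198.51.100.25
        set psksecret ENC PLACEHOLDER_PSK
    next
end
config system snmp community
    edit 1
        set name "public"
    next
end
config system snmp sysinfo
    set contact-info "noc@example.test"
end
"""

if __name__ == "__main__":
    report = triage_config(SAMPLE_CONFIG)
    for f in report.secrets:
        print(f"ROTATE: {f.path} -> {f.key} (ENC={f.has_enc_prefix})")
    print("IPs:", sorted(report.ips), "Contacts:", sorted(report.emails))
```

Each finding is a credential to rotate on the firewall and, more importantly, anywhere else the same secret was reused (the LDAP bind account and VPN pre-shared keys are the usual offenders). Run it against the real config backup rather than relying on memory of what the device held.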
Additional Research Tools
These tools are not endorsed by the Beltex team and have not been fully tested or vetted by them; they are provided as potentially useful information only.
Lookup by ASN: https://turagik.github.io/fortigate-asn-search/
Contact field(s) email domains: https://gist.github.com/Neo23x0/e2cb09c3a193218c28424fe768605103
Select lines from the configurations that include IPs and contact emails: https://raw.githubusercontent.com/GossiTheDog/Monitoring/refs/heads/main/Fortigate-Config-Dump-emails.txt