{
	"id": "dc1dd034-f9f5-4e35-8d03-7f78f39fef5f",
	"created_at": "2026-04-06T00:13:01.740665Z",
	"updated_at": "2026-04-10T13:11:49.55764Z",
	"deleted_at": null,
	"sha1_hash": "c6b8d925f49963ad25b38f6a0897a19c2d09e51f",
	"title": "Analysis of Threat Actor Data Posting | Fortinet Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45941,
	"plain_text": "Analysis of Threat Actor Data Posting | Fortinet Blog\r\nBy Carl Windsor\r\nPublished: 2025-01-16 · Archived: 2026-04-05 13:00:57 UTC\r\nAffected Platforms: FortiOS 7.0.0 – 7.0.6 and 7.2.0 – 7.2.1\r\nImpacted Users: Various\r\nImpact: Configuration and VPN Password Exposure\r\nSeverity Level: High\r\nExecutive Summary\r\nFortinet is aware of a posting by a threat actor which claims to offer compromised configuration and VPN credentials from FortiGate devices. Based on our analysis, the data involved is a resharing of data from previous incidents from dates prior to November 2022 and is not related to any recent incident or advisory. The following provides factual information to help our customers better understand the situation and make informed decisions.\r\nThreat Actor Posting\r\nFortinet discovered the posting on a forum via the FortiRecon Dark Web Activity Monitoring service. This group, newly created in January 2025, published files that purportedly contain stolen FortiGate data, categorized by country names, including:\r\nIPs\r\nPasswords\r\nConfigurations\r\nBased on our analysis, the threat actor’s claim is misleading.\r\nAnalysis of the data\r\nThe stolen data is arranged in folders named with the IP address and a port on the firewall, in the format 10.20.30.41_xxx, where xxx is most commonly 443 or 10443, which suggests it is meant to represent the SSL-VPN port.\r\nEach folder contains two files:\r\nconfig.conf - The FortiGate configuration backup\r\nvpn-password.txt - Password file containing credentials from the SSL-VPN\r\nconfig.conf\r\nAfter analyzing the firmware versions in the exposed configurations, it was immediately clear that the exposed data originates from an older vulnerability, as the list does not include any configurations for FortiOS 7.6 or 7.4, nor any recent configurations for 7.2 and 7.0.\r\nAnother indicator was the presence of two other IoCs commonly found in an older published vulnerability:\r\nConfiguration obtained by user Local_Process_Access\r\nMalicious Admin: fortigate-tech-support\r\nGiven both points, it is highly likely that this data was obtained via the previously communicated and resolved vulnerability FG-IR-22-377 / CVE-2022-40684. In addition to the published advisory, we also published further insights and detail in a blog post from October 2022 entitled “Update Regarding CVE-2022-40684.” Data corroborating the findings includes that the threat actor-shared configs are from 7.2.1 and 7.0.6 (which were the last vulnerable versions, as noted in our 2022 advisory).\r\nvpn-password.txt\r\nSimilar to the configurations, the data in vpn-password.txt immediately appeared familiar, as it was similar in content to, and matched, data disclosed in the previously resolved FG-IR-18-384 / CVE-2018-13379 vulnerability.\r\nThe difference is that the filenames and headers of the files were different. We found a Python file that explains this: it was used to change the filenames and insert the moniker of the threat actor into all of the password files.\r\nThis was widely communicated at the time in the published PSIRT Advisory, and in a 2019 blog and a subsequent blog in 2020.\r\nConclusion\r\nThe threat actor has leaked data obtained in dated campaigns that has been aggregated to appear like a new disclosure. Our analysis of the devices in question shows that the majority have long since upgraded to newer versions. If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail being in the threat actor’s disclosure is small. We continue to strongly recommend that organizations take the recommended actions, if they have not already, to improve their security posture.\r\nWe can also confirm that devices purchased since December 2022 or devices which have only run FortiOS 7.2.2 or above are not impacted by the information disclosed by this threat actor.\r\nIf you were running an impacted version (7.0.6 and lower or 7.2.1 and lower) prior to November 2022 and did not already take the actions recommended in the advisory, we strongly recommend reviewing the recommended actions to improve your security posture.\r\nWhilst this data is several years old and the IP addresses have been observed to no longer be relevant in many cases, we will be reaching out to any customers, where identified, to recommend that they review their configurations.\r\nIf you are a Fortinet customer and have reviewed this detail and still have questions, please reach out to cs@fortinet.com.\r\nRecommended actions\r\nFor our customers, your risk of being impacted by the information disclosed is low if:\r\nYour device was purchased in December 2022 or after\r\nYour organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in past Fortinet PSIRT Advisories\r\nFortinet recommends that customers:\r\nUpgrade to the latest patch release for your release train.\r\nValidate the FortiGate configuration to ensure that no unauthorized changes have been implemented by a malicious third party.\r\nLook for the known IoCs documented in the referenced incidents (FG-IR-22-377 / FG-IR-18-384).\r\nFollow best practice recommendations for configuration.\r\nSource: https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-data-posting",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-data-posting"
	],
	"report_names": [
		"analysis-of-threat-actor-data-posting"
	],
	"threat_actors": [],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6b8d925f49963ad25b38f6a0897a19c2d09e51f.pdf",
		"text": "https://archive.orkl.eu/c6b8d925f49963ad25b38f6a0897a19c2d09e51f.txt",
		"img": "https://archive.orkl.eu/c6b8d925f49963ad25b38f6a0897a19c2d09e51f.jpg"
	}
}
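The triage the post describes (folder names of the form 10.20.30.41_xxx, the firmware version read out of each config.conf, a check of that version against the affected trains 7.0.0–7.0.6 and 7.2.0–7.2.1, and the two CVE-2022-40684 IoCs: a backup taken by user Local_Process_Access and a fortigate-tech-support admin account) can be reproduced offline against a dump or against your own backups. The Python below is an added example, not code from Fortinet or from the post. It assumes the usual FortiOS backup header layout (`#config-version=MODEL-x.y.z-FW-buildNNNN-YYMMDD:opmode=..:vdom=..:user=..`) and the `config system admin` table syntax; the two sample configs, their hostnames and build numbers are constructed for illustration.

```python
"""Offline triage of FortiGate config backups: folder name, firmware version,
affected-train check, admin list and the CVE-2022-40684 IoCs named in the post.
Added example; sample configs below are constructed, not from the leak."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected trains from the post header (inclusive).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [((7, 0, 0), (7, 0, 6)),
                                                  ((7, 2, 0), (7, 2, 1))]
# IoCs the post attributes to the FG-IR-22-377 / CVE-2022-40684 campaign.
IOC_BACKUP_USER = "Local_Process_Access"   # 'user=' tag in the config-version header
IOC_ADMIN_NAME = "fortigate-tech-support"  # rogue admin account

# Assumed header layout of a FortiOS backup (verify against your own export):
#   #config-version=FGT60F-7.0.6-FW-build0366-220421:opmode=0:vdom=0:user=admin
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9_]+)-(?P<version>\d+\.\d+\.\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d+)(?P<tags>(?::[^:\s]+)*)",
    re.MULTILINE,
)
FOLDER_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<port>\d{1,5})$")


def parse_folder_name(name: str) -> Optional[Tuple[str, int]]:
    """'10.20.30.41_10443' -> ('10.20.30.41', 10443); None if not in that shape."""
    m = FOLDER_RE.match(name)
    return (m["ip"], int(m["port"])) if m else None


def parse_config_version(config_text: str) -> Optional[dict]:
    """Model, version tuple, build and the header tags (opmode/vdom/user)."""
    m = HEADER_RE.search(config_text)
    if not m:
        return None
    tags = dict(t.split("=", 1) for t in m["tags"].split(":")[1:] if "=" in t)
    return {"model": m["model"], "build": m["build"], "tags": tags,
            "version": tuple(int(x) for x in m["version"].split("."))}


def is_affected_version(version: Version) -> bool:
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def admin_accounts(config_text: str) -> List[str]:
    """Entry names under 'config system admin'; nested sub-tables are skipped."""
    names, in_block, depth = [], False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin"
            continue
        if line.startswith("config "):
            depth += 1                       # nested table, e.g. gui-dashboard
        elif line == "end":
            if depth == 0:
                break                        # end of config system admin
            depth -= 1
        elif depth == 0 and line.startswith('edit "'):
            names.append(line[6:].split('"', 1)[0])
    return names


def find_iocs(config_text: str) -> List[str]:
    iocs = []
    hdr = parse_config_version(config_text)
    if hdr and hdr["tags"].get("user") == IOC_BACKUP_USER:
        iocs.append(f"backup taken by user={IOC_BACKUP_USER}")
    if IOC_ADMIN_NAME in admin_accounts(config_text):
        iocs.append(f"admin account {IOC_ADMIN_NAME!r} present")
    return iocs


def triage_dump(dump: Dict[str, str]) -> Dict[str, dict]:
    """dump maps folder name -> config.conf text; returns a per-device verdict."""
    report = {}
    for folder, config in dump.items():
        target, hdr = parse_folder_name(folder), parse_config_version(config)
        version = hdr["version"] if hdr else None
        report[folder] = {"ip": target[0] if target else None,
                          "port": target[1] if target else None,
                          "version": version,
                          "affected_train": bool(version and is_affected_version(version)),
                          "iocs": find_iocs(config)}
    return report


# Constructed samples: one backup showing both IoCs on 7.0.6, one clean 7.2.2 backup.
LEAKED_CONFIG = "\n".join([
    "#config-version=FGT60F-7.0.6-FW-build0366-220421:opmode=0:vdom=0:user=Local_Process_Access",
    "config system global", '    set hostname "branch-fw"', "end",
    "config system admin",
    '    edit "admin"', '        set accprofile "super_admin"',
    "        config gui-dashboard", "            edit 1", "            next", "        end",
    "    next",
    '    edit "fortigate-tech-support"', '        set accprofile "super_admin"', "    next",
    "end",
])
CLEAN_CONFIG = "\n".join([
    "#config-version=FGT100F-7.2.2-FW-build1255-221004:opmode=0:vdom=0:user=admin",
    "config system admin", '    edit "admin"', '        set accprofile "super_admin"',
    "    next", "end",
])
SAMPLE_DUMP = {"10.20.30.41_10443": LEAKED_CONFIG, "10.20.30.42_443": CLEAN_CONFIG}

if __name__ == "__main__":
    for folder, verdict in triage_dump(SAMPLE_DUMP).items():
        print(folder, verdict)
```

Run it over a directory by reading each folder's config.conf into the dump dictionary; a device that is on an affected train and shows either IoC is the case the post's recommended actions are written for, while a backup on 7.2.2 or later with no IoC matches the "not impacted" statement in the conclusion.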