FortiBleed: Mass Credential Theft Targeting FortiGate VPNs
The FortiBleed campaign leverages a suspected zero-day vulnerability in FortiGate VPN devices to carry out mass credential theft. The operation serves as a dedicated initial access pipeline for the INC and Lynx ransomware groups and is orchestrated by a single operator who manages both the exploit infrastructure and the ransomware negotiation panels. Once valid VPN credentials have been compromised, ransomware is deployed at high velocity, bypassing traditional perimeter defenses. The impact is widespread unauthorized access to corporate environments followed by data encryption.
Fortinet FortiGate: Industrial-Scale 'FortiBleed' Credential Exposure
The 'FortiBleed' campaign targeted approximately 74,000 internet-facing Fortinet FortiGate firewalls across 194 countries. Threat actors exploited an open directory vulnerability or misconfiguration to extract configuration files containing authentication hashes. Using a specialized 45-GPU cluster, the attackers conducted an estimated 1.16 billion brute-force attempts to crack these hashes, gaining unauthorized administrator and SSL VPN access. This initial perimeter breach served as a gateway for lateral movement into internal enterprise networks, with Active Directory (AD) specifically targeted for privilege escalation and full domain compromise.