The 'FortiBleed' campaign targeted approximately 74,000 internet-facing Fortinet FortiGate firewalls across 194 countries. Threat actors exploited an open directory vulnerability or misconfiguration to extract configuration files containing authentication hashes. Utilizing a specialized 45-GPU cluster, attackers conducted an estimated 1.16 billion brute-force attempts to crack these hashes, gaining unauthorized administrator and SSL VPN access. This initial perimeter breach served as a gateway for lateral movement into internal enterprise networks, specifically targeting Active Directory (AD) for privilege escalation and full domain compromise.
Incident Overview: Global FortiGate Compromise
- Impacted an estimated 73,932 devices across 194 countries, representing a significant portion of internet-facing FortiGate deployments.
- Primary targets included administrator credentials and SSL VPN access tokens.
- Coordinated intelligence from Arctic Wolf, CISA, and Cloudsek identified the campaign as a systematic, industrial-scale operation.
Attack Vector: Configuration Extraction
- Exploited "open directory" vulnerabilities or critical misconfigurations on internet-facing units to leak system files.
- Focused on extracting configuration files containing stored authentication hashes for offline analysis.
- Sidestepped active perimeter defenses by shifting the attack from live authentication attempts against the device to offline cracking of the stolen hashes.
Threat Actor Infrastructure: High-Performance Cracking
- Deployed a dedicated 45-GPU cluster to crack the extracted hashes at scale.
- Executed approximately 1.16 billion brute-force attempts to turn the stolen hashes into working credentials.
- Attributed by investigators to a sophisticated, likely Russian-speaking threat group.
Post-Exploitation: Lateral Movement & AD Escalation
- Leveraged cracked SSL VPN and admin credentials to establish authenticated entry into protected networks, indistinguishable from legitimate logins.
- Utilized the FortiGate gateway as a pivot point to move laterally into internal environments.
- Specifically targeted Active Directory (AD) environments to escalate privileges and expand the foothold within the enterprise.
Defensive Actions: Mitigation & Hardening
- Immediate audit of all internet-facing FortiGate devices for open directory exposures and unauthorized configuration access.
- Mandatory reset of all administrator and SSL VPN passwords to invalidate leaked credentials.
- Enforcement of Multi-Factor Authentication (MFA) across all remote access points to mitigate the risk of credential reuse.
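The reset and MFA actions above both start from knowing which accounts in a FortiGate configuration backup carry a stored hash and which lack two-factor. The following is an added audit helper, not code from the original post, Fortinet, or any cited vendor; it assumes the FortiOS CLI backup layout shown (config/edit/set/next/end blocks, `set password ENC ...` for admins and `set passwd ENC ...` for local users) and uses constructed placeholder hashes.

```python
# Constructed sample backup; layout follows the FortiOS CLI backup format.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC PLACEHOLDER-HASH-1
    next
end
config user local
    edit "vpn.alice"
        set passwd ENC PLACEHOLDER-HASH-2
    next
    edit "vpn.bob"
        set two-factor fortitoken
        set passwd ENC PLACEHOLDER-HASH-3
    next
end
"""

AUDITED_SECTIONS = ("system admin", "user local")  # admins and local (SSL VPN) users

def parse_accounts(text):
    """Return {(section, name): {setting: value}} for each 'edit' entry."""
    accounts, section, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
        elif line.startswith("edit "):
            name = line[5:].strip('"')
            accounts[(section, name)] = {}
        elif line == "next":
            name = None
        elif line == "end":
            section = None
        elif line.startswith("set ") and name is not None:
            key, _, value = line[4:].partition(" ")
            accounts[(section, name)][key] = value
    return accounts

def audit(text):
    """Return (accounts_with_stored_hash, accounts_without_two_factor)."""
    reset, mfa_gap = [], []
    for (section, name), s in parse_accounts(text).items():
        if section not in AUDITED_SECTIONS:
            continue
        if any(s.get(k, "").startswith("ENC ") for k in ("password", "passwd")):
            reset.append(name)      # hash sat in the backup: treat as exposed, reset it
        if s.get("two-factor", "disable") == "disable":
            mfa_gap.append(name)    # no MFA on an admin or VPN account
    return sorted(reset), sorted(mfa_gap)
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents; every name in the first list needs a reset and every name in the second needs MFA enrolled before it is allowed remote access again.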