
The 'FortiBleed' campaign targeted approximately 74,000 internet-facing Fortinet FortiGate firewalls across 194 countries. Threat actors exploited an open directory vulnerability or misconfiguration to extract configuration files containing authentication hashes. Utilizing a specialized 45-GPU cluster, attackers conducted an estimated 1.16 billion brute-force attempts to crack these hashes, gaining unauthorized administrator and SSL VPN access. This initial perimeter breach served as a gateway for lateral movement into internal enterprise networks, specifically targeting Active Directory (AD) for privilege escalation and full domain compromise.

  • Incident Overview: Global FortiGate Compromise
    • Impacted an estimated 73,932 devices across 194 countries, representing a significant portion of internet-facing FortiGate deployments.
    • Primary targets included administrator credentials and SSL VPN access tokens.
    • Coordinated intelligence from Arctic Wolf, CISA, and CloudSEK identified the campaign as a systematic, industrial-scale operation.
  • Attack Vector: Configuration Extraction
    • Exploited "open directory" vulnerabilities or critical misconfigurations on internet-facing units to leak system files.
    • Focused on extracting configuration files containing stored authentication hashes for offline analysis.
    • Bypassed active perimeter defenses by shifting the attack surface from live authentication attempts, which are visible to the target, to offline hash cracking, which is not.
  • Threat Actor Infrastructure: High-Performance Cracking
    • Deployed a dedicated 45-GPU cluster to facilitate large-scale hash cracking.
    • Executed approximately 1.16 billion brute-force attempts to crack the stolen hashes.
    • Attributed by investigators to a sophisticated, likely Russian-speaking threat group.
  • Post-Exploitation: Lateral Movement & AD Escalation
    • Leveraged cracked SSL VPN and admin credentials to establish authenticated entry into protected networks.
    • Utilized the FortiGate gateway as a pivot point to move laterally into internal environments.
    • Specifically targeted Active Directory (AD) environments to escalate privileges and expand the foothold within the enterprise.
  • Defensive Actions: Mitigation & Hardening
    • Immediate audit of all internet-facing FortiGate devices for open directory exposures and unauthorized configuration access.
    • Mandatory reset of all administrator and SSL VPN passwords to invalidate leaked credentials; the reset only helps once the exposure is closed, since new hashes could otherwise be extracted the same way.
    • Enforcement of Multi-Factor Authentication (MFA) across all remote access points to mitigate the risk of credential reuse.
