CISA Issues Urgent Advisory as 'FortiBleed' Campaign Compromises Over 86,000 Fortinet Devices Globally

FortiBleed Carnage: 86,000+ Fortinet Devices Exposed in Massive Credential Leak

Severity: CRITICAL
Published: June 20, 2026
Updated: June 22, 2026
6 min read
Data Breach, Threat Actor, Cyberattack

Impact Scope

People Affected

Administrators of over 86,000 devices

Industries Affected

Telecommunications, Government, Education, Finance, Healthcare, Manufacturing, Critical Infrastructure

Geographic Impact

India, United States, Mexico, Colombia, Thailand (global)

Related Entities (initial)

Threat Actors

Unnamed Russian-speaking threat group

Products & Tech

FortiGate, Hashtopolis, Active Directory

Other

Chisel, Neo-reGeorg

Full Report (when first published)

Executive Summary

A large-scale credential theft campaign, publicly tracked as FortiBleed, has compromised at least 86,000 Fortinet FortiGate firewalls and SSL VPN gateways across 194 countries. The campaign, attributed to a Russian-speaking threat actor, exploits no new vulnerability; it relies on poor credential hygiene and on legacy password-hash formats still present on many devices. The actor assembled credentials from earlier data breaches and infostealer malware logs, cracked password hashes offline, and used the resulting valid logins to gain unauthorized access. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory directing organizations to harden their Fortinet appliances immediately by rotating all credentials, enabling MFA, and auditing for lateral movement.

Threat Overview

The FortiBleed campaign is a significant threat to organizations that rely on Fortinet security appliances. At its core it is a large credential stuffing and password cracking operation: the threat actor collected a large dataset of credentials associated with FortiGate devices and used a 45-GPU cluster, managed with the Hashtopolis distributed cracking tool, to recover plaintext passwords from hashes. Two factors account for most of its success: weak or default administrator passwords, and the older, faster hashing algorithms that earlier FortiOS releases used for credentials stored in configuration files.

Once valid credentials were obtained, the attackers gained access to the SSL VPN and administrative interfaces of the firewalls. This initial foothold was then used to deploy post-exploitation tools like Chisel and Neo-reGeorg for tunneling traffic and facilitating lateral movement into the internal corporate networks. The most affected sectors include telecommunications, government, and education, with a high concentration of compromised devices in India, the U.S., Mexico, Colombia, and Thailand.

Technical Analysis

The attack chain is straightforward but highly effective, relying on operational security failures rather than sophisticated exploits.

  1. Credential Acquisition: The threat actor gathered credentials from publicly available data breaches and underground marketplaces where logs from infostealer malware are sold.
  2. Password Cracking: The attackers targeted authentication hashes for SSL VPN and administrative accounts. Using the GPU cluster, they cracked these hashes offline to recover plaintext passwords. The hit rate was high because the hash formats on older FortiOS versions use fast algorithms that let a GPU cluster test very large numbers of candidates per second, and because many users had chosen short, guessable passwords.
  3. Initial Access: With valid credentials in hand, the attackers logged into the FortiGate SSL VPN portals and administrative interfaces. According to analysis from SOCRadar, 35% of the compromised accounts were the built-in 'admin' account and 28.3% were other built-in system accounts, which points to a widespread failure to replace default accounts. This maps to MITRE ATT&CK T1078 (Valid Accounts).
  4. Post-Exploitation: After gaining access, the attackers deployed the tunneling tools Chisel and Neo-reGeorg to establish persistent access and pivot into the internal network (T1572, Protocol Tunneling). Tunneling through the firewall lets them bypass perimeter controls and move laterally over ordinary remote services (T1021, Remote Services).

The underlying weakness is the historical use of weaker password-hash formats for credentials stored in FortiGate configuration files. Newer FortiOS releases use PBKDF2, but a device upgraded from older firmware keeps the old hash for any account whose password was never reset afterwards: the device cannot rehash a password without its plaintext, so such an account stays crackable at the speed of the legacy algorithm until its password is changed.

Impact Assessment

The business impact of a compromised edge security appliance is severe. Attackers with administrative access to a FortiGate firewall can:

  • Monitor traffic passing through the device, including any TLS sessions the firewall already decrypts for inspection.
  • Disable or rewrite security policies to let malicious traffic into the network.
  • Create VPN tunnels to exfiltrate sensitive data or establish a covert command-and-control channel.
  • Use the firewall as a pivot point to attack internal assets, including domain controllers and critical servers.
  • Stage and deploy ransomware across the entire network.

The reputational damage and regulatory fines resulting from a data breach originating from this vector can be substantial. The cost of incident response, forensic analysis, and remediation adds significant financial strain.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns which could indicate related activity:

Type | Value | Description
process_name | chisel | The Chisel tunneling tool process, often seen in post-exploitation.
process_name | neoregeorg | The Neo-reGeorg tunneling tool, used to create SOCKS proxies. Its client is normally run as a Python script, so match on the command line as well as the process name.
log_source | FortiGate Event Logs | Monitor event IDs for failed and successful administrative logins from unusual IP addresses or geolocations.
network_traffic_pattern | Unusual outbound connections from the firewall management interface | The management interface should normally communicate only with internal administrative subnets.
command_line_pattern | diagnose sys session list | Attackers may use this FortiOS CLI command to view active sessions. Monitor for its use by non-standard admin accounts.

Detection & Response

Detection:

  • Log Analysis: Ingest FortiGate event logs into a SIEM. Alert on several failed login attempts followed by a success from the same source IP, on successful logins from geographically implausible locations or from outside the trusted management ranges, and on non-standard user agents. D3FEND's Domain Account Monitoring (D3-DAM) is the relevant technique.
  • Network Traffic Analysis: Monitor traffic originating from the firewall's management interface. Connections to anything other than expected destinations (internal administrative subnets, FortiGuard update services, FortiManager or FortiAnalyzer) are highly suspicious. D3FEND's Network Traffic Analysis (D3-NTA) techniques help surface such anomalies.
  • Configuration Auditing: Regularly audit FortiGate configurations for legacy accounts, accounts still on the old password-hash format, weak passwords, and overly permissive firewall rules.
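The log-analysis rule above, as an added example that is not part of the original article or of any Fortinet tooling: a small Python hunt over FortiGate event logs in their key=value syslog format. The sample lines are constructed; the logid values 0100032001/0100032002 are assumed to be the admin login success/failure IDs (the logic keys off the action and status fields, not the IDs); and 10.10.0.0/24 is an assumed trusted management subnet. It flags any source IP whose successful login follows three or more failed attempts, across any usernames, and any successful login from outside the trusted subnet.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed trusted administrative subnet(s); replace with your own.
ALLOWED_MGMT_NETS = [ip_network("10.10.0.0/24")]

# Constructed sample events in FortiGate key=value syslog style (not real
# device output). logid 0100032001/0100032002 are assumed to be the admin
# login success/failure IDs; detection keys off action= and status= instead.
SAMPLE_LOGS = """\
date=2026-06-18 time=09:00:01 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-06-18 time=09:00:03 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-06-18 time=09:00:05 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="fortigate" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-06-18 time=09:00:09 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="success"
date=2026-06-18 time=09:05:00 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-18 time=09:10:00 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="netops-jdoe" ui="https(10.10.0.15)" srcip=10.10.0.15 action="login" status="success"
"""

# key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiGate log line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parse_logs(text):
    """Parse a block of log lines, skipping blank ones."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def login_events(events):
    """Keep only login attempts that carry an outcome."""
    return [e for e in events if e.get("action") == "login" and "status" in e]


def find_failures_then_success(events, threshold=3):
    """Flag a source IP whose successful login follows >= threshold failed
    attempts (any user, in log order). The failure counter resets after each
    success so one noisy IP is reported once per burst."""
    failed_users = defaultdict(list)
    hits = []
    for e in login_events(events):
        ip = e.get("srcip")
        if e["status"] == "failed":
            failed_users[ip].append(e.get("user", "?"))
        elif e["status"] == "success":
            if len(failed_users[ip]) >= threshold:
                hits.append({
                    "srcip": ip,
                    "user": e.get("user"),
                    "failed_attempts": len(failed_users[ip]),
                    "users_tried": sorted(set(failed_users[ip])),
                    "time": f'{e.get("date")} {e.get("time")}',
                })
            failed_users[ip] = []
    return hits


def find_untrusted_successes(events, allowed=ALLOWED_MGMT_NETS):
    """Flag successful logins whose source is outside the trusted subnets."""
    hits = []
    for e in login_events(events):
        if e["status"] != "success":
            continue
        try:
            ip = ip_address(e.get("srcip", ""))
        except ValueError:
            continue  # malformed or missing srcip: skip rather than crash
        if not any(ip in net for net in allowed):
            hits.append({"srcip": str(ip), "user": e.get("user")})
    return hits


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for h in find_failures_then_success(evts):
        print("failures-then-success:", h)
    for h in find_untrusted_successes(evts):
        print("admin login from untrusted source:", h)
```

On the sample, 203.0.113.5 is reported by both checks (three failures across two usernames, then a success from a non-management address), 198.51.100.7 by neither (a single failure), and the login from 10.10.0.15 passes. Counting failures per source IP rather than per user is deliberate: credential stuffing rotates usernames, so a per-user threshold would miss it.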

Response:

  1. Immediately terminate all active SSL VPN and administrative sessions.
  2. Isolate potentially compromised devices from the network to prevent further lateral movement.
  3. Preserve logs and a snapshot of the device for forensic analysis.
  4. Reset passwords for ALL administrative and SSL VPN user accounts, enforcing a strong complexity policy.
  5. Begin a hunt for signs of lateral movement within the internal network, looking for the use of tools like Chisel or unusual activity from service accounts.

Mitigation

Immediate Actions:

  • Rotate All Credentials: Immediately reset all local user, administrator, and VPN user passwords on all Fortinet devices.
  • Enable MFA: Enforce phishing-resistant Multi-factor Authentication (M1032) for all administrative and VPN accounts. This is the single most effective mitigation.
  • Restrict Access: Apply the principle of least privilege. Restrict access to the SSL VPN and administrative interfaces to trusted IP address ranges. Do not expose management interfaces to the public internet. This aligns with M1035 - Limit Access to Resource Over Network.

Strategic Improvements:

  • Credential Hygiene: Implement and enforce a strong password policy. Eliminate default accounts like 'admin' and use named administrator accounts. This is a key part of M1026 - Privileged Account Management.
  • Update Hashing Algorithm: Ensure every administrator credential is stored in the current hash format (newer FortiOS releases use PBKDF2). Run show system admin and check the prefix of the ENC value on each account's set password line against Fortinet's documentation for the running firmware. Any account still on the legacy format must have its password reset; upgrading the firmware alone does not rehash an existing password, because the device never holds the plaintext.
  • Regular Auditing: Implement a regular schedule for auditing firewall rules, user accounts, and device configurations. This falls under M1047 - Audit.
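For the legacy-hash point in the Technical Analysis and the "Update Hashing Algorithm" and "Credential Hygiene" items above, here is an added audit script that is not part of the article or of Fortinet's tooling. It parses the output of show system admin (the sample below is constructed, with dummy hash bodies) and flags accounts that keep the default name, still carry a legacy password hash, have no trusthost restriction, or have no two-factor setting. The hash-prefix mapping (AK1 as legacy, SH2 as current) and the setting names trusthost1, two-factor and accprofile are assumptions to verify against Fortinet's documentation for your firmware; the parser reads only the settings it needs and ignores the rest.

```python
import re

# Assumed FortiOS password-hash prefixes: "AK1" = legacy (SHA-1 based), "SH2" =
# current (SHA-256 based). Verify against Fortinet's docs for your firmware
# before relying on this table; it is not taken from the source article.
LEGACY_HASH_PREFIXES = {"AK1"}
CURRENT_HASH_PREFIXES = {"SH2"}
DEFAULT_ACCOUNT_NAMES = {"admin"}

# Constructed sample of `show system admin` output (hash bodies are dummies).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1dummyLegacyHashBodyXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    next
    edit "netops-jdoe"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTK2001DUMMY0001"
        set password ENC SH2dummyCurrentHashBodyYYYYYYYYYYYYYYYYYYYYYYYYYYY
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2dummyCurrentHashBodyZZZZZZZZZZZZZZZZZZZZZZZZZZZ
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
SET_RE = re.compile(r'^set\s+(\S+)\s+(.+)$')


def parse_system_admin(text):
    """Return {account_name: {setting: value}} from `show system admin` output.
    Only `edit`/`set`/`next` lines are interpreted; anything else is ignored."""
    admins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            admins[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            admins[current][m.group(1)] = m.group(2).strip()
    return admins


def hash_scheme(password_setting):
    """Extract the scheme prefix from 'ENC <hash>' (e.g. 'AK1', 'SH2')."""
    parts = password_setting.split()
    if len(parts) == 2 and parts[0] == "ENC":
        return parts[1][:3]
    return "unknown"


def audit_admins(admins):
    """Return {account_name: [issue, ...]}; an empty list means the account
    passed every check."""
    findings = {}
    for name, settings in admins.items():
        issues = []
        if name in DEFAULT_ACCOUNT_NAMES:
            issues.append("default account name still in use")
        scheme = hash_scheme(settings.get("password", ""))
        if scheme in LEGACY_HASH_PREFIXES:
            issues.append(f"legacy password hash ({scheme}); reset the password")
        elif scheme not in CURRENT_HASH_PREFIXES:
            issues.append(f"unrecognised password hash format ({scheme}); review manually")
        if not any(k.startswith("trusthost") for k in settings):
            issues.append("no trusthost restriction; reachable from any source")
        if settings.get("two-factor", "disable") == "disable":
            issues.append("no two-factor authentication")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_admins(parse_system_admin(SAMPLE_CONFIG)).items():
        print(account, "->", issues or ["OK"])
```

Run it against the real output of show system admin captured from each device; the "admin" account in the sample trips all four checks, "backup-admin" has a current hash but no source restriction or second factor, and the named, trusthost-bound, token-enrolled "netops-jdoe" account is the target state. Treat an unrecognised prefix as a finding rather than a pass: a scheme the script does not know about needs a human to look at it.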

Timeline of Events

1. June 18, 2026: CISA issues an urgent advisory regarding the FortiBleed campaign.
2. June 19, 2026: Multiple security news outlets report on the scale of the compromise, with figures ranging from 74,000 to over 86,000 devices.
3. June 20, 2026: This article was published.

Article Updates

June 22, 2026

International agencies issue joint alert on FortiBleed, reinforcing threat and detailing credential stuffing TTPs.

MITRE ATT&CK Mitigations

M1032 Multi-factor Authentication: Enforcing MFA on all administrative and VPN accounts is the most critical defense against credential-based attacks.

M1027 Password Policies: Enforce strong, complex passwords and prevent reuse to make cracking and guessing more difficult.

M1026 Privileged Account Management: Regularly audit and remove default, unused, or shared privileged accounts.

M1035 Limit Access to Resource Over Network: Restrict management interface access to a dedicated, internal administrative network.

M1047 Audit: Implement comprehensive logging and regular auditing of administrative activities on network devices.

D3FEND Defensive Countermeasures

Multi-factor Authentication (D3-MFA): Immediately enforce phishing-resistant MFA for all administrative and SSL VPN access on FortiGate devices. This is the single most effective countermeasure against FortiBleed, because a stolen or cracked password alone no longer grants access. Prefer hardware-backed FIDO2/WebAuthn authenticators or certificate-based authentication over SMS or push notifications, which are vulnerable to interception and MFA-fatigue attacks. Require MFA for both GUI and CLI administrative sessions, and make sure every SSL VPN user group, including third-party contractors and partners, is enrolled. This hardens the exact initial access vector the threat actor used and is an effective compensating control even where password hygiene is poor. Pair the rollout with user training on MFA-related social engineering.

Strong Password Policy (D3-SPP): Implement and enforce a robust password policy for all FortiGate local user accounts: a minimum length of 15 characters with a mix of uppercase letters, lowercase letters, numbers, and special characters. Critically, disable or remove default accounts such as 'admin' and replace them with named administrator accounts. Enforce password history to prevent reuse. Set a maximum password age of 90 days if your policy requires scheduled rotation (NIST SP 800-63B instead favours length and screening against breached-password lists over periodic change); in either case, force an immediate reset for all users now to invalidate any credentials already in the actor's hands. This technique addresses the root cause of the campaign's success: weak, default, and easily crackable passwords. Use FortiGate's built-in password policy enforcement to automate the control.

Network Isolation (D3-NI): Isolate the FortiGate management interfaces (both HTTPS and SSH) from the public internet and from general corporate user networks. Create a dedicated, segmented management VLAN or subnet reachable only from a limited set of hardened administrative workstations or a bastion host, and use the FortiGate's own local-in policies and per-administrator trusted hosts to restrict which source addresses can reach the management ports. This drastically reduces the attack surface: an external attacker cannot even reach the login page, whether or not they hold valid credentials. It directly counters the initial access phase of the FortiBleed attack and is a foundational practice for all network infrastructure.


Sources & References (when first published)

CISA warns Fortinet users to secure devices after FortiBleed leak
BleepingComputer (bleepingcomputer.com) June 19, 2026
FortiBleed: 86,000 Fortinet Device Credentials Compromised
SecurityWeek (securityweek.com) June 19, 2026
CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices
The Hacker News (thehackernews.com) June 19, 2026
FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems
Recorded Future (recordedfuture.com) June 19, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

FortiBleed, Credential Stuffing, Password Cracking, Fortinet, CISA, VPN Security, MFA
