Massive "FortiBleed" Campaign Compromises Credentials for over 70,000 Fortinet Devices

‘FortiBleed’ Campaign: Over 70,000 Fortinet Firewalls Compromised in Global Credential Heist

CRITICAL
June 19, 2026
5m read
Cyberattack, Data Breach, Threat Intelligence

Impact Scope

People Affected

Credentials for 73,932 devices

Industries Affected

Government, Critical Infrastructure, Telecommunications, Finance, Healthcare, Manufacturing

Geographic Impact

United States, India, Mexico (global)

Related Entities

Organizations

Fortinet, Australian Cyber Security Centre

Products & Tech

FortiGate, Fortinet SSL VPN, Hashtopolis, Active Directory

Other

Hudson Rock, Kevin Beaumont

Full Report

Executive Summary

A massive and highly automated credential harvesting campaign, dubbed 'FortiBleed', has led to the compromise of administrative and SSL-VPN credentials for at least 73,932 Fortinet FortiGate devices worldwide. The operation, attributed to a Russian-speaking threat group, has affected organizations across 194 countries and over 21,000 unique domains. The attackers conducted a large-scale brute-force and credential stuffing attack, exfiltrated configuration files containing hashed credentials, and cracked them offline. Fortinet has stated this campaign does not leverage a new zero-day vulnerability but instead exploits poor security hygiene, such as weak or reused passwords and the absence of multi-factor authentication (MFA). The breach poses a significant threat, as compromised firewalls provide attackers with a direct entry point into corporate networks, enabling data theft, ransomware deployment, and lateral movement.

Threat Overview

The 'FortiBleed' campaign is a textbook example of leveraging weak credentials at scale. The threat actors systematically targeted internet-facing FortiGate firewalls and SSL-VPN gateways. Their primary method involved:

  1. Mass Scanning & Brute-Force: Conducting over 1.16 billion automated login attempts against FortiGate devices.
  2. Configuration Exfiltration: Stealing configuration files from vulnerable devices.
  3. Offline Hash Cracking: Extracting SSL VPN authentication hashes (sslvpn_websession) from the configuration files and cracking them offline using a powerful 45-GPU cluster managed by Hashtopolis.
  4. Credential Validation & Sale: Verifying the cracked credentials and likely selling them on underground forums or using them for direct network access.

Once initial access was gained via the compromised VPN or administrative accounts, attackers were observed pivoting into internal Active Directory environments to escalate their attacks.

Technical Analysis

The core of the attack does not rely on sophisticated exploits but on fundamental security failings. The attackers targeted the authentication mechanisms of FortiGate devices. The ability to grab configuration files suggests either the use of a prior vulnerability or the successful guessing of administrative credentials.

The most critical component was the offline cracking of password hashes. By exfiltrating the sslvpn_websession hashes, the attackers could use immense computational power without the risk of triggering lockout policies on the target devices. This highlights the danger of storing even hashed credentials in accessible configuration backups.

MITRE ATT&CK Techniques:

  • T1110 - Brute Force: The attackers used brute force and credential stuffing against login interfaces.
  • T1110.002 - Password Cracking: The use of a GPU cluster to crack exfiltrated password hashes offline is a clear example of this technique.
  • T1078 - Valid Accounts: The ultimate goal and result of the campaign is the acquisition of valid administrative and VPN accounts.
  • T1589.002 - Email Addresses: The attackers likely harvested email addresses from previous breaches to use in credential stuffing attacks.
  • T1087.002 - Domain Account: Post-compromise, attackers pivoted to compromise internal Active Directory accounts.

Impact Assessment

The impact of this campaign is severe. A compromised firewall or VPN gateway is one of the most critical security failures an organization can experience. It grants attackers a trusted position on the network perimeter, from which they can:

  • Monitor and Intercept Traffic: Capture sensitive data passing through the firewall.
  • Lateral Movement: Pivot into the internal network to access servers, databases, and workstations.
  • Deploy Ransomware: Use the initial foothold to deploy ransomware across the entire enterprise.
  • Data Exfiltration: Steal intellectual property, customer data, and other sensitive information.

Given the targeting of critical infrastructure, government, and financial services, the potential for widespread disruption and significant financial loss is extremely high. The global scale of the compromise means that secondary attacks stemming from this campaign are likely to be seen for months or even years to come.

IOCs — Directly from Articles

No specific file hashes or C2 domains were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to identify related activity:

  • Log Source: FortiGate System and Security Event Logs.
  • Observable: A high volume of failed login attempts from single or multiple IP addresses against the administrative or SSL-VPN interfaces.
  • Observable: Successful logins from geographically anomalous locations or outside of normal business hours.
  • Observable: Any successful login using an account that does not have MFA enabled.
  • Observable: Outbound connections from the FortiGate device to unknown or suspicious IP addresses, which could indicate exfiltration of configuration files.
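The hunting hints above, turned into a script that a SOC analyst could run over an exported FortiGate event log. This is an added example, not tooling from the article or from Fortinet; the sample lines are constructed in FortiGate's key=value event-log style, and the field names relied on (srcip/remip, user, action, status, date, time) are assumptions about the export format that should be checked against real logs before use. The MFA-enrolled account list is likewise a constructed stand-in for an inventory pulled from the device config or an identity provider.

```python
"""Hunt FortiGate event logs for the FortiBleed patterns above.

Added example (not from the original article or from Fortinet). Field
names are an assumption about the key=value export format.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real telemetry). Lines 1-7: a burst of
# failed admin logins from one source, then a success from the same source.
# Line 8: a normal daytime admin login. Lines 9-10: one failed SSL-VPN login,
# then an SSL-VPN tunnel coming up for that user at 03:15 local time.
SAMPLE_LOGS = """\
date=2026-06-18 time=02:10:01 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-06-18 time=02:10:02 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-06-18 time=02:10:03 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-06-18 time=02:10:04 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-06-18 time=02:10:05 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-06-18 time=02:10:06 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-06-18 time=02:10:09 type="event" subtype="system" action="login" status="success" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-06-18 time=10:30:00 type="event" subtype="system" action="login" status="success" user="netops" srcip=192.0.2.10 ui="https(192.0.2.10)"
date=2026-06-18 time=03:15:44 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=203.0.113.9 tunneltype="ssl-web"
date=2026-06-18 time=03:15:50 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=203.0.113.9 tunneltype="ssl-tunnel"
"""

# Constructed inventory of accounts with a second factor enrolled; in practice
# this comes from the device config or your identity provider.
MFA_ENROLLED = {"netops"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def login_outcome(rec):
    """Classify a record as 'failed', 'success' or None (not a login event)."""
    action = rec.get("action", "")
    if action == "login":            # admin GUI/SSH login attempt
        return "success" if rec.get("status") == "success" else "failed"
    if action == "ssl-login-fail":   # SSL-VPN portal failure
        return "failed"
    if action == "tunnel-up":        # SSL-VPN session established
        return "success"
    return None


def source_ip(rec):
    # Admin events carry srcip, SSL-VPN events carry remip (assumption).
    return rec.get("srcip") or rec.get("remip")


def event_hour(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S").hour


def hunt(text, mfa_users, fail_threshold=5, business_hours=(8, 18)):
    """Run the hunts from the article over key=value log text and return hits."""
    records = parse_logs(text)
    failures = Counter(source_ip(r) for r in records if login_outcome(r) == "failed")
    noisy_sources = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    successes = [r for r in records if login_outcome(r) == "success"]
    start, end = business_hours
    return {
        # 1. high volume of failed logins per source address
        "brute_force_sources": noisy_sources,
        # 2. a success from a source that was just brute-forcing: top priority
        "success_after_failures": [(r["user"], source_ip(r))
                                   for r in successes if source_ip(r) in noisy_sources],
        # 3. successes outside business hours (a GeoIP lookup would add the
        #    geographic check; it is omitted here to stay offline)
        "off_hours_success": [(r["user"], source_ip(r), r["time"])
                              for r in successes if not start <= event_hour(r) < end],
        # 4. successes by accounts that have no second factor enrolled
        "no_mfa_success": sorted({r["user"] for r in successes} - set(mfa_users)),
    }


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_LOGS, MFA_ENROLLED).items():
        print(f"{name}: {hits}")
```

The "success after failures" list is the one to triage first: a successful login from an address that was just spraying the interface is the direct signature of the cracked-credential reuse the campaign relies on, whereas the off-hours and no-MFA lists are noisier and mostly useful for deciding which sessions to terminate.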

Detection & Response

  • Audit Logs: Immediately review FortiGate authentication logs for any successful logins that appear suspicious. Cross-reference login source IPs with threat intelligence feeds.
  • Session Review: Terminate all active administrative and VPN user sessions to force re-authentication.
  • EDR/NDR: Monitor internal network traffic for signs of lateral movement originating from IP addresses associated with VPN users. Look for unusual RDP, SMB, or WinRM activity.
  • D3FEND Techniques: Implement D3-DAM: Domain Account Monitoring and D3-LAM: Local Account Monitoring to detect anomalous use of the compromised credentials within the network.

Mitigation

Fortinet and security researchers strongly recommend the following actions:

  1. Enforce MFA: Immediately enable and enforce multi-factor authentication (MFA) for all administrative and SSL-VPN user accounts. This is the single most effective defense against this attack.
  2. Reset All Credentials: Force a password reset for all FortiGate local users, especially administrative and VPN accounts. Ensure new passwords are long, complex, and unique.
  3. Implement Strong Password Policies: Enforce policies that require complex passwords and regular rotation.
  4. Upgrade Firmware: Update all Fortinet devices to the latest recommended firmware version to ensure all known vulnerabilities are patched.
  5. Restrict Access: Limit access to the FortiGate management interface to a trusted set of source IP addresses. Do not expose the management interface directly to the internet if possible.

Timeline of Events

  1. June 13, 2026: Security researcher Volodymyr Diachenko first reports on the campaign.
  2. June 18, 2026: The Australian Cyber Security Centre issues a critical alert regarding the FortiBleed campaign.
  3. June 19, 2026: Fortinet publishes a blog post acknowledging the campaign and providing mitigation guidance.
  4. June 19, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Enforcing MFA on all administrative and VPN accounts is the single most effective countermeasure, as it invalidates stolen passwords.
  • Enforce strong, complex passwords to make brute-forcing and offline cracking significantly more difficult and time-consuming.
  • Restrict access to the FortiGate management interface to a limited set of trusted IP addresses, reducing the attack surface exposed to the internet.
  • Audit (M1047, Enterprise): Regularly audit authentication logs for signs of brute-force attacks or anomalous successful logins to enable early detection.
  • Keeping FortiGate firmware up-to-date ensures that any past vulnerabilities that could facilitate configuration exfiltration are patched.

D3FEND Defensive Countermeasures

The most critical and immediate action for all Fortinet administrators is to enable and enforce Multi-factor Authentication (MFA) on all administrative and SSL-VPN accounts. The 'FortiBleed' campaign relies entirely on the compromise of single-factor (password-only) authentication. By requiring a second factor, such as a one-time password (OTP) from an authenticator app or a hardware token, stolen or cracked passwords become useless to the attacker. This should be implemented with zero exceptions for all users, including service accounts and high-privileged administrators. This single hardening action effectively neutralizes the primary attack vector used in this campaign and provides a robust defense against future credential-based attacks.

Immediately enforce a strong password policy for all FortiGate local accounts and force a password reset for all users. This policy should mandate a minimum length of 15 characters, including a mix of uppercase letters, lowercase letters, numbers, and symbols. This is crucial because the attackers are performing offline hash cracking. A complex password dramatically increases the time and computational resources required to crack a hash, often making it infeasible. Banning common and previously breached passwords is also recommended. While MFA is the primary defense, a strong password policy serves as a vital layer of defense that hardens the credentials themselves against brute-force and dictionary attacks.

Restrict network access to the FortiGate's management interface (HTTPS, SSH) to a specific, authorized set of IP addresses or subnets, such as a dedicated management network or specific corporate office IPs. The management interface should never be exposed to the entire internet. By implementing a strict allowlist for management access, organizations can drastically reduce the attack surface available for brute-force attempts. This prevents the attackers' automated scanning and login tools from ever reaching the authentication portal, effectively blocking the first stage of the attack. This is a fundamental network hardening practice that should be applied to all critical infrastructure management interfaces.
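A way to check whether a FortiGate backup actually reflects the hardening described in the Mitigation list (MFA, password policy, restricted management access) and in the three D3FEND countermeasures above: parse the configuration export and report every account or interface that falls short. This is an added example written for this page, not Fortinet's tooling. The sample configuration is constructed in FortiOS CLI backup syntax with placeholder token serials and ENC blobs; the setting names it checks (two-factor, trusthostN, allowaccess, role, and the password-policy status and minimum-length) follow that syntax, but verify them against the CLI reference for your firmware before relying on the results.

```python
"""Audit a FortiOS configuration backup for the hardening gaps described above.

Added example (not Fortinet's tooling). The sample config is constructed;
setting names are assumptions to verify against your firmware's CLI reference.
"""
import shlex

# Constructed sample backup: a weak password policy, one admin without a
# second factor or trusted hosts, one local VPN user without a second factor,
# and a WAN-role interface that still allows HTTPS/SSH management.
SAMPLE_CONFIG = """\
config system password-policy
    set status enable
    set minimum-length 8
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "port2"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER-0001"
        set password ENC PLACEHOLDER
    next
    edit "backup-admin"
        set password ENC PLACEHOLDER
    next
end
config user local
    edit "alice"
        set type password
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER-0002"
        set passwd ENC PLACEHOLDER
    next
    edit "bob"
        set type password
        set passwd ENC PLACEHOLDER
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS CLI config into {section: {entry: {key: value}}}.
    Scalar sections (no 'edit') get a single entry keyed None; a 'config'
    nested inside an entry is recorded as 'parent > entry > child'."""
    sections, stack = {}, []   # stack items: [section_name, current_entry]
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            name = " ".join(args)
            if stack:
                name = f"{stack[-1][0]} > {stack[-1][1]} > {name}"
            sections.setdefault(name, {})
            stack.append([name, None])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            section, entry = stack[-1]
            sections[section].setdefault(entry, {})[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return sections


def audit(sections, min_length=15):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    policy = sections.get("system password-policy", {}).get(None, {})
    if policy.get("status") != "enable":
        findings.append("password-policy: not enabled")
    elif int(policy.get("minimum-length", "0")) < min_length:
        findings.append(f"password-policy: minimum-length below {min_length}")
    for name, cfg in sections.get("system admin", {}).items():
        if cfg.get("two-factor", "disable") == "disable":
            findings.append(f"system admin {name}: no two-factor")
        if not any(k.startswith("trusthost") for k in cfg):
            findings.append(f"system admin {name}: no trusthost restriction")
    for name, cfg in sections.get("user local", {}).items():
        if cfg.get("type") == "password" and cfg.get("two-factor", "disable") == "disable":
            findings.append(f"user local {name}: no two-factor")
    for name, cfg in sections.get("system interface", {}).items():
        exposed = set(cfg.get("allowaccess", "").split()) & {"http", "https", "ssh", "telnet"}
        if cfg.get("role") == "wan" and exposed:
            findings.append(f"interface {name}: management access {sorted(exposed)} on WAN")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against every device's backup rather than a single one: the campaign's scale came from the long tail of devices where one forgotten local account or one interface still answered on the internet, and an empty findings list per device is the state the three countermeasures above describe.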

Sources & References

  • FortiBleed campaign exposes 75000 Fortinet firewalls worldwide. CSO Online (csoonline.com), June 18, 2026.
  • FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems. Recorded Future (recordedfuture.com), June 19, 2026.
  • Top 5 Cybersecurity News Stories June 19, 2026. DieSec (diesec.com), June 19, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

FortiBleed, Fortinet, FortiGate, Credential Stuffing, Brute Force, MFA, Cyberattack
