Over 110 million credentials stolen from users of compromised networks
A large-scale, financially motivated credential harvesting operation, named "FortiBleed," has been systematically compromising Fortinet FortiGate firewalls on a global scale. Since at least February 2026, the campaign, attributed to a Russian-speaking initial access broker (IAB), has breached over 430,000 devices and exfiltrated more than 110 million credentials. The attack does not leverage a specific vulnerability. Instead, it relies on a highly automated pipeline to conduct credential stuffing and brute-force attacks against internet-facing FortiGate management interfaces that are secured with weak or default passwords and lack MFA. Once initial access is gained, the attackers deploy a custom Go-based network sniffer, FortigateSniffer, which abuses a built-in diagnostic command to passively capture credentials for a wide range of protocols. The harvested data is then sold to other cybercriminals, primarily as a precursor to ransomware attacks.
The FortiBleed campaign is a prime example of the industrialization of cybercrime, using a sophisticated, five-phase automated pipeline to harvest credentials at scale.
1. Masscan and Shodan_Recon are used to identify internet-exposed FortiGate firewall management interfaces.
2. Using a custom login tool (mpbrute2.bin), the pipeline systematically attempts to log in to the identified devices. This phase targets the low-hanging fruit: devices with weak, default, or previously breached passwords.
3. After a successful login, the attackers deploy the FortigateSniffer tool to the compromised device.
4. The FortigateSniffer tool executes a legitimate FortiOS diagnostic command (diagnose sniffer packet any ...) to capture network traffic passing through the firewall. It is configured to filter for authentication traffic for 24 different protocols, including NTLM, Kerberos, RADIUS, LDAP, POP3, IMAP, and various database protocols.
This campaign is a masterclass in exploiting poor security hygiene rather than software flaws. The primary initial access vector is T1110.003 - Brute Force: Password Spraying and T1110.001 - Brute Force: Password Guessing. The attackers are not breaking the software; they are simply walking in through unlocked doors.
Once inside, the core of the operation is T1040 - Network Sniffing. The attackers cleverly abuse a legitimate, built-in administrative tool to achieve this, a technique known as Living off the Land; the diagnostic command is run via T1059.004 - Command and Scripting Interpreter: Unix Shell. This makes the malicious activity difficult to distinguish from normal administrative actions, providing a high degree of stealth.
The ultimate goal is credential access on a massive scale. The sniffer targets a wide array of credentials, falling under T1003 - OS Credential Dumping and its sub-techniques, as it captures credentials for domain accounts (NTLM, Kerberos) and other services. The entire operation serves as a prelude to more severe attacks, with the IAB acting as a specialist in T1078 - Valid Accounts, which are then sold to ransomware operators.
The success of FortiBleed is a sobering reminder that even the most secure network appliances are only as strong as the passwords and policies used to protect them.
The compromise of a perimeter firewall like FortiGate is a worst-case scenario for network security. The impact is catastrophic:
Security teams may want to hunt for the following patterns to identify FortiBleed activity:
command_line_pattern: diagnose sniffer packet
process_name: FortigateSniffer
log_source: FortiGate Admin Login Logs
network_traffic_pattern: Outbound connections from firewall mgmt interface

Hunt for executions of the diagnose sniffer packet command. Legitimate use is typically for short-term troubleshooting; any long-running or recurring instances are highly suspicious. Also look for the FortigateSniffer file or any other unrecognized binaries in writable directories.

D3FEND techniques mapped to the countermeasures for this campaign: D3-ANET - Authentication Event Thresholding; D3-SPP - Strong Password Policy; D3-MFA - Multi-factor Authentication.

The FortiBleed campaign has been directly linked to the INC and Lynx ransomware groups, with stolen credentials facilitating at least 12 ransomware deployments.
Enforcing MFA on all administrative interfaces is the single most effective control to prevent the initial access vector used in this campaign.
Mapped D3FEND Techniques: D3-MFA - Multi-factor Authentication
Implementing and enforcing a strong password policy prevents attackers from succeeding with brute-force and password guessing attacks.
Mapped D3FEND Techniques: D3-SPP - Strong Password Policy
Restricting access to management interfaces from the internet drastically reduces the attack surface available to automated scanners.
Mapped D3FEND Techniques:
The FortiBleed campaign's success hinges entirely on the absence of MFA. The most critical and immediate countermeasure is to enable and enforce phishing-resistant MFA for all administrative access to FortiGate devices. This includes the web GUI, SSH, and any other management protocols. Requiring a second factor renders attackers' automated credential stuffing and brute-force attacks ineffective, even if they possess a valid password. Organizations should prioritize FortiGate devices with internet-exposed management interfaces. This single control would have prevented the initial access phase of this entire campaign, demonstrating its immense value as a foundational security measure.
To defend against the brute-force and password guessing techniques at the core of FortiBleed, a strong password policy is essential. This policy should be enforced on all FortiGate local administrator accounts. It must mandate long passwords (e.g., 15+ characters), complexity (including uppercase, lowercase, numbers, and symbols), and a history to prevent reuse. Crucially, organizations must audit for and eliminate all default or weak passwords (e.g., 'fortinet', 'admin'). Combining this with an account lockout policy (e.g., locking an account for 15 minutes after 5 failed attempts) can significantly slow down and deter automated brute-force attacks, making them impractical for attackers.
To detect the brute-force attempts characteristic of the FortiBleed campaign, security teams must implement authentication event thresholding. This involves forwarding FortiGate authentication logs to a SIEM and creating rules that alert on a high volume of failed login attempts from a single source IP address within a short time window. For example, an alert could trigger if more than 10 failed logins occur from one IP in under a minute. Additionally, create rules to detect password spraying: multiple failed logins for different usernames originating from the same IP. These alerts provide an early warning of an active attack, allowing security teams to block the source IP before a successful breach occurs.
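The thresholding and spraying rules described above, as an added Python example that is not part of the original article: it parses constructed log lines written in the FortiOS key=value event style (the field names are assumptions; check them against your own FortiGate logs) and flags a source IP that produces more than 10 failed logins within 60 seconds, or failures against 5 or more distinct usernames.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the FortiOS key=value syslog style (not real captures).
# Field names mirror FortiOS admin-login events as assumed here; adjust to your own logs.
SAMPLE_LOGS = [
    f'date=2026-03-01 time=10:00:{i:02d} logid="0100032002" type="event" subtype="system" '
    'logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed"'
    for i in range(12)                      # 12 failures for one user within 12 seconds
] + [
    f'date=2026-03-01 time=10:05:{i:02d} logid="0100032002" type="event" subtype="system" '
    f'logdesc="Admin login failed" user="{u}" srcip=203.0.113.9 action="login" status="failed"'
    for i, u in enumerate(["admin", "fortinet", "backup", "helpdesk", "root", "svc_mon"])
] + [
    'date=2026-03-01 time=10:07:00 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" srcip=192.0.2.10 action="login" status="success"'
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split a FortiOS-style key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def detect(lines, threshold=10, window=timedelta(seconds=60), spray_users=5):
    """Return (alert_type, srcip) tuples: 'brute_force' when more than `threshold`
    failed logins from one IP fall inside `window`; 'password_spray' when failures
    from one IP cover at least `spray_users` distinct usernames."""
    fails = defaultdict(list)  # srcip -> [(timestamp, user), ...]
    for rec in map(parse, lines):
        if rec.get("action") == "login" and rec.get("status") == "failed":
            ts = datetime.fromisoformat(f'{rec["date"]} {rec["time"]}')
            fails[rec["srcip"]].append((ts, rec["user"]))
    alerts = []
    for ip, events in fails.items():
        events.sort()
        start = 0  # left edge of a sliding time window over the sorted failures
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append(("brute_force", ip))
                break
        if len({user for _, user in events}) >= spray_users:
            alerts.append(("password_spray", ip))
    return alerts
```

Running detect(SAMPLE_LOGS) raises a brute_force alert for 198.51.100.7 and a password_spray alert for 203.0.113.9, while the single successful login from 192.0.2.10 is ignored.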
The 'FortiBleed' campaign is believed to have started.
Security researchers publish details about the massive FortiBleed campaign.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.