'FortiBleed' Credential Harvesting Campaign Compromises Over 430,000 Fortinet Devices

FortiBleed: Massive Campaign Harvests 110M Credentials from 430,000 FortiGate Firewalls

Severity: CRITICAL
Published: June 25, 2026
Updated: July 2, 2026
6m read
Cyberattack, Data Breach, Threat Actor

Impact Scope

People Affected

Over 110 million credentials stolen from users of compromised networks

Industries Affected

Technology, Healthcare, Finance, Government, Education, Manufacturing

Geographic Impact

United States, India (global)

Related Entities (initial)

Threat Actors

Initial Access Broker (IAB)

Organizations

Fortinet, SOCRadar

Products & Tech

FortiGate, Masscan

Other

FortigateSniffer

Full Report (when first published)

Executive Summary

A large-scale, financially motivated credential harvesting operation, named "FortiBleed," has been systematically compromising Fortinet FortiGate firewalls on a global scale. Since at least February 2026, the campaign, attributed to a Russian-speaking initial access broker (IAB), has breached over 430,000 devices and exfiltrated more than 110 million credentials. The attack does not leverage a specific vulnerability. Instead, it relies on a highly automated pipeline to conduct credential stuffing and brute-force attacks against internet-facing FortiGate management interfaces that are secured with weak or default passwords and lack MFA. Once initial access is gained, the attackers deploy a custom Go-based network sniffer, FortigateSniffer, which abuses a built-in diagnostic command to passively capture credentials for a wide range of protocols. The harvested data is then sold to other cybercriminals, primarily as a precursor to ransomware attacks.


Threat Overview

The FortiBleed campaign is a prime example of the industrialization of cybercrime, using a sophisticated, five-phase automated pipeline to harvest credentials at scale.

  1. Reconnaissance: The IAB uses mass scanning tools like Masscan and Shodan_Recon to identify internet-exposed FortiGate firewall management interfaces.
  2. Initial Access: Using large credential dictionaries and brute-forcing tools (mpbrute2.bin), the pipeline systematically attempts to log in to the identified devices. This phase targets the low-hanging fruit: devices with weak, default, or previously breached passwords.
  3. Deployment: Upon successful login, the automation deploys the custom FortigateSniffer tool to the compromised device.
  4. Credential Harvesting: The FortigateSniffer tool executes a legitimate FortiOS diagnostic command (diagnose sniffer packet any ...), which at higher verbosity levels prints packet payloads rather than only headers, to capture network traffic passing through the firewall. It is configured to filter for authentication traffic for 24 different protocols, including NTLM, Kerberos, RADIUS, LDAP, POP3, IMAP, and various database protocols. What the attacker recovers depends on the protocol: cleartext logins (LDAP simple bind, POP3/IMAP without TLS, unencrypted database logins) yield passwords directly, whereas NTLM and Kerberos exchanges yield challenge/response hashes and encrypted pre-authentication material that must be cracked offline, and RADIUS PAP passwords are obfuscated with the RADIUS shared secret.
  5. Exfiltration and Monetization: The captured credentials are exfiltrated to an attacker-controlled server. The IAB then packages this access and data for sale on dark web forums, providing a turnkey entry point for ransomware gangs and other threat actors.

Technical Analysis

This campaign is a masterclass in exploiting poor security hygiene rather than software flaws. The initial access vector is T1110 - Brute Force in its T1110.001 (Password Guessing), T1110.003 (Password Spraying) and T1110.004 (Credential Stuffing) forms, run against management interfaces that should never have been reachable from the internet. The attackers are not breaking the software; they are simply walking in through unlocked doors.

Once inside, the core of the operation is T1040 - Network Sniffing. The attackers abuse a legitimate, built-in diagnostic tool to achieve this, a technique known as Living off the Land; the command is issued through the appliance's restricted CLI, which ATT&CK maps as T1059.008 - Command and Scripting Interpreter: Network Device CLI. Because the same command is used routinely for troubleshooting, the malicious activity is difficult to distinguish from normal administrative actions, providing a high degree of stealth.

The ultimate goal is credential access on a massive scale. Because the sniffer takes credentials from traffic in transit rather than from a host's own credential store, this is Credential Access via T1040 rather than T1003 - OS Credential Dumping; the haul covers domain accounts (NTLM, Kerberos) as well as mail, directory, RADIUS and database logins. The entire operation serves as a prelude to more severe attacks, with the IAB acting as a specialist supplier of T1078 - Valid Accounts, which are then sold to ransomware operators.

The success of FortiBleed is a sobering reminder that even a hardened perimeter appliance is only as strong as the passwords and policies used to protect its management plane.


Impact Assessment

The compromise of a perimeter firewall like FortiGate is a worst-case scenario for network security. The impact is catastrophic:

  • Loss of Confidentiality for Cleartext Traffic: The attackers can intercept any unencrypted traffic passing through the firewall, including sensitive internal communications and data. TLS-protected traffic is not exposed by the sniffer alone, which is why the campaign targets protocols still commonly run in the clear inside the perimeter.
  • Massive Credential Compromise: The theft of 110 million credentials provides attackers with keys to countless other systems, both internal and external. This includes domain administrator credentials, database logins, and email accounts.
  • Pathway to Ransomware: The primary impact is that the compromised networks are now primed for ransomware attacks. The IAB sells this access to ransomware affiliates, who can then bypass perimeter defenses and begin moving laterally inside the network immediately.
  • Widespread Targeting: The campaign affects a broad range of sectors, including IT service providers (MSPs), healthcare, finance, and government. A compromised MSP could lead to downstream breaches of all their clients, creating a massive supply chain attack.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to identify FortiBleed activity:

  • command_line_pattern: diagnose sniffer packet
    Monitor for the execution of the FortiOS packet sniffing command, especially if it runs for extended periods or is initiated by a suspicious login session.
  • process_name: FortigateSniffer
    The name of the custom Go-based tool. Hunt for this process name or associated file on the firewall's filesystem.
  • log_source: FortiGate Admin Login Logs
    Look for a high volume of failed login attempts from a single IP, or successful logins from geographically anomalous locations.
  • network_traffic_pattern: Outbound connections from firewall mgmt interface
    The management interface of a firewall should have very limited, if any, outbound internet connectivity. Any unexpected outbound traffic could be data exfiltration.

Detection & Response

  • Audit CLI Sessions: Review FortiGate audit logs for any execution of the diagnose sniffer packet command (FortiOS records executed CLI commands when cli-audit-log is enabled under config system global). Legitimate use is typically for short-term troubleshooting. Any long-running or recurring instances, or instances started from an administrative session you cannot account for, are highly suspicious.
  • Check for Rogue Processes/Files: FortiOS does not expose a general-purpose shell, so enumerate running processes from the CLI with diagnose sys top and compare the list against a known-good baseline for the same firmware version. An unfamiliar process name such as FortigateSniffer, or any process you cannot attribute to the firmware, should be treated as evidence of compromise.
  • Review Admin Logins: Analyze administrative login logs for signs of brute-forcing (many failed attempts) or successful logins from untrusted IP addresses. (D3FEND: D3-ANET - Authentication Event Thresholding)
  • Incident Response: If a compromise is suspected, immediately change all administrative passwords on the device, terminate all active sessions, and enforce MFA. Since the sniffer captures credentials passing through the firewall, a full-scale credential rotation for all domain and service accounts is strongly recommended.

Mitigation

  1. Enforce Strong, Unique Passwords: The entire campaign is predicated on weak passwords. Enforce a strong password policy for all administrative accounts on network devices. Do not use default or easily guessable passwords. (D3FEND: D3-SPP - Strong Password Policy)
  2. Mandate Multi-Factor Authentication (MFA): This is the single most effective mitigation. Enforce phishing-resistant MFA for all administrative access to FortiGate devices. This would have stopped the initial access phase of the campaign entirely. (D3FEND: D3-MFA - Multi-factor Authentication)
  3. Restrict Management Interface Access: Never expose firewall management interfaces to the public internet. Access should be restricted via strict firewall rules to a dedicated, internal management network or jump host. On FortiGate this means removing HTTPS and SSH from allowaccess on WAN-facing interfaces and configuring trusted hosts (trusthost) on every administrator account so that logins are only accepted from the management network.
  4. Regularly Rotate Credentials: Implement a policy for regular rotation of all privileged credentials, especially for critical network infrastructure.

Timeline of Events

1
February 1, 2026
The 'FortiBleed' campaign is believed to have started.
2
June 24, 2026
Security researchers publish details about the massive FortiBleed campaign.
3
June 25, 2026
This article was published

Article Updates

July 2, 2026

FortiBleed campaign directly linked to INC and Lynx ransomware groups, with stolen credentials facilitating at least 12 ransomware deployments.

MITRE ATT&CK Mitigations

Multi-factor Authentication (M1032)

Enforcing MFA on all administrative interfaces is the single most effective control to prevent the initial access vector used in this campaign.

Mapped D3FEND Techniques: D3-MFA - Multi-factor Authentication

Password Policies (M1027)

Implementing and enforcing a strong password policy prevents attackers from succeeding with brute-force and password guessing attacks.

Mapped D3FEND Techniques: D3-SPP - Strong Password Policy

Limit Access to Resource Over Network (M1035)

Restricting access to management interfaces from the internet drastically reduces the attack surface available to automated scanners.

Audit (M1047, Enterprise)

Auditing for suspicious command usage and login patterns is crucial for detecting this type of 'living off the land' attack.

Mapped D3FEND Techniques: D3-ANET - Authentication Event Thresholding

D3FEND Defensive Countermeasures

The FortiBleed campaign's success hinges entirely on the absence of MFA. The most critical and immediate countermeasure is to enable and enforce phishing-resistant MFA for all administrative access to FortiGate devices. This includes the web GUI, SSH, and any other management protocols. By requiring a second factor, attackers' automated credential stuffing and brute-force attacks are rendered ineffective, even if they possess a valid password. Organizations should prioritize FortiGate devices with internet-exposed management interfaces. This single control would have prevented the initial access phase of this entire campaign, demonstrating its immense value as a foundational security measure.

To defend against the brute-force and password guessing techniques at the core of FortiBleed, a strong password policy is essential. This policy should be enforced on all FortiGate local administrator accounts. It must mandate long passwords (e.g., 15+ characters), complexity (including uppercase, lowercase, numbers, and symbols), and a history to prevent reuse. Crucially, organizations must audit for and eliminate all default or weak passwords (e.g., 'fortinet', 'admin'). Combining this with an account lockout policy (e.g., locking an account for 15 minutes after 5 failed attempts) can significantly slow down and deter automated brute-force attacks, making them impractical for attackers.
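The lockout and password-policy settings described above, the MFA requirement from the preceding paragraph, and the management-exposure restriction from the Mitigation section can all be checked mechanically against a configuration dump. The following Python script is an added example, not code from the article, the researchers, or Fortinet: it parses the text that the FortiOS `show` command prints for `config system global`, `config system password-policy`, `config system admin` and `config system interface`, and flags the weak settings side by side with a hardened configuration. Both embedded configurations are constructed for the example, and the defaults assumed for lines absent from a dump (lockout after 3 attempts for 60 seconds, password minimum length 8) are assumptions to verify against your own firmware.

```python
"""Audit a FortiOS configuration dump for the hygiene gaps FortiBleed relies on.

Added example, not from the article or from Fortinet. Flags: admin lockout
disabled or short, password policy disabled or weak, admins without two-factor,
admins with no trusted-host restriction, and HTTPS/SSH management on a WAN-role
interface. Defaults assumed for absent lines are marked as assumptions.
"""
import shlex

WEAK_CONFIG = """\
config system global
    set admin-lockout-threshold 0
end
config system password-policy
    set status disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
end
"""  # constructed weak configuration

HARDENED_CONFIG = """\
config system global
    set admin-lockout-threshold 5
    set admin-lockout-duration 900
end
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 15
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-number 1
    set min-non-alphanumeric 1
    set reuse-password disable
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping
    next
    edit "port2"
        set role lan
        set allowaccess ping https ssh
    next
end
"""  # constructed hardened configuration


def parse_fortios(text):
    """Parse config/edit/set/next/end text into {section: {entry: {key: [values]}}}.
    Section-level sets live under entry ''. Sub-config blocks nested inside an
    entry are skipped so the top-level keys of that entry stay addressable."""
    sections, section, entry, depth = {}, None, "", 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head, _, rest = line.partition(" ")
        if head == "config":
            if section is None:
                section, entry = rest, ""
                sections.setdefault(section, {})
            else:
                depth += 1
        elif head == "end":
            if depth:
                depth -= 1
            else:
                section = None
        elif depth or section is None:
            continue
        elif head == "edit":
            entry = rest.strip('"')
            sections[section].setdefault(entry, {})
        elif head == "next":
            entry = ""
        elif head == "set":
            key, _, vals = rest.partition(" ")
            sections[section].setdefault(entry, {})[key] = shlex.split(vals)
    return sections


def first(d, key, default):
    """First value of a multi-value setting, or the assumed default if absent."""
    return d.get(key, [default])[0]


def audit(cfg):
    """Return a list of findings; an empty list means the checked settings are sane."""
    findings = []
    g = cfg.get("system global", {}).get("", {})
    threshold = int(first(g, "admin-lockout-threshold", "3"))  # assumed FortiOS default
    duration = int(first(g, "admin-lockout-duration", "60"))   # assumed default, seconds
    if threshold == 0:
        findings.append("global: admin lockout disabled")
    elif duration < 900:
        findings.append(f"global: admin lockout lasts only {duration}s (want >= 900)")
    pp = cfg.get("system password-policy", {}).get("", {})
    if first(pp, "status", "disable") != "enable":
        findings.append("password-policy: disabled")
    else:
        if int(first(pp, "minimum-length", "8")) < 15:  # assumed default 8
            findings.append("password-policy: minimum-length below 15")
        if first(pp, "reuse-password", "enable") != "disable":
            findings.append("password-policy: password reuse allowed")
    for name, a in cfg.get("system admin", {}).items():
        if not name:
            continue
        if first(a, "two-factor", "disable") == "disable":
            findings.append(f"admin {name}: no two-factor")
        hosts = [v for k, v in a.items() if k.startswith("trusthost")]
        if not hosts or any(v[:2] == ["0.0.0.0", "0.0.0.0"] for v in hosts):
            findings.append(f"admin {name}: trusted hosts unrestricted")
    for name, i in cfg.get("system interface", {}).items():
        exposed = set(i.get("allowaccess", [])) & {"http", "https", "ssh", "telnet"}
        if name and first(i, "role", "undefined") == "wan" and exposed:
            findings.append(f"interface {name}: management ({' '.join(sorted(exposed))}) on WAN role")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios(text)) or "OK")
```

Run it against the output of `show full-configuration` captured from a real device; the parser ignores sections it does not check, so the whole dump can be fed in. Treat the findings as a starting point: the hardened block still assumes a FortiToken has been assigned to the account and that a management network exists behind port2.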

To detect the brute-force attempts characteristic of the FortiBleed campaign, security teams must implement authentication event thresholding. This involves forwarding FortiGate authentication logs to a SIEM and creating rules that alert on a high volume of failed login attempts from a single source IP address within a short time window. For example, an alert could trigger if more than 10 failed logins occur from one IP in under a minute. Additionally, create rules to detect password spraying: multiple failed logins for different usernames originating from the same IP. These alerts provide an early warning of an active attack, allowing security teams to block the source IP before a successful breach occurs.
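The thresholding and spraying rules just described, together with the CLI-audit and admin-login checks from the Detection & Response section, can be expressed as one pass over the firewall's event log. The following Python script is an added example, not code from the article or from Fortinet: it parses FortiOS-style key=value event lines, keeps a sliding window of failed admin logins per source IP, and raises alerts for a failure burst, a password spray (many usernames from one IP), a success following failures, and any audited command containing the sniffer invocation. The log lines are constructed inline; the logid values and the shape of the CLI-audit line carrying the command are assumptions to confirm against your own firewall's output before deploying the logic in a SIEM.

```python
"""Authentication event thresholding and sniffer-command hunting over FortiGate-style logs.

Added example, not from the article or from Fortinet. The sample log below is
constructed in the FortiOS key=value event-log style; logid values and the CLI
audit line format are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event_time(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def detect(lines, window_s=60, fail_threshold=10, spray_users=5):
    """Return (kind, srcip, detail) alerts in log order:
    brute_force             >= fail_threshold failed admin logins from one IP within window_s
    password_spray          >= spray_users distinct usernames failed from one IP within window_s
    success_after_failures  a successful login from an IP that failed within the window
    sniffer_command         an audit line whose msg contains the FortiOS sniffer command
    """
    alerts, fired = [], set()
    recent = defaultdict(deque)  # srcip -> deque of (time, user) for failures in the window
    for line in lines:
        rec = parse_line(line)
        if "diagnose sniffer packet" in rec.get("msg", ""):
            alerts.append(("sniffer_command", rec.get("srcip", "?"),
                           f"user={rec.get('user')} cmd={rec['msg']}"))
            continue
        if rec.get("action") != "login":
            continue
        ts, ip = event_time(rec), rec["srcip"]
        q = recent[ip]
        while q and ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()  # slide the window forward
        if rec.get("status") == "failed":
            q.append((ts, rec.get("user", "")))
            if len(q) >= fail_threshold and (ip, "brute_force") not in fired:
                fired.add((ip, "brute_force"))
                alerts.append(("brute_force", ip, f"{len(q)} failures within {window_s}s"))
            users = {u for _, u in q}
            if len(users) >= spray_users and (ip, "password_spray") not in fired:
                fired.add((ip, "password_spray"))
                alerts.append(("password_spray", ip, f"{len(users)} usernames within {window_s}s"))
        elif rec.get("status") == "success" and q:
            alerts.append(("success_after_failures", ip,
                           f"user={rec.get('user')} after {len(q)} failures"))
    return alerts


def _login(time, srcip, user, ok, date="2026-06-20"):
    """Constructed FortiOS-style admin login event (logids 32001/32002 assumed)."""
    status, logid, level = ("success", "0100032001", "information") if ok else ("failed", "0100032002", "alert")
    return (f'date={date} time={time} logid="{logid}" type="event" subtype="system" level="{level}" '
            f'logdesc="Admin login {status}" user="{user}" ui="https({srcip})" method="https" '
            f'srcip={srcip} action="login" status="{status}"')


SAMPLE_LOG = (
    [_login("09:58:00", "10.10.0.5", "admin", True)]                                     # benign admin
    + [_login(f"10:00:{2 * i:02d}", "203.0.113.10", "admin", False) for i in range(12)]  # brute force
    + [_login("10:00:40", "203.0.113.10", "admin", True)]                                # attacker gets in
    + ['date=2026-06-20 time=10:02:00 type="event" subtype="system" level="notice" user="admin" '
       'srcip=203.0.113.10 msg="diagnose sniffer packet any \'port 389 or port 110\' 3 0"']  # assumed audit shape
    + [_login(f"10:05:{3 * i:02d}", "198.51.100.7", u, False)
       for i, u in enumerate(["admin", "fortinet", "root", "support", "maint"])]          # password spray
)

if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(f"{kind:24} {ip:15} {detail}")
```

The success-after-failures rule is the one worth paging on: a burst of failures alone is background noise on any internet-facing interface, but a success from the same source inside the window is exactly the pipeline's step 2 completing, and it should trigger immediate session termination and a credential reset rather than a ticket.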


Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

FortiBleed, Fortinet, FortiGate, Credential Harvesting, Initial Access Broker, Brute Force, MFA
