FortiBleed Credential Harvesting Campaign: Active Exploitation of FortiGate Firewalls Compromises Over 110 Million Credentials

Executive Summary

The FortiBleed campaign represents a highly sophisticated, large-scale credential harvesting operation targeting FortiGate firewalls globally. Since early 2026, a Russian-speaking, financially motivated Initial Access Broker (IAB) has compromised over 430,000 FortiGate devices, resulting in the theft of more than 110 million credentials, including cleartext and hashed passwords for protocols such as RADIUS, NTLM, Kerberos, and MySQL. The attackers leveraged a multi-stage, automated pipeline involving reconnaissance, brute-force attacks, deployment of custom sniffers, and distributed hash cracking infrastructure. The campaign’s primary targets are small and medium businesses (SMBs) and IT service providers, with a significant concentration in the United States and India. The operation’s scale, automation, and focus on credential feedback loops make it one of the most impactful credential harvesting campaigns against network perimeter devices to date.

Threat Actor Profile

The threat actor behind FortiBleed is a Russian-speaking Initial Access Broker (IAB) operating with clear financial motivation. This group is not currently attributed to a specific Advanced Persistent Threat (APT) designation but demonstrates a high degree of operational discipline and technical sophistication. The actor’s modus operandi includes automated mass scanning, credential stuffing, brute-force attacks, deployment of custom sniffers, and the use of distributed GPU-based hash cracking managed via Telegram bots and custom control panels. The group operates primarily during Moscow business hours and employs geofencing to restrict operations to specific IP ranges. The actor is also known to sell access to compromised Fortinet devices on underground forums, with prices ranging from $30,000 to $60,000 per batch, and has been observed targeting other vendors such as Synology, Sophos, Citrix, and Microsoft.

Technical Analysis of Malware/TTPs

The FortiBleed attack chain is characterized by a modular, automated workflow:

Reconnaissance is performed using tools such as Masscan, Shodan, a custom utility named FortiProbe-fast, and GeoSplit to identify internet-facing FortiGate firewalls and sort them by geography. The initial compromise phase uses a tool called forticheck to brute-force admin panels and SSL-VPN portals, combining credential stuffing and dictionary attacks for SSH access. Once access is obtained, the attackers deploy a custom FortigateSniffer (written in Golang for both Windows and Unix environments), which abuses the built-in FortiOS diagnostic command diagnose sniffer packet to capture authentication traffic across 24 protocols, including TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS.

Harvested credentials and hashes are processed through a distributed hash cracking infrastructure using tools such as Hashmat, Hashtopolis, and a Telegram bot named HASHBOT. Cracked credentials are validated and used for lateral movement, including Active Directory enumeration, Kerberos validation, and SMB authentication. The attackers maintain persistence by stealing session cookies and planting backdoor accounts, such as the repeated use of the adminin:ITAdmin@888 credential pair found on thousands of devices. Data exfiltration is achieved through automated scripts that recursively read and transfer data from network shares.

The campaign’s automation is further enhanced by a credential feedback loop, where each successful compromise yields additional credentials and hashes, fueling further exploitation. The attackers’ infrastructure is highly resilient, leveraging distributed GPU resources and automated orchestration via Telegram bots. The operation is tightly controlled, with activity restricted to Moscow business hours and specific IP ranges to minimize detection.

Exploitation in the Wild

FortiBleed has been observed in active exploitation since February 2026, with a significant uptick in activity between May 31 and June 15, 2026, during which 659 credential harvesting pipelines were launched. The attackers did not rely on zero-day vulnerabilities; instead, they exploited weak, default, or reused credentials, as well as credentials obtained from previous breaches. Notably, no new CVE was involved in the main campaign, although the related CVE-2026-24858 (a FortiCloud SSO authentication bypass) was exploited in some cases.

Compromised credentials and access to Fortinet devices have been widely advertised on underground forums by actors such as "SantaAd," with access to thousands of devices sold in bulk. The attackers have also targeted other vendors, including Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers, indicating a broad, multi-vendor campaign.

Victim organizations have reported unauthorized SSH and SSL-VPN logins from Russian IP addresses, particularly during Moscow business hours. Forensic analysis has revealed the presence of attacker-planted backdoor accounts, bulk recursive reads on SMB shares, and outbound SSH transfer patterns consistent with automated data exfiltration.

Victimology and Targeting

The primary victims of FortiBleed are small and medium businesses (SMBs) with fewer than 200 employees and IT service providers, particularly those based in the United States and India. The attackers have demonstrated a preference for targeting organizations with internet-facing FortiGate firewalls running outdated or unpatched versions of FortiOS. Compromised IT service providers are often used as access vectors into their customer environments, amplifying the campaign’s impact through supply chain compromise.

The campaign has affected organizations across at least 194 countries, with a multi-sector impact that includes healthcare, finance, education, manufacturing, and government entities. The attackers’ use of credential feedback loops and automated exploitation pipelines has enabled them to rapidly scale their operations and compromise a vast number of organizations in a short period.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by FortiBleed. Organizations should rotate all FortiGate admin and VPN credentials without delay and invalidate all active sessions. It is critical to audit configuration exports and review SSL-VPN and SSH login logs for anomalous access, particularly from Russian IP addresses or during unusual hours. Administrators should inspect Active Directory and SMB activity originating from VPN pools and scan for outbound SSH transfer patterns and bulk SMB share access.

Unknown or suspicious admin accounts, such as adminin, must be identified and removed. Multi-factor authentication (MFA) should be enabled and enforced on all FortiGate interfaces. Organizations must update to the latest FortiOS firmware (at least 7.2.11, 7.4.8, or 7.6.1) and ensure that all administrator accounts log in and change their passwords post-upgrade to enforce the use of PBKDF2 hashing. FortiCloud SSO should be disabled unless fully patched for CVE-2026-24858.

Continuous monitoring for indicators of compromise, such as repeated credential pairs, file artifacts (e.g., all_valid.txt, valid_*.txt, matched_targets*), and the presence of attacker tools (FortigateSniffer, forticheck, FortiProbe-fast), is essential. Network defenders should also monitor for unusual outbound traffic patterns and recursive file access on network shares.
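The log review described above, as an added example that is not part of the Rescana report or any Fortinet tooling: it triages constructed FortiGate-style key=value login events for the adminin backdoor account, admin accounts outside an approved list, sources outside trusted management ranges, and successful logins that fall within Moscow business hours. The sample lines, the 192.0.2.0/24 trusted range, the approved admin list, and the assumption that the device logs in UTC are all constructed for the example.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone
# Constructed sample lines, loosely modelled on FortiGate key=value event logs (not real captures).
SAMPLE_LOGS = """\
date=2026-06-03 time=06:12:41 type="event" subtype="system" logdesc="Admin login successful" user="adminin" ui="ssh(198.51.100.7)" srcip=198.51.100.7 action="login" status="success"
date=2026-06-03 time=13:45:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)" srcip=192.0.2.10 action="login" status="success"
date=2026-06-03 time=07:30:19 type="event" subtype="vpn" logdesc="SSL VPN login" user="jsmith" remip=198.51.100.8 action="login" status="success"
date=2026-06-03 time=22:05:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.9)" srcip=198.51.100.9 action="login" status="failed"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
KNOWN_ADMINS = {"admin", "netops"}                     # assumption: the org's approved admin accounts
KNOWN_BACKDOORS = {"adminin"}                          # backdoor account name reported in the campaign
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: approved management source ranges
MSK = timezone(timedelta(hours=3))                     # Moscow time, the actor's reported working hours
def parse_line(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}  # key=value pairs, quotes stripped

def source_ip(rec):
    raw = rec.get("srcip") or rec.get("remip")  # admin logins carry srcip, SSL-VPN logins remip
    return ipaddress.ip_address(raw) if raw else None

def moscow_business_hours(rec):
    """Assumes the device logs in UTC; flags 09:00-18:00 Moscow time on a weekday."""
    ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    local = ts.replace(tzinfo=timezone.utc).astimezone(MSK)
    return local.weekday() < 5 and 9 <= local.hour < 18

def triage(rec):
    # Returns the reasons a successful login deserves review; an empty list means nothing to flag.
    if rec.get("status") != "success":
        return []
    findings, user, src = [], rec.get("user", ""), source_ip(rec)
    if user in KNOWN_BACKDOORS:
        findings.append("known backdoor account")
    elif rec.get("subtype") == "system" and user not in KNOWN_ADMINS:
        findings.append("unapproved admin account")
    if src is not None and not any(src in net for net in TRUSTED_NETS):
        findings.append("source outside trusted ranges")
        if moscow_business_hours(rec):
            findings.append("during Moscow business hours")
    return findings

def review_logins(logtext):
    alerts = {}  # (user, source IP) -> findings, for every login that needs a closer look
    for line in logtext.splitlines():
        rec = parse_line(line)
        if reasons := triage(rec):
            alerts[(rec["user"], str(source_ip(rec)))] = reasons
    return alerts
```

Business hours alone are not flagged for a known admin coming from a trusted range, so the legitimate https login in the sample produces no alert while the backdoor and untrusted-source logins do.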

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization, please contact us at info@rescana.com.