A massive cyber espionage operation, referred to as ‘FortiBleed’, has compromised over 73,932 unique Fortinet firewall URLs worldwide. This extensive attack spans 194 countries, illustrating the scale and reach of the operation. The breach was initially identified by security researcher Volodymyr ‘Bob’ Diachenko and further analyzed by Hudson Rock, revealing an industrial-scale targeting of FortiGate devices and SSL VPN gateways.
Details of the FortiBleed Campaign
The attackers executed approximately 1.16 billion credential-based attempts against more than 320,000 FortiGate targets. In addition, over 2.1 billion brute-force attempts were launched against 160,000 MSSQL servers, leading to the compromise of 21,632 unique domains. These attacks are attributed to a Russian-speaking cybercriminal group that employed methods going well beyond simple credential stuffing.
The group systematically scanned the internet for exposed Fortinet instances, testing them against vast databases of historical credential leaks collected by infostealer malware. Once access was gained, attackers could infiltrate internal Active Directory environments, maintaining persistent network access despite standard security measures.
Technical Vectors and Global Impact
A key aspect of the campaign was the interception of SSL VPN authentication hashes, which were cracked offline using a powerful GPU cluster managed through Hashtopolis. This method turned organizations’ hashed credentials into plaintext logins, allowing the attackers to continuously harvest additional accounts. The breach affected numerous sectors, including technology, manufacturing, professional services, telecommunications, and government entities worldwide.
Notably, organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey were compromised, including a Turkish NATO defense contractor from which classified documents were stolen. The attackers accumulated a database of credentials from major enterprises, highlighting the ineffectiveness of complex passwords when credentials are compromised at the endpoint level.
Mitigation Steps for Organizations
Given the severity of the FortiBleed campaign, organizations using Fortinet devices must take immediate action. It is crucial to reset all Fortinet VPN and admin passwords, regardless of their complexity, as they may have been compromised. Implementing Multi-Factor Authentication (MFA) across all external gateways is also essential in neutralizing stolen credentials.
Additionally, organizations should audit Fortinet access logs for any irregularities, such as unexpected login locations or unusual traffic volumes. Restricting management interface exposure to trusted internal IPs and disabling unnecessary FortiCloud SSO accounts is also recommended to enhance security.
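One way to carry out the log audit described above, as an added example that is not from the article or from Fortinet: a small Python script that parses FortiGate-style key=value SSL VPN event lines, counts failed logins per source address, and flags sources that tried many accounts, successful logins that followed such a spray from the same source, and logins from outside an assumed trusted range. The sample lines, the field names (subtype, action, user, remip) and the trusted prefix are constructed assumptions, so check them against your own FortiGate output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, not from the article. The key=value layout and field
# names (subtype, action, user, remip) are assumed from FortiOS SSL VPN event logs.
SAMPLE_LOGS = """\
date=2025-01-10 time=08:01:02 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=203.0.113.5
date=2025-01-10 time=08:01:03 type="event" subtype="vpn" action="ssl-login-fail" user="asmith" remip=203.0.113.5
date=2025-01-10 time=08:01:04 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip=203.0.113.5
date=2025-01-10 time=08:01:05 type="event" subtype="vpn" action="ssl-login-fail" user="rpatel" remip=203.0.113.5
date=2025-01-10 time=08:01:06 type="event" subtype="vpn" action="ssl-login-fail" user="kwhite" remip=203.0.113.5
date=2025-01-10 time=08:01:09 type="event" subtype="vpn" action="tunnel-up" user="asmith" remip=203.0.113.5
date=2025-01-10 time=09:15:00 type="event" subtype="vpn" action="ssl-login-fail" user="cchen" remip=198.51.100.20
date=2025-01-10 time=09:15:20 type="event" subtype="vpn" action="tunnel-up" user="cchen" remip=198.51.100.20
date=2025-01-10 time=10:02:11 type="event" subtype="vpn" action="tunnel-up" user="bwong" remip=192.0.2.77
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one FortiGate-style key=value line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def audit_vpn_logs(log_text, fail_threshold=5, distinct_users=3,
                   trusted_prefixes=("198.51.100.",)):
    """Flag spraying sources, logins that followed a spray, and logins from untrusted IPs."""
    fails = Counter()                 # failed SSL VPN logins per source IP
    users_per_ip = defaultdict(set)   # distinct accounts tried per source IP
    successes = []                    # (ip, user) for every established tunnel
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn":
            continue
        ip, user = ev.get("remip"), ev.get("user")
        if ev.get("action") == "ssl-login-fail":
            fails[ip] += 1
            users_per_ip[ip].add(user)
        elif ev.get("action") == "tunnel-up":
            successes.append((ip, user))
    # Many failures, or many different usernames, from one IP marks a spraying source
    spraying = {ip for ip in fails
                if fails[ip] >= fail_threshold or len(users_per_ip[ip]) >= distinct_users}
    return {
        "spraying_ips": sorted(spraying),
        # A success from a spraying IP is the account to reset first
        "likely_compromised": sorted(s for s in successes if s[0] in spraying),
        "untrusted_logins": sorted(s for s in successes if not s[0].startswith(trusted_prefixes)),
    }
```

On the sample data the script reports 203.0.113.5 as a spraying source, asmith as the account that then logged in from it, and both asmith and bwong as logins from outside the trusted range; a single mistyped password (cchen) is not flagged.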
The FortiBleed attack underscores the vulnerability of perimeter security, especially in an era where infostealer-harvested data is prevalent. Organizations must adopt robust security measures to protect against future threats and safeguard sensitive information.
