Russian cyber actors have been identified as the culprits behind a significant security breach targeting FortiGate firewalls worldwide. Known as the FortiBleed campaign, this operation has jeopardized over 430,000 firewalls, as reported by SOCRadar.
Understanding the FortiBleed Campaign
The FortiBleed credential-harvesting campaign, which came to light last week, traces back to February. Initially thought to affect only Fortinet products, it has since been revealed as a broader multi-vendor attack. SOCRadar’s detailed analysis attributes the campaign to financially motivated cybercriminals operating through a complex credential and access harvesting operation.
According to SOCRadar, the attackers infiltrate exposed firewalls to capture authentication data, which they then sell. This campaign has affected over 80,000 identified targets, with more than 19,000 of them still being monitored by the attackers using a custom tool called FortigateSniffer.
Tools and Techniques of the Attackers
The investigation by SOCRadar has unveiled hundreds of servers and more than 650 credential-harvesting pipelines involved in the operation. It’s estimated that these efforts have compromised over 110 million credentials. The attackers use tools like Masscan and Shodan to identify vulnerable devices, which are then compromised through SSH brute-force attacks.
Once access is gained, the attackers deploy network sniffers to capture credentials and password hashes. The hashes are cracked and the recovered credentials are used to move further into Active Directory domains and other network services; sensitive data is exfiltrated, and stolen session cookies give the attackers persistent access to the compromised systems.
Implications and Future Outlook
The FortiBleed campaign poses a significant threat, particularly because firewalls are crucial network security components. The campaign also impacts supply chains, targeting Managed Service Providers (MSPs) and IT firms managing Fortinet devices. The campaign predominantly targets small and medium-sized businesses across various sectors, with a notable focus on the United States and India.
SOCRadar has also discovered two major credential sources used by the attackers. One source aggregates data from previous breaches alongside purchased datasets, while the other is tailored specifically for FortiGate admin accounts. The campaign’s severity was highlighted on June 15 when Kerberos hashes were cracked, leading to the exfiltration of sensitive data from a NATO-aligned defense contractor.
The potential collaboration between the Russian-speaking initial access broker and state-sponsored groups raises concerns about future attacks. As the campaign evolves, organizations must enhance their cybersecurity measures to protect against such threats.
