A significant credential theft operation, dubbed FortiBleed, has targeted over 430,000 FortiGate firewalls globally. The operation, believed to be orchestrated by a financially motivated, Russian-speaking initial access broker, has led to the harvesting of more than 110 million credentials since its inception in February 2026.
How the FortiBleed Operation Works
FortiBleed employs a variety of techniques to compromise FortiGate firewalls. The operation starts by identifying vulnerable systems using tools like Masscan and Shodan. Once located, attackers use a custom utility called FortiProbe-fast to filter these systems and categorize them by region.
Subsequently, the attackers breach these devices through credential stuffing and dictionary attacks, deploying a tool named “forticheck” that specifically targets administrative panels and SSL-VPN portals. Upon gaining access, they use a Golang-based tool, FortigateSniffer, to capture authentication traffic, abusing the FortiOS diagnostic command for passive monitoring.
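As an added defender-side illustration, not part of the original report or of any tool it names, the following Python flags sources that produce the failed-login pattern described above against both surfaces, the admin panel and the SSL-VPN portal. The log lines are constructed, and the field names (action, status, user, remip, srcip) and the thresholds are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key=value event-log format; field
# names are assumptions for this example, not real device captures.
SAMPLE_LOGS = """\
date=2026-03-01 time=10:00:01 subtype="vpn" action="ssl-login-fail" user="admin" remip="198.51.100.7"
date=2026-03-01 time=10:00:02 subtype="vpn" action="ssl-login-fail" user="backup" remip="198.51.100.7"
date=2026-03-01 time=10:00:03 subtype="vpn" action="ssl-login-fail" user="sales" remip="198.51.100.7"
date=2026-03-01 time=10:00:04 subtype="vpn" action="ssl-login-fail" user="vpnuser" remip="198.51.100.7"
date=2026-03-01 time=10:00:05 subtype="vpn" action="ssl-login-fail" user="test" remip="198.51.100.7"
date=2026-03-01 time=10:01:00 subtype="system" action="login" status="failed" user="admin" srcip="203.0.113.9"
date=2026-03-01 time=10:01:01 subtype="system" action="login" status="failed" user="admin" srcip="203.0.113.9"
date=2026-03-01 time=10:01:02 subtype="system" action="login" status="failed" user="admin" srcip="203.0.113.9"
date=2026-03-01 time=10:01:03 subtype="system" action="login" status="failed" user="admin" srcip="203.0.113.9"
date=2026-03-01 time=10:01:04 subtype="system" action="login" status="failed" user="admin" srcip="203.0.113.9"
date=2026-03-01 time=10:02:00 subtype="vpn" action="ssl-login-fail" user="alice" remip="192.0.2.44"
date=2026-03-01 time=10:02:30 subtype="vpn" action="ssl-login" user="alice" remip="192.0.2.44"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value line into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def is_failed_login(ev):
    """Failed SSL-VPN portal logins plus failed admin-panel logins (assumed field values)."""
    return (ev.get("action") == "ssl-login-fail"
            or (ev.get("action") == "login" and ev.get("status") == "failed"))

def detect(log_text, min_failures=5, min_users=3):
    """Return {source_ip: (kind, failures, distinct_users)} for noisy sources: many usernames
    from one source suggests credential stuffing, many failures on one account a dictionary attack."""
    failures, users = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not is_failed_login(ev):
            continue
        ip = ev.get("remip") or ev.get("srcip") or "unknown"
        failures[ip] += 1
        users[ip].add(ev.get("user", ""))
    alerts = {}
    for ip, n in failures.items():
        if n >= min_failures:
            kind = "stuffing" if len(users[ip]) >= min_users else "dictionary"
            alerts[ip] = (kind, n, len(users[ip]))
    return alerts
```

Successful logins and low-volume sources are ignored, so the single failure followed by a success from 192.0.2.44 produces no alert at the default thresholds.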
Targets and Tools
The campaign has focused primarily on Small and Medium Businesses (SMBs) with fewer than 200 employees, particularly in the United States and India. The IT services sector is notably at risk, providing potential pathways into customer environments through compromised service providers.
FortiBleed’s toolset includes open-source platforms such as CyberStrike and CyberStrikeAI, which support parts of the operation’s workflow. The campaign also employs automated brute-forcing against a range of devices beyond Fortinet, including Synology NAS and Citrix SSL-VPNs.
Implications and Future Outlook
The operation involves executing up to 659 credential-harvesting pipelines, with attackers reportedly cracking password hashes using tools like Hashcat and Hashtopolis. A Telegram bot named HASHBOT orchestrates these efforts, facilitating lateral movement and Active Directory enumeration.
Reports indicate that the group ranks targets based on their economic value, allocating resources for exploitation accordingly. The operation is restricted to specific IP ranges and operates within defined time frames, indicating a highly organized attack structure.
The discovery of repeated username and password pairs across numerous IP addresses suggests the potential use of these credentials as backdoor entry points by the attackers. Furthermore, access to thousands of Fortinet devices has been advertised on cybercriminal forums, potentially linked to the FortiBleed breach.
The implications of this breach are profound, highlighting the necessity for enhanced cybersecurity measures and vigilant monitoring of network vulnerabilities. Organizations are advised to fortify their defenses and stay informed about evolving threats to mitigate potential risks.
