FortiBleed campaign steals 110M credentials from FortiGate targets

A new report on the ongoing FortiBleed attack campaign targeting Fortinet FortiGate network appliances, published by SOCRadar on Monday, revealed that more than 110 million credentials for various services have been stolen using an array of automated tools.

The FortiBleed campaign was first identified last week when security researcher Volodymyr “Bob” Diachenko discovered the attacker’s exposed directory. Researchers at SOCRadar subsequently investigated the attacker’s infrastructure, identifying verified credentials for more than 86,644 FortiGate firewall devices and coining the name “FortiBleed.”

In the latest report, SOCRadar disclosed the full scope of the widespread attack, including a vast array of tools used by the attacker in a five-phase attack chain of reconnaissance, initial access, network sniffing, password cracking and lateral movement, and the final exfiltration of stolen information.

The report said the campaign has been ongoing since at least February 2026 and is still active, with more than 19,000 FortiGate devices still being actively monitored by the attackers. While a conclusive attribution has not been made, use of the Cyrillic alphabet suggests a potential Russian-speaking threat actor, which SOCRadar believes is likely operating as an initial access broker.

Credential stuffing operation compromises thousands of FortiGate appliances

The attacker gains initial access to FortiGate devices not through a vulnerability, but through credential stuffing using 16 dictionaries based on naming conventions associated with FortiGate administrative accounts. Targets are discovered through mass scanning of exposed devices using tools such as Masscan and Shodan_Recon, while a tool called FortiProbe-fast allows the attackers to confirm which targets are actually active FortiGate devices.

Additional fingerprinting and triaging of potential targets is performed to prioritize high-revenue organizations, with RDNS-Scan and GeoSplit used to pair target IP addresses with domain names and countries, respectively, and custom tools called match_corps.py, merge_revenue.py and build_report.py used to sort confirmed targets by income.

To facilitate automated credential stuffing, a tool called gen_rotator pairs confirmed targets with credential dictionaries and passes its output to a tool called FortiGate Credential Checker, or forticheck. Forticheck then performs authentication attempts against FortiGate admin panels and SSL-VPN portals, operating across up to 25,000 threads, while another tool, mpbrute2.bin, uses the credential dictionaries to directly target administrative SSH access with brute-forcing attempts.

‘FortigateSniffer’ monitors traffic, harvests credentials for cracking and reuse

SOCRadar found that valid SSH credentials identified by mpbrute2 attempts are subsequently used to deploy a Go-based tool called FortigateSniffer, or FGSniffer, to continuously capture authentication traffic from all networks behind the compromised firewall, across 24 protocols. This tool abuses a diagnostic command built into FortiOS — “diagnose sniffer packet” — and does not require malware to be installed on the device.

The researchers found FortigateSniffer loads a list of 237,330 working FortiGate SSH credentials as well as 6,127 devices, with about a 90% SSH validation success rate. After a successful SSH login it continuously captures authentication traffic using “diagnose sniffer packet,” converts the raw SSH terminal output, timestamps and hexadecimal packet bytes into a .pcapng file using the “SNIFTRAN” engine, and uses a Python script called “PCAP Deep Analysis Toolkit” to parse the .pcapng and extract files and credentials for specific services.

Targeted information includes NTLM hashes, Kerberos tickets, RADIUS passwords, LDAP, FTP, SMTP, IMAP, POP3, MySQL, MSSQL, SNMP and Telnet credentials, and more. The tool uses a GeoIP filter to restrict sniffing to specific IP ranges and only operates between typical business hours to help it evade detection.

Once the PCAP Deep Analysis Toolkit is done parsing credentials, it creates a “CyberStrike Harvest Summary,” which suggests the open-source, AI-powered penetration testing agent CyberStrike is used to assist some of the threat actor’s automated workflows. It outputs cleartext credentials and lists of Active Directory users as well as Hashcat-ready files for credential hashes.

A cluster of GPUs, including at least some rented from vast.ai, is used for password cracking of collected hashes, leveraging the publicly available Hashcat utility and open-source Hashtopolis platform to manage Hashcat workloads. A Python script with a Telegram-based user interface is used to orchestrate Hashcat jobs, allocating up to six GPUs per job.

A suite of Python-based credential validation tools is used to identify working Server Message Block (SMB) and Kerberos credentials and enumerate Active Directory identities, allowing the extracted credentials to be used for further lateral movement.

In the final phase, the attacker uses additional custom tools to extract files from compromised SMB servers, replay HTTP session cookies captured by FortigateSniffer to access corporate web applications, and deploy interactive remote shells leveraging SSH credentials obtained by mpbrute2 and other phases of the attack. SOCRadar observed these collection and exfiltration operations not on a mass scale, but in a select handful of cases, including in an attack targeting a NATO-aligned defense contractor.

Strong passwords, MFA, restricted management access advised for FortiBleed response

SOCRadar found that the majority of FortiBleed victims were small- and medium-sized businesses with fewer than 500 employees and with annual revenues below $100 million. The top affected countries were India and the United States, with information technology (IT) services being the sector most heavily targeted in FortiBleed attacks.

Fortinet released an advisory on June 19, which noted that the attacks relied on brute-forcing techniques against exposed devices with weak password hygiene and without multi-factor authentication (MFA) enabled. The post advised customers affected by FortiBleed to terminate all admin and VPN sessions, reset credentials, implement MFA and review their firewall and VPN configurations for unauthorized changes. It also recommended upgrading to the latest FortiGate versions, enforcing strong password policies, and restricting external management of devices to trusted hosts or removing internet-facing administration completely when possible.

The Cybersecurity and Infrastructure Security Agency (CISA) also released a FortiBleed alert, last updated on June 22, that echoes Fortinet’s recommendations, including reviewing logs for suspicious logins, accounts and lateral movement.
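The log review recommended above can be turned into a simple triage pass for the two behaviours this campaign leaves behind on the device: one source address cycling through many admin-style usernames (the credential-stuffing phase) and a later successful login from the same address followed by “diagnose sniffer packet” being run over SSH. The following is an added example, not code from SOCRadar, Fortinet or CISA; the log lines are constructed and the key=value field names (logdesc, action, status, user, srcip, ui, msg) are assumptions modelled on FortiOS event logs, so check them against your own export before relying on them.

```python
"""Triage FortiGate-style admin event logs for FortiBleed-like activity.

Added example; sample lines and field names are constructed assumptions.
"""
import re
from collections import defaultdict

# Matches key=value pairs where the value is either "quoted ..." or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: 203.0.113.7 fails across several admin-style usernames,
# then succeeds over SSH and runs the sniffer diagnostic. 198.51.100.9 is a
# single mistyped password followed by success, which should NOT be flagged.
SAMPLE_LOG = """\
date=2026-06-20 time=08:01:02 logdesc="Admin login failed" action=login status=failed user="admin" srcip=203.0.113.7 ui=https
date=2026-06-20 time=08:01:03 logdesc="Admin login failed" action=login status=failed user="fortiadmin" srcip=203.0.113.7 ui=https
date=2026-06-20 time=08:01:04 logdesc="Admin login failed" action=login status=failed user="fgtadmin" srcip=203.0.113.7 ui=https
date=2026-06-20 time=08:01:05 logdesc="Admin login failed" action=login status=failed user="netadmin" srcip=203.0.113.7 ui=https
date=2026-06-20 time=08:01:09 logdesc="Admin login successful" action=login status=success user="netadmin" srcip=203.0.113.7 ui=ssh
date=2026-06-20 time=08:02:10 logdesc="Command executed" action=execute status=success user="netadmin" srcip=203.0.113.7 ui=ssh msg="diagnose sniffer packet any 'port 88' 3"
date=2026-06-20 time=08:05:00 logdesc="Admin login failed" action=login status=failed user="admin" srcip=198.51.100.9 ui=https
date=2026-06-20 time=08:05:30 logdesc="Admin login successful" action=login status=success user="admin" srcip=198.51.100.9 ui=https
"""


def parse(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(log_text, user_threshold=3):
    """Return stuffing sources, logins that succeeded from them, and sniffer runs.

    user_threshold: how many distinct usernames one source must fail against
    before it is treated as a stuffing source (a single typo stays unflagged).
    """
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    failed_users = defaultdict(set)
    for e in events:
        if e.get("action") == "login" and e.get("status") == "failed":
            failed_users[e["srcip"]].add(e["user"])
    stuffing = {ip for ip, users in failed_users.items() if len(users) >= user_threshold}
    # A success from a stuffing source is the event worth paging on: a hit.
    hits = [(e["srcip"], e["user"], e["ui"]) for e in events
            if e.get("action") == "login" and e.get("status") == "success"
            and e["srcip"] in stuffing]
    # Sniffer abuse needs no malware, so the executed command is the artifact.
    sniffer = [(e["srcip"], e["user"], e["msg"]) for e in events
               if e.get("action") == "execute"
               and "diagnose sniffer packet" in e.get("msg", "")]
    return {"stuffing_sources": stuffing, "stuffing_hits": hits, "sniffer_runs": sniffer}
```

Any SSH session that ran the sniffer diagnostic is worth treating as a compromised device regardless of the stuffing heuristic, since the page notes the capture leaves no implant behind.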

SOCRadar emphasized that attacks are ongoing and also offers a free “FortiBleed Check” tool for organizations to determine whether their credentials appear in the known breach dataset.
