FortiBleed: Massive Attack Compromises Fortinet Firewalls

An extensive cyber espionage campaign, dubbed “FortiBleed,” has covertly compromised over 73,932 unique Fortinet firewall URLs across 194 countries.

Originally uncovered by security researcher Volodymyr “Bob” Diachenko and subsequently analyzed by Hudson Rock, this dataset reveals a highly automated, industrial-scale operation targeting FortiGate devices and SSL VPN gateways on an unprecedented global scale.

Threat actors executed an estimated 1.16 billion credential-based attempts against over 320,000 FortiGate targets, while simultaneously launching an additional 2.1 billion brute-force attempts against more than 160,000 MSSQL servers, resulting in 21,632 unique compromised domains.

This campaign is attributed to a multi-operator, Russian-speaking cybercriminal group whose methodology goes well beyond simple credential stuffing.

The group systematically swept the internet for exposed Fortinet instances, testing them against vast repositories of historical credential leaks harvested by infostealer malware.

Once an initial foothold is established, attackers pivot directly into internal Active Directory environments, enabling deep, persistent network access that survives routine security checks.

One of the campaign’s most alarming technical vectors is the active interception of SSL VPN authentication hashes, which are subsequently cracked offline using a dedicated 45-GPU cluster managed via Hashtopolis.

This means even organizations that believe their encrypted credentials are safe are actively exposed. Once the perimeter is breached, operators monitor traversing traffic to harvest additional logins, creating a self-reinforcing cycle of unauthorized access.

The scope of confirmed victims touches virtually every sector of the global economy. Diachenko’s research confirmed full network compromises at organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey, most critically, including a Turkish NATO defense contractor from which classified defense documents were successfully exfiltrated.

The attackers’ verified credential database includes some of the largest enterprises on the planet:

• Technology & Manufacturing: Foxconn, Samsung, Siemens, Lenovo, Oracle
• Professional Services: PwC, Accenture
• Telecommunications: Comcast
• and thousands of government entities and critical infrastructure providers

Perhaps the most sobering takeaway from this dataset is that password complexity offered zero protection. A significant volume of highly complex, 20-character passwords was successfully compromised not by cracking them from scratch, but because they already existed in plaintext within previously harvested infostealer databases.

When credentials are stolen at the endpoint level before encryption is applied, no amount of complexity saves them. This fundamentally undermines the “strong password” policy as a perimeter defense strategy.

Hudson Rock launched a specialized online portal designed specifically for organizations to easily verify whether their domains are included in the database.

Mitigation Steps

Organizations running Fortinet devices must treat this as a critical, active threat and act immediately:

• Force Credential Rotation: Reset all Fortinet VPN and admin interface passwords without delay; complexity is irrelevant if credentials have already leaked.
• Enforce Universal MFA: Apply Multi-Factor Authentication across all external gateways to neutralize stolen plaintext credentials.
• Audit Gateway Logs: Review Fortinet access logs for anomalous login locations, unexpected admin sessions, or unusual traffic volumes.
• Restrict Management Interface Exposure: Apply local-in policies to restrict admin panel access to trusted internal IPs only, and disable FortiCloud SSO if not essential.

The FortiBleed campaign is a stark reminder that perimeter security is only as strong as the credentials protecting it, and in a world saturated with infostealer-harvested data, the perimeter has never been more fragile.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.