
Ethical Hacking News

FortiBleed: A Sophisticated Cyber Attack Campaign Targeting Fortinet Firewalls




A recent cyber attack campaign known as FortiBleed has targeted over 430,000 Fortinet firewalls globally, resulting in the identification of over 110 million credentials. The operation involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls. This campaign is part of a broader initial access operation that targets multiple sectors and regions, including small and medium-sized businesses.

  • FortiBleed is a sophisticated cyber attack campaign targeting over 430,000 Fortinet firewalls globally.
  • The operation involves collecting credential lists, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls.
  • The primary objective is to capture cleartext and hashed credentials from traffic passing through compromised devices.
  • A Golang-based tool called FortigateSniffer takes advantage of the FortiOS built-in diagnostic command to passively capture authentication traffic.
  • Another open-source framework, CyberStrike, was used in connection with this campaign to assist with some parts of the workflow.
  • The attackers focus on small and medium-sized businesses (SMBs) in various sectors and regions, including the United States and India.
  • The operation is part of a broader initial access operation targeting multiple vendors' devices.
  • Over 110 million credentials were harvested as part of the campaign.
  • The FortiBleed campaign consists of five stages: reconnaissance, compromising devices, deploying FortigateSniffer, cracking password hashes, and lateral movement.



    In a recent revelation, cybersecurity experts have identified a sophisticated cyber attack campaign known as FortiBleed that has been targeting over 430,000 Fortinet firewalls globally. The operation, which began in February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls.

    According to the threat actors behind this campaign, their primary objective is to capture cleartext and hashed credentials from traffic passing through compromised devices. The actors then crack, validate, and reuse these credentials against Active Directory domains and other exposed services. Central to this operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command "diagnose sniffer packet" to passively capture authentication traffic from infected appliances.

    The FortigateSniffer tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract the credentials. It has been reported that another open-source framework called CyberStrike was used in connection with this campaign to assist with some parts of the workflow. Moreover, an AI-native offensive security platform dubbed CyberStrikeAI was utilized in conjunction with an automated mass scanning campaign targeting FortiGate devices, which Amazon Threat Intelligence disclosed earlier this year.

    The threat actors' focus on small and medium-sized businesses (SMBs) is noteworthy, as they target multiple sectors and regions, including the United States and India. The IT services sector appears to be a key target, with the actor aiming to maximize downstream access by compromising service providers that can create entry points into customer environments.

    It is also worth noting that FortiBleed is part of a broader, multi-vendor initial access operation aimed at not only targeting Fortinet devices but also breaching Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers using automated brute-forcing since February 28, 2026.

    The attackers launched at least 659 credential-harvesting pipelines on May 31 and June 15, 2026, resulting in the identification of over 110 million credentials. This included 14.8 million Remote Authentication Dial-In User Service (RADIUS) credentials, 924,000 NTLM hashes, 130,000 Kerberos hashes, and 89 million MySQL authentication tokens.

    The FortiBleed campaign is divided into five stages. The first is widespread reconnaissance using tools like Masscan and Shodan to identify vulnerable internet-facing FortiGate firewalls. The second is compromising those devices with a credential checker named "forticheck" that targets FortiGate's administrative panel and SSL-VPN portal, along with tools that obtain administrative SSH access via credential stuffing and dictionary attacks.

    Upon establishing access via SSH, FortigateSniffer is deployed to passively intercept authentication traffic across 24 protocols. The captured password hashes are cracked using Hashcat and Hashtopolis, orchestrated by a Telegram bot named HASHBOT, after which they are used for lateral movement and Active Directory enumeration. Sensitive data from network shares is exfiltrated, while stolen session cookies are used to maintain persistent, authenticated access.
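    The stages above describe a sequence a defender can look for in firewall logs: a burst of failed administrator logins from one source, a successful login from the same source, and then the built-in packet sniffer being started over that session. The Python below is an added illustration, not code from the article or from any tool it names; the FortiGate-style key=value log lines, their field names (including the "cli" field) and the thresholds are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a FortiGate-style key=value syslog format. Field names
# and values are assumptions for this example, not taken from the article or a real device.
SAMPLE_LOGS = [
    'date=2026-05-19 time=02:10:01 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 ui="https" status="failed"',
    'date=2026-05-19 time=02:10:03 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 ui="https" status="failed"',
    'date=2026-05-19 time=02:10:04 logdesc="Admin login failed" user="fortinet" srcip=203.0.113.7 ui="https" status="failed"',
    'date=2026-05-19 time=02:10:06 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 ui="https" status="failed"',
    'date=2026-05-19 time=02:10:09 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 ui="https" status="failed"',
    'date=2026-05-19 time=02:10:20 logdesc="Admin login successful" user="admin" srcip=203.0.113.7 ui="ssh" status="success"',
    'date=2026-05-19 time=02:11:05 logdesc="CLI command executed" user="admin" srcip=203.0.113.7 ui="ssh" cli="diagnose sniffer packet any"',
    'date=2026-05-19 time=09:00:00 logdesc="Admin login successful" user="netops" srcip=10.0.0.5 ui="https" status="success"',
]

# key=value pairs, where the value is either "quoted text" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value log line into a dict, stripping the quotes."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}

def detect(lines, fail_threshold=4, window=timedelta(minutes=10)):
    """Flag the FortiBleed-style sequence: repeated failed admin logins from one
    source, then a success from that source, then a packet sniffer started."""
    alerts, failures, suspects = [], defaultdict(list), set()
    for ev in map(parse, lines):
        ts = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        src = ev.get("srcip", "?")
        if ev.get("status") == "failed":
            # keep only failures inside the sliding window, then add this one
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
        elif ev.get("status") == "success" and len(failures[src]) >= fail_threshold:
            suspects.add(src)
            alerts.append(("credential_stuffing_success", src, ev["user"], ts))
        if "diagnose sniffer packet" in ev.get("cli", ""):
            # a sniffer started from a source that just brute-forced its way in is the worst case
            severity = "critical" if src in suspects else "high"
            alerts.append((f"sniffer_started:{severity}", src, ev["user"], ts))
    return alerts

if __name__ == "__main__":
    for kind, src, user, ts in detect(SAMPLE_LOGS):
        print(f"{ts} {kind} src={src} user={user}")
```

    On the sample data this yields two alerts: the successful login after five failures from 203.0.113.7, and the sniffer start from that same source rated critical; the ordinary netops login produces nothing.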

    A notable aspect of this operation is the group's approach to targeting specific sectors and regions, as well as their focus on maximizing downstream access by compromising service providers that can create entry points into customer environments.

    Furthermore, it has been reported that the FortiGate-related capture cycle commenced on May 19, 2026, with the hash cracking infrastructure set up towards the end of the month. The operation runs as a pipeline of 300-minute (five-hour) cycles, with status updates every minute.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/FortiBleed-A-Sophisticated-Cyber-Attack-Campaign-Targeting-Fortinet-Firewalls-ehn.shtml

  • https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html

  • https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposure


  • Published: Tue Jun 23 15:51:33 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
