TL;DR — The short, ridiculous version

Meet FortiBleed: a large-scale credential-harvesting hustle that hit hundreds of thousands of FortiGate firewalls and scooped up an eye-watering pile of logins. Think of it as a very rude stalker for network credentials — sniffing traffic, cracking hashes, and trying those logins everywhere else like it just discovered a cheat code.

The campaign favored small and medium-sized businesses, sliced through a variety of internet-facing appliances, and collected credentials in the tens of millions. Attackers ran automated pipelines, reused credentials for lateral access, and even added time-of-day and country filters so they didn’t wake up ops teams at 3 a.m. (how considerate… sort of).

How the campaign worked (stages, tools, and weirdness)

This wasn’t a single script kiddie on a caffeine bender — it was a fairly industrialized operation with multiple phases. The attackers combined big scans, credential stuffing, in-place sniffing using the firewall’s own debugging features, and automated cracking and reuse.

  1. Wide reconnaissance using mass-scanning tools to find internet-facing devices and then filtering targets by vendor and country.
  2. Credential stuffing and brute-force attacks against admin panels, SSL-VPNs, SSH, and other exposed logins to get an initial foothold.
  3. Once inside, the operator deployed a Go-based sniffer called FortigateSniffer that leverages FortiOS diagnostic commands to passively capture authentication traffic across many protocols (RADIUS, Kerberos, SMB, LDAP, RDP, MySQL, and more).
  4. Captured hashes and cleartext secrets were cracked with automated tooling, coordinated by bots and orchestration systems, then tested and reused for lateral movement and directory enumeration.
  5. Successful victims had sensitive shares plundered and valid session cookies reused to maintain access — in short, persistence and data theft.

Some operational quirks worth noting:

  • Targets were ranked by perceived value (they didn’t waste time on worthless boxes).
  • Operations were geofenced and time-limited (e.g., working hours in a particular timezone) to reduce detection risk.
  • The campaign was multi-vendor: besides FortiGate, the actors also swept for NAS devices, other firewalls, remote access portals, and databases.
  • Repeated username/password combinations across many IPs suggest some credentials may have been intentionally seeded as covert backdoors.

Credential haul highlights from the operation included:

  • Approximately 110 million+ total credentials identified in the pipelines
  • ~14.8 million RADIUS credentials
  • ~924,000 NTLM hashes
  • ~130,000 Kerberos hashes
  • ~89 million MySQL authentication tokens

So what should you actually do?

If you run or manage internet-facing appliances, don’t panic but do act like you need new pants: fast and responsible.

  • Patch and update FortiOS and any exposed appliance firmware immediately.
  • Harden remote access: use strong, unique passwords, turn on MFA where possible, and rate-limit or block login attempts from suspicious sources.
  • Inspect logs and look for unusual SSH/API activity, odd diagnostic command use, or evidence of sniffers and unknown scheduled jobs.
  • Change credentials that might have leaked, especially ones used across multiple systems, and rotate service account passwords.
  • Segment networks so a compromised appliance can’t easily turn into a pivot point to your AD or internal databases.
  • Consider threat hunting for signs of credential reuse, newly created accounts, or exfiltration patterns; pay attention to repeated username/password pairs that crop up everywhere.

Finally, if you spot a sale or broker posting that claims access to appliances en masse, treat it as a signal to investigate — and maybe go have a celebratory coffee after you secure things. Cybercriminals love scale, but you can make their job much harder with basic hygiene and quick response.