TL;DR — The short, ridiculous version
Meet FortiBleed: a large-scale credential-harvesting hustle that hit hundreds of thousands of FortiGate firewalls and scooped up an eye-watering pile of logins. Think of it as a very rude stalker for network credentials — sniffing traffic, cracking hashes, and trying those logins everywhere else like it just discovered a cheat code.
The campaign favored small and medium-sized businesses, sliced through a variety of internet-facing appliances, and collected credentials in the tens of millions. Attackers ran automated pipelines, reused credentials for lateral access, and even added time-of-day and country filters so they didn’t wake up ops teams at 3 a.m. (how considerate… sort of).
How the campaign worked (stages, tools, and weirdness)
This wasn’t a single script kiddie on a caffeine bender — it was a fairly industrialized operation with multiple phases. The attackers combined big scans, credential stuffing, in-place sniffing using the firewall’s own debugging features, and automated cracking and reuse.
- Wide reconnaissance using mass-scanning tools to find internet-facing devices and then filtering targets by vendor and country.
- Credential stuffing and brute-force attacks against admin panels, SSL-VPNs, SSH, and other exposed logins to get an initial foothold.
- Once inside, the operator deployed a Go-based sniffer called FortigateSniffer that leverages FortiOS diagnostic commands to passively capture authentication traffic across many protocols (RADIUS, Kerberos, SMB, LDAP, RDP, MySQL, and more).
- Captured hashes and cleartext secrets were cracked with automated tooling, coordinated by bots and orchestration systems, then tested and reused for lateral movement and directory enumeration.
- Successful victims had sensitive shares plundered and valid session cookies reused to maintain access — in short, persistence and data theft.
Some operational quirks worth noting:
- Targets were ranked by perceived value (they didn’t waste time on worthless boxes).
- Operations were geofenced and time-limited (e.g., working hours in a particular timezone) to reduce detection risk.
- The campaign was multi-vendor: besides FortiGate, the actors also swept for NAS devices, other firewalls, remote access portals, and databases.
- Repeated username/password combinations across many IPs suggest some credentials may have been intentionally seeded as covert backdoors.
Credential haul highlights from the operation included:
- Approximately 110 million+ total credentials identified in the pipelines
- ~14.8 million RADIUS credentials
- ~924,000 NTLM hashes
- ~130,000 Kerberos hashes
- ~89 million MySQL authentication tokens
So what should you actually do?
If you run or manage internet-facing appliances, don’t panic but do act like you need new pants: fast and responsible.
- Patch and update FortiOS and any exposed appliance firmware immediately.
- Harden remote access: use strong, unique passwords, turn on MFA where possible, and rate-limit or block login attempts from suspicious sources.
- Inspect logs and look for unusual SSH/API activity, odd diagnostic command use, or evidence of sniffers and unknown scheduled jobs.
- Change credentials that might have leaked, especially ones used across multiple systems, and rotate service account passwords.
- Segment networks so a compromised appliance can’t easily turn into a pivot point to your AD or internal databases.
- Consider threat hunting for signs of credential reuse, newly created accounts, or exfiltration patterns; pay attention to repeated username/password pairs that crop up everywhere.
Finally, if you spot a sale or broker posting that claims access to appliances en masse, treat it as a signal to investigate — and maybe go have a celebratory coffee after you secure things. Cybercriminals love scale, but you can make their job much harder with basic hygiene and quick response.