ProBackend
cloud security incidents
3 hours ago10 min read

Sweeping Credential Harvesting Heist Compromises 30K Fortinet Devices Across Nearly 200 Countries

A massive credential harvesting campaign has compromised approximately 30,000 Fortinet security devices worldwide, with attackers compiling working credentials and targeting diverse sectors across nearly 200 countries.

Logan Bastion

Attackers have launched one of the most extensive credential harvesting operations in cyber history, compromising approximately 30,000 Fortinet security devices across nearly 200 countries. The scope of this campaign is unprecedented, affecting organizations in virtually every sector imaginable—from financial institutions and healthcare providers to government agencies and critical infrastructure operators.

The scale of this attack raises serious questions about supply chain security, credential management practices, and the vulnerability of perimeter defense systems in an era where attackers are increasingly focused on harvesting existing credentials rather than developing new exploits.

This article provides a comprehensive analysis of the campaign, examining how attackers managed to compromise such a large number of devices, what type of credentials they were able to collect, and what steps organizations should take to protect themselves from similar attacks in the future.

Understanding Credential Harvesting

Credential harvesting represents a fundamental shift in cyber attack methodology. Rather than investing significant resources into developing novel zero-day exploits or complex malware, threat actors are increasingly focusing on simpler but highly effective techniques: obtaining valid login credentials through various means—phishing, credential stuffing, brute-force attacks, or exploitation of vulnerable systems that store authentication data.

The attackers in this campaign appear to have combined multiple approaches, leveraging both technical vulnerabilities and social engineering tactics. Their methodology included:

  • Exploiting publicly accessible Fortinet devices with default or weak credentials
  • Deploying credential stuffing attacks using previously breached login combinations
  • Targeting forgotten or abandoned firewall instances that lack proper security configurations
  • Using automated scanners to identify vulnerable Fortinet devices and systematically testing common credential combinations

Why Fortinet Devices?

Fortinet is one of the world's largest providers of network security appliances, particularly firewalls and secure access devices. The attackers specifically targeted Fortinet devices for several reasons:

  • Widespread Deployment: With over 400,000 organizations worldwide using Fortinet solutions, the attack surface is enormous
  • Critical Position in Network Architecture: Firewalls and security appliances have privileged access to network resources and often serve as gateways to internal systems
  • Credential Storage: Many Fortinet devices store credentials for VPN connections, admin accounts, and integrated services
  • Public Accessibility: Misconfigured or poorly secured devices accessible from the internet represent easy targets for automated attacks
  • Administrative Privileges: Compromising a firewall often provides attackers with the ability to redirect traffic, perform man-in-the-middle attacks, and gain access to multiple internal systems

For additional context on security vulnerabilities and credential-based attacks, see:

The Attack Methodology: How Attackers Compromised 30K Devices

The attackers' approach to compromising Fortinet devices was characterized by automation, persistence, and strategic targeting. The campaign appears to have been executed in distinct phases, each building on the previous one to maximize impact.

Phase 1: Reconnaissance and Scanning

The campaign began with automated scanning of internet-connected devices using services like Shodan and Zoho's ZoomEye. Attackers specifically searched for:

  • Fortinet devices with default or common banner responses
  • Devices running known vulnerable firmware versions
  • Admin panels accessible on non-standard ports
  • Open VPN portals and web authentication interfaces
  • Default login pages without proper rate limiting or account lockout policies

The scanning phase was sophisticated, with attackers using multiple IP addresses and rotating proxies to avoid detection. They employed heuristics to identify devices likely to have weak or default credentials, prioritizing those running older firmware versions known to have documented vulnerabilities.

Phase 2: Credential Testing and Brute Force

Once vulnerable devices were identified, attackers launched automated credential testing attacks. This phase involved:

  • Default Credential Lists: Comprehensive databases of default username/password combinations for various Fortinet models and firmware versions
  • Credential Stuffing: Using credentials from previous breaches compiled in databases like HaveIBeenPwned
  • Password Spraying: Testing common passwords across multiple accounts to avoid account lockout policies
  • Timing Attacks: Conducting credential tests during off-peak hours to avoid triggering security alerts

The attackers appeared to have compiled an extensive credential database, likely obtained through years of previous attacks and data breaches. This allowed them to test millions of credential combinations against the identified Fortinet devices with minimal risk of detection.

Phase 3: Lateral Movement and Persistence

After gaining initial access to Fortinet devices, attackers established persistence mechanisms and began exploring the internal network:

  • Backdoor Installation: Creating administrator accounts with hardcoded credentials
  • Firmware Modification: Installing custom firmware that logs authentication attempts and exfiltrates credential data
  • Configuration Changes: Modifying firewall rules to allow continued access even if initial vulnerabilities are patched
  • Credential Extraction: Extracting stored credentials for VPN connections, admin accounts, and integrated services

The extraction of working credentials was particularly concerning, as these credentials likely provided access to other systems within targeted organizations. Attackers appear to have systematically documented each compromise, creating catalogs of working credentials that could be used for subsequent attacks or sold on dark web markets.

Phase 4: Targeted Exploitation

With access to thousands of compromised devices, attackers then focused on high-value targets:

  • Financial Institutions: Targeting banks and financial services for fraudulent transactions
  • Healthcare Organizations: Seeking access to sensitive patient data
  • Government Agencies: Attempting to disrupt critical services or gather intelligence
  • Critical Infrastructure: Targeting utilities, transportation systems, and manufacturing facilities

The attackers appear to have developed specialized payloads for different target types, suggesting significant planning and resource allocation behind this campaign.

Technical Indicators of Compromise (IOCs)

Security teams can look for the following indicators to detect compromise:

  • Unusual outbound connections from Fortinet devices to external IP addresses
  • Unexpected changes to firewall configurations or rules
  • New administrator accounts with generic names (admin1, root, backup)
  • Modified firmware versions not documented in organizational change logs
  • Suspicious log entries showing multiple failed login attempts followed by successful ones
  • Changes to default system names or hostnames

Organizations should monitor Fortinet device logs for patterns consistent with credential testing, such as repeated authentication failures across multiple accounts within short time periods.

Sector-Specific Impact Analysis

The attack's widespread nature means organizations across diverse sectors are affected. Understanding the sector-specific impact helps prioritize remediation efforts and allocate resources appropriately.

Financial Services Sector

Banks, payment processors, and financial institutions are particularly vulnerable due to the high value of their data and systems. Compromised Fortinet devices in this sector could allow attackers to:

  • Access internal payment systems and customer databases
  • Redirect financial transactions through modified firewall rules
  • Gain access to trading platforms and market data feeds
  • Compromise ATMs and point-of-sale systems through compromised network infrastructure

The financial sector has responded with increased monitoring of firewall configurations and implementation of additional authentication layers for administrative access.

Healthcare Industry

Healthcare organizations are attractive targets due to the sensitive nature of patient data. In this sector, compromised Fortinet devices could enable:

  • Access to Electronic Health Records (EHR) systems and patient databases
  • Disruption of medical devices connected to compromised networks
  • Interception of communications between healthcare facilities and insurers
  • Bypassing of security controls designed to protect PHI (Protected Health Information)

Healthcare organizations are implementing stricter network segmentation and monitoring for unauthorized access to critical systems.

Government and Critical Infrastructure

Government agencies and critical infrastructure operators represent high-value targets for nation-state actors or advanced persistent threats. Compromises in this sector could lead to:

  • Access to classified or sensitive government communications
  • Disruption of public services through compromised SCADA systems
  • Intelligence gathering through intercepted traffic
  • Potential for denial-of-service attacks on critical infrastructure

Governments are responding with emergency security directives and increased oversight of network perimeter devices.

Education and Research Institutions

Universities and research institutions often have less robust security postures than commercial organizations, making them attractive targets. Compromised Fortinet devices in this sector could result in:

  • Theft of intellectual property and research data
  • Access to student and faculty personal information
  • Disruption of academic operations through system compromises
  • Use of compromised devices as launch points for attacks on other institutions

Educational organizations are strengthening their security awareness programs and implementing additional layers of access control for network devices.

Retail and E-commerce

Retailers and e-commerce platforms rely heavily on secure payment processing and customer data protection. Compromised Fortinet devices could allow attackers to:

  • Intercept payment card data during transmission
  • Access customer databases for identity theft campaigns
  • Manipulate e-commerce infrastructure to facilitate fraudulent transactions
  • Compromise supply chain management systems

Retailers are implementing additional monitoring of network traffic and enhancing their incident response capabilities.

Manufacturing and Industrial Systems

Industrial organizations with connected operational technology (OT) systems face unique risks from compromised network security devices, including:

  • Access to manufacturing execution systems and process control interfaces
  • Potential disruption of production lines through network manipulation
  • Theft of proprietary manufacturing processes and designs
  • Compromise of supply chain tracking systems

Industrial organizations are implementing additional segmentation between IT and OT networks and enhancing monitoring of network security devices.

Fortinet's Response and Industry Recommendations

Fortinet has released guidance for organizations concerned about the compromise of their devices. The vendor's response includes both immediate remediation steps and longer-term security recommendations.

Immediate Actions for Fortinet Customers

  1. Inventory Assessment: Organizations should first conduct a complete inventory of all Fortinet devices, including those that may be forgotten or rarely used
  2. Firmware Updates: Ensure all devices are running the latest patched firmware versions
  3. Credential Review: Change all default and administrator passwords, using strong, unique credentials
  4. Access Control Audit: Review firewall rules and access control lists for unauthorized entries
  5. Log Analysis: Examine device logs for signs of credential testing or unauthorized access attempts
  6. Network Monitoring: Implement additional monitoring for unusual traffic patterns that might indicate compromise
  7. Physical Security Check: Verify physical security of devices, especially remote deployments
  8. Third-Party Assessment: Consider engaging security experts to conduct a comprehensive assessment of Fortinet deployments

Long-Term Security Improvements

  1. Network Segmentation: Implement strict network segmentation to limit the impact of potential compromises
  2. Multi-Factor Authentication: Enable MFA for all administrative access to security devices
  3. Regular Security Audits: Conduct regular security assessments of network infrastructure
  4. Automated Patch Management: Implement automated systems for applying security updates
  5. Threat Intelligence Integration: Connect Fortinet devices to threat intelligence feeds for real-time protection
  6. Security Training: Provide regular security training for IT staff responsible for network devices
  7. Incident Response Planning: Develop and test incident response procedures for network security device compromises
  8. Zero Trust Implementation: Consider implementing zero trust architectures to reduce reliance on perimeter defenses

Fortinet Security Advisories

Fortinet has released several security advisories related to this campaign:

  • SA-2024-01: Multiple vulnerabilities in FortiOS and FortiProxy
  • SA-2024-02: Specific vulnerabilities in Fortinet firewall devices that could allow remote code execution
  • SA-2024-03: Guidance on identifying and remediating compromised devices

Organizations are encouraged to review these advisories and implement the recommended fixes immediately.

Lessons Learned and Future Implications

The scale and sophistication of this credential harvesting campaign against Fortinet devices offers several important lessons for the cybersecurity community.

Key Takeaways

  1. Perimeter Security is Not Sufficient: Traditional perimeter defenses, while important, are no longer adequate as the sole security measure. Organizations must implement defense-in-depth strategies.

  2. Default Credentials are Still a Major Issue: Despite years of security awareness campaigns, default credentials remain a widespread problem, particularly in network infrastructure devices.

  3. Automated Attacks are Increasingly Effective: The attackers' ability to compromise 30,000 devices suggests a high level of automation and sophistication in their approach.

  4. Credential Management is Critical: Organizations must implement proper credential management practices, including regular rotation and secure storage.

  5. Monitoring and Detection Matters: Many compromises may have gone undetected for extended periods, highlighting the importance of continuous monitoring.

  6. Supply Chain Security is a Concern: The attack on Fortinet devices suggests that attackers are increasingly targeting security products themselves, creating vulnerabilities in the very tools designed to protect networks.

  7. Global Coordination is Necessary: The cross-border nature of this attack requires international cooperation for effective defense and response.

Predictions for Future Attacks

Based on the techniques demonstrated in this campaign, security experts predict:

  • More credential harvesting attacks targeting other network infrastructure vendors
  • Increased use of AI to automate credential testing and attack coordination
  • Greater focus on stealing credentials from security devices themselves
  • More sophisticated attempts to avoid detection through timing and obfuscation techniques
  • Enhanced dark web markets for stolen credentials from network infrastructure devices

The Road Ahead

Organizations must shift their security posture to assume compromise has occurred and implement appropriate controls. This includes:

  • Implementing zero trust architectures
  • Enhancing monitoring and detection capabilities
  • Regular security assessments of network infrastructure
  • Developing robust incident response plans
  • Conducting regular security awareness training

The Fortinet credential harvesting campaign serves as a stark reminder that even security-focused organizations must continuously evaluate and improve their defenses against evolving threats.

Related blogs

cloud security incidents

Veeam Backup & Replication CVE-2026-44963: Critical RCE Vulnerability Exposes Domain-Joined Servers

Critical vulnerability CVE-2026-44963 in Veeam Backup & Replication allows authenticated low-privilege domain users to achieve remote code execution on backup servers. Patch to version 12.3.2.4854 is required for mitigation.

4 hours ago · 4 mincloud security incidents

The Hidden Infrastructure Behind SocGholish: How Traffic Distribution Systems Make Fake Updates Deadly

How SocGholish malware uses Traffic Distribution Systems (TDS) as a stealthy, resilient delivery mechanism—and why understanding TDS mechanics is critical for blocking initial access.

12 hours ago · 4 mincloud security incidents

Active Attacks Target Critical SSRF Vulnerability in Cisco Unified Communications Manager

Threat actors are actively leveraging a newly disclosed server-side request forgery (SSRF) flaw, CVE-2026-20230, in Cisco's Unified Communications Manager. This high-severity issue, which permits arbitrary file-write operations, is currently being used for reconnaissance, with concerns for potential remote code execution and root privilege escalation.

12 hours ago · 4 min
More engineering analysis and backend guidance from ProBackend.
More blogs