The cybersecurity landscape often feels like a never-ending game of whack-a-mole, but the recent discovery of the "FortiBleed" campaign should give even the most seasoned security engineers pause. What we're witnessing isn't just another routine vulnerability, but a broad, sophisticated weaponization of a critical piece of edge infrastructure: the FortiGate firewall.
At its heart, this campaign is a massive credential-harvesting effort, with over 430,000 FortiGate firewalls potentially compromised globally and more than 110 million credentials stolen. This is a monumental scale for an attack of this nature, and it demonstrates a level of strategic planning that goes beyond typical opportunistic threats. The attackers didn't just break in; they turned the very tool we trust to keep our perimeters secure into a passive, data-harvesting engine.
When we talk about the threat to our edge, we’re usually focused on the perimeter being breached. But with FortiBleed, the firewalls themselves—our core defensive assets—have been transformed into conduits for data exfiltration. It's a sobering reminder that any device on our network, no matter how security-focused, can be manipulated if the right, often built-in, levers are pulled.
This campaign has been active since at least February, quietly operating in the background, harvesting authentication traffic across 24 distinct protocols. It's not just a momentary breach; it's a persistent, well-oiled machine operating in the shadows of our organizations. Based on tool comments in Cyrillic, the trail points towards Russian threat actors, likely operating as initial access brokers (IABs). These groups don't always perform the final attack themselves, but their work provides the critical access and data that fuels the larger, much more damaging, ransomware and extortion campaigns we see in the wild later on.
The sheer volume of stolen credentials—RADIUS, NTLM, Kerberos—is what makes this particularly dangerous. It's not just a breach of a firewall's admin interface; it's a complete dismantling of an organization's identity security. Once those credentials leave the victim's network, they're often aggregated, repackaged, and sold in underground markets. This lowers the barrier to entry, allowing less sophisticated attackers to launch their own campaigns using stolen credentials that are, for all intents and purposes, legitimate keys to the kingdom.
It’s time we look at our edge devices, not just as static barriers, but as the prime targets they have clearly become. The FortiBleed campaign is a loud wake-up call that our defensive perimeter is more fragile than we'd like to admit. And if we don't start treating the compromise of a firewall as an immediate, full-scale breach of our entire identity foundation, we're destined to get hit by the next wave. Because let's face it: if the firewall is compromised, the rest of the network is already vulnerable. It's not a question of if the attackers get in, but how much damage they do before we even realize they're there. And in the case of FortiBleed, we're only just starting to scratch the surface of that damage.
The FortigateSniffer: A Masterclass in Abuse
The core of the FortiBleed campaign is a custom-engineered tool: 'FortigateSniffer'. This isn't your typical off-the-shelf malware; it's a Golang-based sniffer that highlights a dangerous trend—the exploitation of legitimate, built-in diagnostic tools to conduct large-scale, malicious operations.
'FortigateSniffer' is remarkably clever in its simplicity. Instead of deploying complex, potentially detectable custom malware, the attackers decided to abuse the legitimate 'diagnose sniffer packet' command within the FortiOS operating system. This is a command designed for network troubleshooting—a tool that network administrators, myself included, have used countless times to debug traffic flows, identify connectivity issues, and monitor network health.
But in the hands of these attackers, it becomes a powerful, passive credential-collection agent. The tool monitors traffic across 24 different authentication protocols, parses that traffic in real-time, and extracts sensitive authentication data. RADIUS credentials, NTLM hashes, Kerberos components—all of it is captured without the need to install anything that's inherently flagged by traditional Endpoint Detection and Response (EDR) agents, because the action itself is a legitimate diagnostic process.
That’s the brilliance—and the horror—of it. It’s "living off the land" at the firewall level.
Particularly concerning is that parts of this campaign's workflow may have been assisted by 'CyberStrike,' an autonomous, open-source penetration testing agent powered by AI. This integration suggests the attackers are constantly refining their tactics, using automated tools to scale their efforts and improve the efficiency of their reconnaissance and exploitation workflows. They aren't just sending manual commands; they're optimizing the attack cycle for maximum impact.
Once they've deployed the sniffer and established their collection pipeline, the extracted authentication traffic is processed. What they don't capture as cleartext is processed via a distributed GPU infrastructure to crack hashes, turning what might look like indecipherable noise into usable credentials, session cookies, and authentication tokens.
This is a stark reminder that 'malware' is an outdated term. We're facing 'attack tools' that, in many cases, are repurposed, legitimate capabilities of the very software we trust. It forces us as defenders to look at the diagnostic tools on our critical infrastructure, not just the endpoints, and ask ourselves: who can run these diagnostics, how are they being used, and what does it look like in our logs when they're abused? Because if we aren't monitoring the diagnostic commands themselves, we're missing the attack as it happens in plain sight. It’s hard to detect a thief when they’re using the keys you handed them.
Unraveling the Five-Step Attack Chain
The FortiBleed threat isn't a single, isolated event; it's a highly structured campaign that follows a well-defined, five-step attack chain. Understanding this chain is crucial if we want to disrupt the pattern.
First, reconnaissance is the foundation. Attackers are constantly scanning the Internet—not just for any target, but specifically for exposed FortiGate firewalls and other edge services. They aren't shooting blindly. They enrich this data with public-facing information like company size, revenue, and sector, essentially 'value-ranking' their targets to decide where to focus their efforts. They're looking for the best bang for their buck.
Second, they gain access through credential-stuffing and brute-force attacks against administrative interfaces and SSH services. These devices are often left with weak or default passwords that are never rotated, despite repeated warnings. The fact that the attackers can find these vulnerable entry points so reliably just shows how much room for improvement we have in our basic hygiene.
Third, after they've established a foothold, the 'FortigateSniffer' tool is deployed. This is the crucial pivot point. They’re taking that foothold and using it to turn the firewall itself into a passive data collection point.
Fourth, they move to processing. The captured data is sent back to the attackers’ distributed GPU infrastructure, where hashes are cracked and valid credentials—session tokens, cleartext credentials, the works—are extracted. The speed at which they can turn captured traffic into usable access is frightening.
Finally, post-exploitation is the end goal. Stolen sessions are reused to gain entry into internal applications. Stolen credentials are used for password spraying and Active Directory enumeration. They're moving laterally, searching for sensitive files on network shares. At this point, the firewall has served its purpose, and the attack has moved deep into the heart of the victim’s network. Some of these compromised environments are later hit with follow-on ransomware or data extortion, while other access points may simply be sold to the highest bidder on underground forums.
It's a complete, start-to-finish operations model. They aren't just breaking in to break in; they're breaking in to build a business. They’ve turned credential harvesting into a scalable, repeatable product. If you're looking for the 'why' behind the surge in large-scale credential breaches, this attack chain is arguably one of the most efficient models I've seen in a long time. It’s not just tech; it's industrial-scale data theft.
Victimology: Why SMBs and IT Services Matter
One of the most revealing aspects of the FortiBleed campaign is its deliberate target profile. While it has impacted organizations in nearly 200 countries—a truly global scope—the primary targets are small to medium-sized businesses (SMBs) with fewer than 200 employees, particularly in the US and India.
Why focus on smaller organizations? It’s simple: resource limitations. SMBs rarely have the same depth of security expertise or infrastructure-monitoring capabilities as large enterprises. They're often running services that are exposed to the Internet, and they may not have implemented the robust, multi-layered security controls needed to spot the subtle, passive monitoring that 'FortigateSniffer' performs.
However, the threat doesn't stop with SMBs. The researchers believe that a significant share of the victims fall within the 'IT services' sector. This is a strategic choice, designed to maximize downstream access. When you compromise an IT service provider, you aren't just hitting one target; you're potentially gaining access to the networks of dozens, or even hundreds, of their clients. It's a force multiplier for the attacker, turning a single breach into a high-value entry point. They’re effectively outsourcing their reconnaissance and target acquisition to the very companies that are supposed to be protecting their clients. It’s a cynical, calculated strategy that shows just how dangerous these attackers really are.
This victimology tells us that this isn't just about targeting high-value defense contractors or government agencies. It's about attacking the soft underbelly of the digital supply chain. If you’re a managed service provider (MSP) or an IT shop serving SMBs, you need to know: you are on their radar. And for SMBs themselves, it’s a wake-up call to start auditing exactly who has access to your infrastructure, and what that access allows them to do. You might not believe you're a high-value target, but to an attacker looking for an easy, high-leverage entry point, you’re exactly what they’re looking for.
The Hidden Aftershock of Credential Theft
It's tempting to think that once the immediate threat is gone—once the firewall is patched or the sniffer removed—the danger has passed. But that’s a dangerous misconception, and Gene Moody, field CTO at Action1, hit the nail on the head when he called these datasets 'an active risk condition with as much potential for damage as the original vector.'
We need to treat those 110 million stolen credentials as still active. Even if the firewall is secured, the credentials that were stolen remain in the hands of the attackers. They're being reused, sold, and incorporated into new attack vectors long after the initial compromise was technically 'resolved'. Many organizations assume they’ve survived the initial event, only to find themselves reeling from the predictable aftershock months later.
This is the nature of credential reuse: it's impersonation. When an attacker is using stolen credentials, their activity might look entirely legitimate at a glance. They aren't triggering traditional malware alerts because they're logging in with a username and password that belongs to a user. It’s only when you start looking at the context of that activity—atypical login times, logins from unusual locations, access to systems the user doesn't normally visit—that you start to see the cracks in their disguise.
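The paragraph above names three context signals that expose credential reuse: atypical login times, unfamiliar locations, and access to systems the user does not normally touch. The following is an added example (not code from the original article) that turns those three signals into a small per-user baseline check. The record format, field names, the two-signal threshold and every sign-in in the sample history are constructed for the example and are assumptions, not a description of any real product or of this campaign's data.

```python
"""Context-based detection of stolen-credential reuse (added example).

Builds a per-user baseline from known-good sign-in history, then scores new
sign-ins on three signals: hour of day, source country and target system.
A single deviation (a user travelling, a new app being rolled out) is common
and noisy; two or more deviations on one sign-in is the impersonation
pattern worth an analyst's time.  All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class SignIn:
    user: str
    ts: datetime
    src_country: str   # ISO country code derived from the source IP (assumed upstream enrichment)
    target: str        # application or system the credential was presented to


@dataclass
class Baseline:
    hours: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    targets: set = field(default_factory=set)


def build_baseline(history):
    """Learn, per user, the hours, countries and targets seen in the known-good history."""
    baselines = defaultdict(Baseline)
    for s in history:
        b = baselines[s.user]
        b.hours.add(s.ts.hour)
        b.countries.add(s.src_country)
        b.targets.add(s.target)
    return baselines


def score_signin(s, baselines):
    """Return the list of anomaly reasons for one sign-in (empty list means nothing unusual)."""
    b = baselines.get(s.user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if s.ts.hour not in b.hours:
        reasons.append("atypical hour")
    if s.src_country not in b.countries:
        reasons.append("unfamiliar source country")
    if s.target not in b.targets:
        reasons.append("unusual target system")
    return reasons


def find_suspicious(history, new_events, min_reasons=2):
    """Flag sign-ins that deviate from the user's baseline on at least `min_reasons` signals."""
    baselines = build_baseline(history)
    flagged = []
    for s in new_events:
        reasons = score_signin(s, baselines)
        if len(reasons) >= min_reasons:
            flagged.append((s, reasons))
    return flagged


# Constructed sample data: alice works US office hours against vpn/mail/crm,
# bob is a night-shift user in India.
HISTORY = [
    SignIn("alice", datetime(2025, 2, 3, 8, 15), "US", "vpn"),
    SignIn("alice", datetime(2025, 2, 3, 9, 40), "US", "mail"),
    SignIn("alice", datetime(2025, 2, 4, 13, 5), "US", "vpn"),
    SignIn("alice", datetime(2025, 2, 5, 16, 50), "US", "mail"),
    SignIn("alice", datetime(2025, 2, 6, 10, 20), "US", "crm"),
    SignIn("bob", datetime(2025, 2, 3, 22, 10), "IN", "vpn"),
    SignIn("bob", datetime(2025, 2, 4, 23, 45), "IN", "mail"),
]

NEW_EVENTS = [
    SignIn("alice", datetime(2025, 3, 2, 10, 5), "US", "mail"),        # normal
    SignIn("alice", datetime(2025, 3, 2, 10, 30), "DE", "mail"),       # one deviation: travel?
    SignIn("alice", datetime(2025, 3, 3, 3, 12), "DE", "fileshare"),   # three deviations
    SignIn("carol", datetime(2025, 3, 3, 9, 0), "US", "vpn"),          # no baseline at all
]


def demo():
    """Run the detector over the constructed events and return the flagged sign-ins."""
    return find_suspicious(HISTORY, NEW_EVENTS)


if __name__ == "__main__":
    for signin, reasons in demo():
        print(f"{signin.user} -> {signin.target} at {signin.ts:%Y-%m-%d %H:%M}: {', '.join(reasons)}")
```

With the sample data only the 03:12 sign-in from an unfamiliar country to a file share is flagged; the single-deviation sign-in from Germany is scored but stays below the threshold, and a user with no baseline at all is surfaced as a reason rather than silently treated as normal.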
Think of it this way: the initial compromise is just the catalyst. The real damage often happens in the aftershock, when those stolen credentials are used to bypass the very authentication gates we set up, leading to lateral movement, privilege escalation, and the ultimate goal of data extortion. If you don't treat every stolen credential as a live, active threat, you're not managing the risk; you're just waiting for the next catastrophe. It's a sobering, but essential, shift in perspective. Managing the fallout is often more critical than stopping the initial breach itself.
Fortifying Your Environment Against FortiBleed
If the FortiBleed campaign has taught us anything, it's that static security measures aren't enough when attackers are adapting their tactics in real-time. We have to be just as agile. While the situation is critical, there are definitive steps you can take to harden your environments and mitigate the risk.
First and foremost: rotate all credentials. And I don’t just mean the admin passwords. We're talking about every single credential tied to VPNs, administrative interfaces, and service accounts. Assume anything that was accessible from the firewall has been compromised. It’s painful, it’s labor-intensive, but it’s the only way to be sure you've neutralized the threat.
Second, enforce multifactor authentication (MFA) everywhere. It is, without a doubt, the most effective barrier against credential reuse. If an attacker has your password but doesn't have your MFA token, the utility of that stolen credential is dramatically reduced. It's not a silver bullet, but it's an essential layer.
Third, remove management interfaces from direct Internet exposure. This should be a given, but it clearly isn't. If your firewall’s management interface is accessible from the public Internet, you're inviting disaster. Use a secure, non-public jump box, VPN, or alternative access control method to manage these devices.
Fourth, audit your logs. You need to be looking for suspicious activity across your gateway and authentication systems. Are you seeing connections from unusual sources? Are you noticing diagnostic commands being run? These are the indicators of compromise, and you need to be actively monitoring for them.
Finally, utilize the resources provided by the community. SOCRadar has provided a comprehensive list of IoCs and even a tool that can help you test if your organization has been compromised by FortiBleed. You don't have to navigate this threat alone.
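The FortigateSniffer section asked what abuse of the diagnostic commands looks like in our logs, and step four above asks whether you would notice diagnostic commands being run or admin connections from unusual sources. The following is an added example (not code from the original article, and not a Fortinet tool) that answers both for a FortiGate-style key=value event log: it flags any administrative session that executed the packet sniffer diagnostic and any admin session that did not come from the networks management is supposed to be reachable from. The sample lines are constructed and only loosely modelled on the FortiGate key=value syslog layout; the exact field names, the wording of the msg field and the trusted management network are assumptions to adapt to your own log export.

```python
"""Audit FortiGate-style event logs for sniffer-diagnostic abuse (added example).

Two checks, both defender-side:
  1. any event whose message shows "diagnose sniffer packet" being executed
     (high severity if the session came from outside the trusted admin
     networks, medium if it came from inside and should simply be reviewed);
  2. any admin session whose client address is outside the trusted admin
     networks, even when no diagnostic ran.
Sample lines and field layout are constructed for the example.
"""
import ipaddress
import re

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                      # key=value or key="quoted value"
UI_SRC_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')         # address inside ui="ssh(1.2.3.4)"
SNIFFER_RE = re.compile(r'\bdiag(?:nose)?\s+sniffer\s+packet\b', re.IGNORECASE)

# Constructed assumption: management is only ever reached from this admin VLAN / jump host range.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def parse_line(line):
    """Turn one key=value log line into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def source_ip(ui_field):
    """Extract the client address from a ui field such as ssh(10.10.0.5); None for console sessions."""
    m = UI_SRC_RE.search(ui_field or "")
    return ipaddress.ip_address(m.group(1)) if m else None


def is_trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_ADMIN_NETS)


def audit(lines):
    """Return findings as (severity, reason, parsed_record) tuples, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "event":          # only administrative/system events matter here
            continue
        ip = source_ip(rec.get("ui"))
        trusted = is_trusted(ip)
        ran_sniffer = bool(SNIFFER_RE.search(rec.get("msg", "")))
        if ran_sniffer:
            severity = "medium" if trusted else "high"
            findings.append((severity, "packet sniffer diagnostic executed", rec))
        elif ip is not None and not trusted:
            findings.append(("medium", "admin session from outside trusted networks", rec))
    return findings


# Constructed sample log: one remote admin session running the sniffer, one legitimate
# in-house troubleshooting run, one remote GUI login, and a traffic record to be ignored.
SAMPLE_LOG = [
    'date=2025-03-02 time=02:14:07 devname="fw-edge-01" type="event" subtype="system" level="information" '
    'vd="root" user="admin" ui="ssh(203.0.113.9)" msg="Command executed: diagnose sniffer packet port2 \'tcp\' 3"',
    'date=2025-03-02 time=09:30:11 devname="fw-edge-01" type="event" subtype="system" level="information" '
    'vd="root" user="netops" ui="ssh(10.10.0.5)" msg="Command executed: get system status"',
    'date=2025-03-02 time=09:31:40 devname="fw-edge-01" type="event" subtype="system" level="information" '
    'vd="root" user="netops" ui="ssh(10.10.0.5)" msg="Command executed: diagnose sniffer packet port1 \'icmp\' 1"',
    'date=2025-03-02 time=11:02:55 devname="fw-edge-01" type="event" subtype="system" level="notice" '
    'vd="root" user="admin" ui="https(198.51.100.23)" msg="Administrator admin logged in successfully from https(198.51.100.23)"',
    'date=2025-03-02 time=11:05:00 devname="fw-edge-01" type="traffic" subtype="forward" '
    'srcip=10.10.0.5 dstip=192.0.2.1 action="accept"',
]


if __name__ == "__main__":
    for severity, reason, rec in audit(SAMPLE_LOG):
        print(f"[{severity}] {rec['date']} {rec['time']} user={rec.get('user')} ui={rec.get('ui')}: {reason}")
```

Run against the sample, the 02:14 sniffer run from a public address is the high-severity finding, the 09:31 run from the admin VLAN is surfaced at medium so someone confirms it was planned troubleshooting, and the 11:02 GUI login from a second public address is flagged even though no diagnostic followed it. Feeding this the device's real event log export, with TRUSTED_ADMIN_NETS set to your jump-host range, gives you the answer to step four's two questions in one pass.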
This isn't an overnight fix; it's a structural change in how we secure our edge. The FortiBleed campaign won't be the last time our own diagnostics are turned against us. It's time to stop trusting the perimeter, start questioning our diagnostic infrastructure, and build the kind of multi-layered security that assumes the worst-case scenario. Because as this campaign shows, the worst-case scenario is exactly what we're facing. Rotate those credentials, enforce MFA, and stay vigilant. The aftershock is coming, but we don't have to be caught in it unprepared.