Researchers say threat actors harvested FortiGate credentials at scale, exposing organizations in 194 countries to potential long-term network compromise.
A massive credential-compromise campaign dubbed “Fortibleed” has been found to expose tens of thousands of Fortinet devices worldwide, with researchers warning of persistent attacker access to affected enterprise environments.
The campaign was first flagged by security researcher Volodymyr Diachenko, who posted on LinkedIn about finding an attacker-controlled list of potentially working FortiGate passwords collected “through various means.”
Further details came from SOCRadar after its team independently discovered an operational server belonging to an unnamed threat actor. The server held a list of stolen FortiGate passwords, tools, automation infrastructure, a victim list, and some telling information about who could be behind the attack.
“Attribution is ongoing, but the operational fingerprints are clear,” SOCRadar researchers said in a blog post, adding that the tooling and targeting choices are consistent with Russian-speaking threat actors.
According to independent analyses, including by SOCRadar, Hudson Rock, and security researcher Kevin Beaumont, the threat actors systematically collected configuration files from internet-facing Fortinet FortiGate firewalls and used them to recover working administrator credentials. The initial access vector is presently unknown.
watchTowr CEO Benjamin Harris said the campaign is consistent with what he has been seeing lately. “The uncomfortable reality is that modern exploitation isn’t always about immediate impact,” he said. “It’s about harvesting data that retains value long after the underlying vulnerability has been patched.”
These credentials were likely accumulated over time by exploiting many vulnerabilities affecting sensitive, externally facing Fortinet applications, he added.
Fortinet did not immediately respond to CSO’s request for comments.
Cracked passwords, global reach
While SOCRadar initially reported that the dataset contained working login credentials for over 30,791 devices, further analysis by Beaumont, along with Hudson Rock, placed the affected devices at 75,000, about 50% of the total internet-facing Fortinet firewalls found on Shodan.
Researchers found affected devices across 194 countries, spanning more than 21,000 domains.
The dataset reportedly contains a mix of administrative and SSL VPN credentials recovered from compromised configuration files. Researchers said the operation is highly automated, allowing threat actors to collect, process, and crack credential material at a very large scale.
SOCRadar found the top affected countries to be India, the US, and Mexico, with a little under 12,000 compromised credentials between them. A credential-type breakdown showed organization-specific credentials to be the most probed, indicating enterprise targeting.
Explaining the potential impact, Beaumont said the threat actors “can log in remotely and gain remote access to the firewall — and so the network.” They can also change settings, including security controls, and make backdoor users, he added.
Old hashes, new problems
Additional investigation into the campaign highlighted why some Fortinet deployments proved easier to crack than others.
Researchers noted that many affected systems stored administrator credentials using older hashing approaches that were significantly less resistant to offline password-cracking attacks than more recent implementations.
“Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism,” Arctic Wolf researchers explained in a blog post. “However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade.”
This could leave many organizations still storing admin credentials with the older salted SHA-256 mechanism, they noted.
Defenders told to assume credential exposure
Researchers urged organizations to assume that credentials contained in exposed FortiGate configuration files have been compromised and to immediately rotate affected administrative and VPN passwords.
Additional recommendations include enforcing multi-factor authentication (MFA), restricting internet access to management interfaces, and reviewing devices for signs of unauthorized access.
Upgrading to supported FortiOS versions and replacing weaker or reused passwords was also advised. “After upgrading FortiOS, require all administrators to log in to the firewall at least once: this will automatically set the encryption to PBKDF2,” the researchers said.
Admin passwords can also be manually updated by using a super_admin account, they noted.
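The upgrade-on-login behaviour described above (a legacy hash is only replaced once the administrator authenticates successfully) and the resulting audit question (which accounts are still on the old scheme?) can be modelled as follows. This is an added illustration, not Fortinet's code or storage format: the record layout, the single-round salted SHA-256 stand-in for the legacy scheme, and the PBKDF2 iteration count are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed iteration count for the illustration; not Fortinet's actual parameter.
PBKDF2_ITERATIONS = 600_000


@dataclass
class Record:
    scheme: str   # "sha256-salted" (legacy) or "pbkdf2-sha256"
    salt: bytes
    digest: bytes


def hash_legacy(password: bytes, salt: bytes) -> bytes:
    """Single-round salted SHA-256: one hash per guess, so cheap to attack offline."""
    return hashlib.sha256(salt + password).digest()


def hash_pbkdf2(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def legacy_record(password: bytes) -> Record:
    salt = os.urandom(16)
    return Record("sha256-salted", salt, hash_legacy(password, salt))


def login_and_migrate(rec: Record, password: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> tuple[bool, Record]:
    """Verify a login. On success a legacy record is rewritten under PBKDF2;
    a failed or never-attempted login leaves the weak hash in place."""
    if rec.scheme == "sha256-salted":
        ok = hmac.compare_digest(rec.digest, hash_legacy(password, rec.salt))
        if ok:
            salt = os.urandom(16)
            rec = Record("pbkdf2-sha256", salt, hash_pbkdf2(password, salt, iterations))
        return ok, rec
    return hmac.compare_digest(rec.digest, hash_pbkdf2(password, rec.salt, iterations)), rec


def accounts_still_legacy(store: dict[str, Record]) -> list[str]:
    """Audit helper: admin accounts whose stored hash is still the legacy scheme."""
    return sorted(name for name, rec in store.items() if rec.scheme == "sha256-salted")


if __name__ == "__main__":  # constructed sample accounts
    store = {"admin": legacy_record(b"correct horse"), "backup-admin": legacy_record(b"winter2023")}
    ok, store["admin"] = login_and_migrate(store["admin"], b"correct horse")
    print(ok, accounts_still_legacy(store))  # True ['backup-admin']
```

The audit list is the point for defenders: any account that has not logged in since the upgrade is still protected only by the cheap legacy hash and should be rotated by hand.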