A sophisticated and financially motivated Russian-speaking initial access broker (IAB) has been identified as the architect behind “FortiBleed,” a massive credential-harvesting campaign that has compromised over 430,000 FortiGate firewalls globally. Active since February 2026, this operation has meticulously collected an astonishing 110 million credentials, posing a significant threat to businesses worldwide.
Unveiling FortiBleed’s Tactics: The FortigateSniffer at Play
The FortiBleed campaign is a masterclass in persistent and targeted cyber espionage. Its core strategy involves a multi-pronged approach: compiling credential lists, identifying exposed services, brute-forcing accessible systems, and deploying custom-built sniffers on compromised FortiGate firewalls.
The Heart of the Operation: FortigateSniffer
At the center of this intricate web is a Golang-based tool named FortigateSniffer. This bespoke utility leverages the FortiOS built-in diagnostic command, diagnose sniffer packet, to surreptitiously capture authentication traffic. Once deployed, these sniffers become silent sentinels, capturing both cleartext and hashed credentials as they traverse the infected devices. SOCRadar’s recent report highlights the chilling efficiency: “Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices. The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.”
The FortigateSniffer is designed for broad surveillance, monitoring traffic across 24 different protocols, meticulously parsing authentication data, and extracting valuable credentials. Intriguingly, there’s speculation that the threat actors may have utilized an open-source, AI-native offensive security platform called CyberStrike to streamline certain aspects of their workflow. This isn’t an isolated incident, as another similar framework, CyberStrikeAI, was linked to a separate mass scanning campaign targeting FortiGate devices earlier this year, as revealed by Amazon Threat Intelligence.
Who’s in the Crosshairs? SMBs and Key Sectors Targeted
The FortiBleed campaign exhibits a clear strategic focus. SOCRadar’s analysis indicates a heavy emphasis on Small and Medium Businesses (SMBs) with fewer than 200 employees. The actors cast a wide net across various sectors and regions, with a pronounced focus on the United States and India. The IT services sector, in particular, appears to be a prime target. This strategic choice is likely driven by the desire to maximize “downstream access,” as compromising service providers can unlock pathways into numerous customer environments.
Beyond FortiGate: A Broader Initial Access Operation
Perhaps the most alarming revelation is that FortiBleed is not an isolated incident but rather a component of a much larger, multi-vendor initial access operation. This expansive campaign, active since February 28, 2026, extends its reach beyond Fortinet devices to include Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers, all subjected to automated brute-forcing attacks.
The sheer scale of the operation is staggering. Attackers are estimated to have launched at least 659 credential-harvesting pipelines on May 31 and June 15, 2026, culminating in the identification of over 110 million credentials. This massive haul includes:
- 14.8 million Remote Authentication Dial-In User Service (RADIUS) credentials
- 924,000 NTLM hashes
- 130,000 Kerberos hashes
- 89 million MySQL authentication tokens
The Five Stages of FortiBleed: A Detailed Breakdown
The FortiBleed campaign unfolds in a meticulously planned five-stage process:
- Reconnaissance and Filtering: The operation begins with widespread reconnaissance using tools like Masscan and Shodan to identify vulnerable internet-facing FortiGate firewalls. This is followed by the use of custom utilities, FortiProbe-fast and GeoSplit, to filter FortiGate systems and categorize them by country.
- Initial Compromise: Devices are then targeted with “forticheck,” a credential checker specifically designed for FortiGate’s administrative panel and SSL-VPN portal. Administrative SSH access is subsequently gained through credential stuffing and dictionary attacks.
- Credential Harvesting: Once SSH access is established, the FortigateSniffer is deployed. It passively intercepts authentication traffic across 24 protocols, including TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS, utilizing native FortiOS diagnostic commands. This enables the harvesting of cleartext credentials and password hashes.
- Hash Cracking and Lateral Movement: The harvested password hashes are cracked using tools like Hashcat and Hashtopolis, with the entire process orchestrated by a Telegram bot named HASHBOT. Once cracked, these credentials are used for lateral movement within compromised networks and for Active Directory enumeration.
- Data Exfiltration and Persistence: The final stages involve exfiltrating sensitive data from network shares. Stolen session cookies are also leveraged to maintain persistent, authenticated access, ensuring long-term control over the compromised environments.
Sophistication and Scale: Geofencing and Relentless Cycles
The attackers demonstrate a high degree of sophistication, even ranking targets based on “economic value” before allocating exploitation resources. The sniffing mechanism incorporates a geofencing filter, restricting operations to specific IP ranges and limiting activity to between 7 a.m. and 6 p.m. Moscow Time, suggesting a well-structured and disciplined approach.
SpyCloud data reveals that the FortiGate-related capture cycle commenced on May 19, 2026, with the hash cracking infrastructure established shortly thereafter. Zenox, a Brazilian cybersecurity company, further detailed the operational rhythm: “The operation runs in a pipeline of 300-minute (five-hour) cycles, with status every minute. In each cycle it loads a regional target list […] and validates with 1,000 simultaneous threads, displaying counters of success, failure, timeout, and warning. In the first cycles, the successful validation rate hovered near 90%.” The discovery of repeated username and password pairs across thousands of distinct IP addresses also raises concerns about potential account planting by the threat actors.
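As an added defensive example (not code from the article, SOCRadar, SpyCloud or Zenox): a small Python detector run over constructed FortiOS-style key=value admin event logs. It flags the stage-3 pattern, an SSH administrator session running diagnose sniffer packet, and the stage-2 pattern of repeated failed admin logins from one source, and notes whether each sniffer hit fell inside the 07:00-18:00 Moscow window described above. The field names (ui, action, status, msg) and all sample values are assumptions, and the sniffer command will only appear in real logs if CLI command auditing is enabled on the device.

```python
"""Detection over FortiOS-style admin event logs: flags sniffer CLI use and SSH brute-forcing."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

MOSCOW = timezone(timedelta(hours=3))  # Moscow Standard Time, no DST
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key=value or key="quoted value"
# Constructed sample lines in FortiOS key=value layout; field names and values are illustrative.
SAMPLE_LOGS = [
    'date=2026-05-19 time=04:30:12 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" '
    'srcip=203.0.113.5 action="login" status="success" msg="Administrator admin logged in"',
    'date=2026-05-19 time=04:31:02 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" '
    'srcip=203.0.113.5 action="execute" msg="User admin ran diagnose sniffer packet any \'port 389 or port 1812\' 3"',
    'date=2026-05-18 time=22:05:00 type="event" subtype="system" user="admin" ui="ssh(198.51.100.7)" '
    'srcip=198.51.100.7 action="login" status="failed" msg="Administrator admin login failed"',
    'date=2026-05-18 time=22:05:01 type="event" subtype="system" user="admin" ui="ssh(198.51.100.7)" '
    'srcip=198.51.100.7 action="login" status="failed" msg="Administrator admin login failed"',
    'date=2026-05-18 time=22:05:02 type="event" subtype="system" user="admin" ui="ssh(198.51.100.7)" '
    'srcip=198.51.100.7 action="login" status="failed" msg="Administrator admin login failed"',
    'date=2026-05-18 time=22:06:00 type="traffic" subtype="forward" srcip=10.0.0.4 dstip=10.0.0.9 action="accept"',
]

def parse_kv(line):
    """Split one log line into a dict; quoted values keep their inner text."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def in_msk_work_window(event):
    """True if the event's UTC timestamp lands in the 07:00-18:00 Moscow window the article describes."""
    ts = datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")
    hour = ts.replace(tzinfo=timezone.utc).astimezone(MOSCOW).hour
    return 7 <= hour < 18

def analyze(lines, fail_threshold=3):
    """Return findings: sniffer CLI use over SSH, and repeated failed admin logins per source."""
    findings, fails = [], Counter()
    for line in lines:
        ev = parse_kv(line)
        if ev.get("type") != "event":
            continue  # only admin/system events matter here
        if "diagnose sniffer packet" in ev.get("msg", "") and ev.get("ui", "").startswith("ssh"):
            findings.append(("sniffer_cli", ev.get("user", "?"), ev["ui"], in_msk_work_window(ev)))
        if ev.get("action") == "login" and ev.get("status") == "failed":
            fails[(ev.get("srcip", "?"), ev.get("user", "?"))] += 1
    for (srcip, user), n in fails.items():
        if n >= fail_threshold:
            findings.append(("admin_bruteforce", user, srcip, n))
    return findings
```

Running analyze(SAMPLE_LOGS) yields one sniffer finding (inside the Moscow window) and one brute-force finding for the source that failed three times.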
The FortiBleed campaign underscores the critical importance of robust cybersecurity measures, multi-factor authentication, and continuous monitoring, particularly for organizations relying on network devices like FortiGate firewalls. The sheer scale and multi-vendor nature of this operation demand heightened vigilance from all sectors.