
Russian Initial Access Broker Behind FortiBleed Campaign

Jun 27, 2026  Twila Rosenbaum

A Russian initial access broker (IAB) is behind a sprawling credential-harvesting campaign targeting more than 430,000 FortiGate firewalls globally, according to recent research from cybersecurity firm SOCRadar. Dubbed FortiBleed, the operation has been active since at least February 2023 and has evolved into a multi-vendor threat, impacting not just Fortinet devices but also Sophos, Citrix, Microsoft, and other platforms. The campaign underscores the escalating risks posed by IABs who profit from selling network access to ransomware gangs and state-sponsored actors.

Scope and Scale of the Campaign

SOCRadar discovered the FortiBleed campaign last week, but its roots trace back to early 2023. Initial reports suggested the attacks were exclusive to Fortinet, but further analysis revealed a broader strategy: the attackers compromise exposed firewalls, harvest authentication traffic and credentials passing through them, crack captured data, and sell that access on underground markets. The firm estimates that over 430,000 FortiGate firewalls are within the campaign’s scope, and of the 80,000 identified targets, more than 19,000 are still being actively sniffed. The primary tool used is FortigateSniffer, a custom Golang utility that abuses legitimate FortiOS diagnostic commands to passively capture authentication traffic across 24 protocols.

The campaign has already compromised over 110 million credentials, according to SOCRadar. These credentials span multiple protocols, including SSH, RDP, MSSQL, NTLM, Kerberos, and various VPN solutions. The attackers have deployed hundreds of servers and more than 650 credential-harvesting pipelines to sustain the operation. Because firewalls sit at the network edge, a compromise can expose an organization’s entire identity layer. The threat also reaches deep into supply chains, especially since managed service providers (MSPs) and IT firms that manage Fortinet devices for clients are squarely among the targets.

Attack Methodology

The attack chain begins with reconnaissance using tools like Masscan and Shodan to identify vulnerable FortiGate appliances exposed to the internet. The attackers then perform SSH brute-force attacks to gain initial access. Once inside, they deploy network sniffers that capture cleartext credentials and password hashes. The captured data is then cracked offline using custom dictionaries. SOCRadar identified two credential sources maintained by the attackers: one combines data from previous leaks with purchased datasets targeting multiple vendors, and the other includes 16 dictionaries specifically curated for FortiGate admin accounts. After cracking, the credentials are validated and used for lateral movement against Active Directory domains, network shares, and other services. The attackers also rely on stolen session cookies to maintain persistent access.

FortigateSniffer is the cornerstone of the operation. SOCRadar notes that the tool was likely built with the assistance of CyberStrike, an AI-powered autonomous penetration testing agent. This suggests a high level of sophistication, possibly indicating the involvement of a well-resourced threat actor. The sniffer abuses the legitimate FortiOS diagnostic command “diag sniff” to intercept traffic without triggering typical security alarms. The earliest artifacts from February 2023 show scans of Sophos SSL-VPN and RDWeb portals, with later expansion to MSSQL credentials, RDP sessions, Citrix SSL-VPNs, and RADIUS, NTLM, and Kerberos data.

Impact on Victims and Supply Chains

Among the most concerning revelations is the compromise of a NATO-aligned defense contractor. On June 15, 2023, the attackers successfully cracked Kerberos hashes offline and immediately exfiltrated DFS backup data from the contractor’s network. This incident suggests that the threat actor behind FortiBleed may collaborate with Russian state-sponsored groups, or alternatively, could sell acquired access to ransomware gangs. The campaign shows a heavy focus on small and medium businesses (SMBs) with fewer than 200 employees, though larger enterprises and government agencies have also been hit. Sectors targeted include healthcare, finance, education, and technology, with notable emphasis on the United States and India.

Because the attackers target firewalls that often serve as gateways for multiple clients (especially in MSP environments), the cascading effect can be devastating. An initial compromise of a single firewall can lead to the theft of credentials for hundreds of downstream organizations. This supply chain angle amplifies the risk compared to traditional credential harvesting. Organizations that use Fortinet firewalls should immediately audit their devices for signs of compromise, rotate credentials, and enable multi-factor authentication wherever possible.

Broader Context and Mitigation

The FortiBleed campaign is part of a larger trend of IABs increasingly targeting network edge devices. Firewalls, VPN concentrators, and remote access solutions are prime targets because they are often exposed to the internet and may run outdated firmware. Threat actors exploit known vulnerabilities, weak passwords, or default configurations to gain footholds. Once inside, they can remain undetected for months, as the FortiBleed case demonstrates—the campaign has been active for over five months.

Fortinet has responded by releasing updates and advisories, but the onus remains on users to patch and harden their devices. Recommendations from SOCRadar include: restricting SSH access to trusted IPs, using strong unique passwords, enabling logging and monitoring, deploying endpoint detection and response (EDR) solutions on management interfaces, and segmenting networks to limit lateral movement. Organizations should also implement zero-trust architectures and regularly audit their Active Directory environments for signs of credential abuse.
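The attack chain described under Attack Methodology (SSH brute force followed by a successful admin login) and the logging and trusted-IP advice above both lend themselves to a simple log check. The script below is an added example, not code from the article or from SOCRadar: it parses constructed FortiOS-style key="value" event log lines and flags a login success that follows a burst of failures from the same source, and any successful login from outside an assumed trusted range. Field names follow the FortiOS key="value" convention, but every value, address and user is constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in FortiOS key="value" style; addresses, users
# and field values are illustrative, not taken from any real device.
SAMPLE_LOGS = [
    f'date=2023-06-14 time=02:10:{s:02d} type="event" subtype="system" action="login" '
    f'status="failed" user="admin" srcip=198.51.100.7 ui="ssh(198.51.100.7)"'
    for s in range(1, 7)
] + [
    'date=2023-06-14 time=02:10:40 type="event" subtype="system" action="login" '
    'status="success" user="admin" srcip=198.51.100.7 ui="ssh(198.51.100.7)"',
    'date=2023-06-14 time=09:00:12 type="event" subtype="system" action="login" '
    'status="success" user="netops" srcip=192.0.2.10 ui="https(192.0.2.10)"',
    'date=2023-06-14 time=09:05:33 type="event" subtype="system" action="logout" '
    'user="netops" srcip=192.0.2.10 ui="https(192.0.2.10)"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def bruteforce_then_success(lines, threshold=5):
    """Return (srcip, user, failures) for each successful login that followed
    at least `threshold` failed logins from the same source address."""
    fails = defaultdict(int)
    hits = []
    for rec in map(parse_line, lines):
        if rec.get("action") != "login":
            continue
        src = rec.get("srcip", "?")
        if rec.get("status") == "failed":
            fails[src] += 1
        elif rec.get("status") == "success" and fails[src] >= threshold:
            hits.append((src, rec.get("user"), fails[src]))
            fails[src] = 0  # reset so one burst produces one alert
    return hits

def logins_outside_trusthost(lines, trusted_cidrs):
    """Return (srcip, user, ui) for successful logins whose source is not in
    the trusted ranges (the 'restrict SSH access to trusted IPs' advice)."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    out = []
    for rec in map(parse_line, lines):
        if rec.get("action") == "login" and rec.get("status") == "success":
            ip = ipaddress.ip_address(rec["srcip"])
            if not any(ip in n for n in nets):
                out.append((rec["srcip"], rec.get("user"), rec.get("ui")))
    return out

if __name__ == "__main__":
    print(bruteforce_then_success(SAMPLE_LOGS))
    print(logins_outside_trusthost(SAMPLE_LOGS, ["192.0.2.0/24"]))
```

On a real deployment the same two functions would be fed from the firewall's forwarded event logs, with the trusted ranges taken from the admin trusthost configuration.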

The use of AI-assisted tools like CyberStrike in building FortigateSniffer signals a new level of automation in cybercrime. As IABs become more sophisticated, defenders must adopt equally advanced detection methods. Machine learning-based anomaly detection, behavior analysis, and threat intelligence sharing can help identify unusual traffic patterns indicative of sniffer activity. The cybersecurity community is closely watching the evolution of the FortiBleed campaign, as it may presage similar operations targeting other firewall vendors.


Source: SecurityWeek News

