A massive credential exposure campaign dubbed FortiBleed has leaked the administrative credentials of approximately 75,000 internet-facing Fortinet/FortiGate firewall devices. The data, originally spotted in a Hunt Intelligence Inc. feed and verified by researchers Volodymyr “Bob” Diachenko, Kevin Beaumont and Hudson Rock, comprises roughly 50% of all internet-facing Fortinet firewalls globally. The leaked data is heavily formatted in a manner characteristic of commercial eCrime initial access brokers (IABs), categorized by victim revenue, industry, and geography to maximize monetization potential.
Severity: Critical
Threat Actor Profile
- The campaign is orchestrated by a multi-operator, Russian-speaking cybercriminal group.
- The operation’s footprint is staggering: attackers executed an estimated 1.16 billion credential attempts against over 320,000 FortiGate targets, alongside an additional 2.1 billion brute-force attempts directed at over 160,000 MSSQL servers.
- The leaked data explicitly categorizes victims by company type, revenue, and country – a hallmark of eCrime syndicates packaging initial access for sale on the dark web.
Attack Methodology
- Initial Access: Threat actors swept the internet for exposed Fortinet instances where the FortiGate Management Interface was left publicly accessible. The data appears to originate from device configuration exports, allowing attackers to extract and brute-force credentials offline.
- Credential Cracking: Attackers actively intercept SSL VPN authentication hashes and crack them using a massive, dedicated 45-GPU cluster managed via Hashtopolis.
- Exploited Weakness in Credential Storage: While Fortinet hardened admin credential storage in early 2025 by moving to PBKDF2, this protection only applied if administrators actively logged in after applying the firmware updates. Consequently, many devices continued storing credentials using the older, more vulnerable SHA-256 with Salt format, making them highly susceptible to offline brute-forcing once configuration files were extracted.
- Post-Compromise Pivot: Once the perimeter is breached, operators systematically pivot directly into internal Active Directory environments to establish deep network persistence.
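The credential-storage weakness above turns on two points: a single-pass salted SHA-256 hash costs an attacker one hash computation per guess, whereas PBKDF2 multiplies that cost by its iteration count, and a device can only re-hash a stored credential when it has the plaintext, i.e. at the next successful login. The following Python model is an added example, not Fortinet code; the salt construction, the toy credential store and the 100,000-iteration PBKDF2 parameter are assumptions chosen to illustrate the mechanism, not FortiOS internals.

```python
import hashlib
import hmac
import os
import time

# Assumed iteration count for illustration; the advisory does not state
# Fortinet's actual PBKDF2 parameters.
PBKDF2_ITERATIONS = 100_000


def hash_legacy(password: str, salt: bytes) -> bytes:
    """Single-pass salted SHA-256 (assumed construction): one hash per guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class AdminStore:
    """Toy admin credential store: legacy records are upgraded only on login."""

    def __init__(self):
        self.records = {}  # username -> {"scheme", "salt", "digest"}

    def add_legacy(self, user: str, password: str) -> None:
        """Seed a record in the older salted-SHA-256 format."""
        salt = os.urandom(16)
        self.records[user] = {
            "scheme": "sha256-salt", "salt": salt, "digest": hash_legacy(password, salt),
        }

    def scheme(self, user: str) -> str:
        return self.records[user]["scheme"]

    def login(self, user: str, password: str) -> bool:
        """Verify the password; on success, re-hash a legacy record under PBKDF2."""
        rec = self.records.get(user)
        if rec is None:
            return False
        if rec["scheme"] == "sha256-salt":
            ok = hmac.compare_digest(rec["digest"], hash_legacy(password, rec["salt"]))
        else:
            ok = hmac.compare_digest(rec["digest"], hash_pbkdf2(password, rec["salt"]))
        if ok and rec["scheme"] == "sha256-salt":
            # The plaintext is only available here, so the upgrade can only
            # happen at a successful login; a record nobody logs into stays weak.
            salt = os.urandom(16)
            rec.update(scheme="pbkdf2-sha256", salt=salt, digest=hash_pbkdf2(password, salt))
        return ok


def guesses_per_second(hash_fn, guesses: int) -> float:
    """Measure how many candidate passwords one core can hash per second."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"candidate{i}", salt)
    return guesses / (time.perf_counter() - start)


def work_factor_ratio() -> float:
    """How many times more work one PBKDF2 guess costs than one legacy guess."""
    return guesses_per_second(hash_legacy, 20_000) / guesses_per_second(hash_pbkdf2, 20)


if __name__ == "__main__":
    store = AdminStore()
    store.add_legacy("admin", "correct horse battery staple")
    print("before login:", store.scheme("admin"))
    store.login("admin", "correct horse battery staple")
    print("after login: ", store.scheme("admin"))
    print(f"PBKDF2 is ~{work_factor_ratio():,.0f}x more expensive per guess")
```

The ratio printed at the end is the defender's margin: a configuration export containing legacy hashes is brute-forceable at raw SHA-256 speed, which is why the advisory's advice to have every admin log in after upgrading matters as much as the upgrade itself.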
Real-World Impact
- Confirmed full network compromises occurred at multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey. Most alarmingly, this includes a Turkish NATO defense contractor from which classified defense documents were successfully exfiltrated.
- Notable named victims include Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, and thousands of others including government entities and critical infrastructure providers.
- Top affected countries (by device count): India (9,629), United States (6,352), Taiwan (3,637), Mexico (3,197), Turkey (3,032), Thailand (2,939).
- Top affected sectors: IT Services (1,975), Telecommunications (574), Industrial Equipment (467), Government Services (454), Financial Services (460), Healthcare (365).
Differentiation From Prior Incidents
The IP addresses are largely different from the prior Belsen Group leak of 15,000 devices. In this case, most devices are still online – this is not data from 2022. Many of the sampled devices are on fairly recent patches.
Recommendations
- Organizations can verify exposure via Hudson Rock’s free lookup portal at hudsonrock[.]com/fortinet
- Remove internet exposure of the FortiOS Management Interface immediately.
- Rotate all admin credentials and review login history for suspicious activity.
- Upgrade to latest FortiOS and have all admins log back in to trigger re-hashing under PBKDF2 standard.
- Assume compromise if any suspicious successful admin logins are observed; device replacement may be warranted in severe cases.
- Enforce MFA on all admin interfaces and external gateways.
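As a worked illustration of the "review login history" and "assume compromise" steps, the Python script below scans admin login events and flags successful logins that either come from outside an assumed trusted management subnet or follow a run of failed attempts from the same source. This is an added example, not a Fortinet tool; the log lines are constructed in a FortiGate-style key=value layout, the field names, the 10.0.5.0/24 allowlist and the failure threshold are all assumptions to be adjusted to the real environment.

```python
import ipaddress
import re
from collections import Counter

# Assumed trusted admin subnet; replace with the real management network(s).
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]
FAILURE_THRESHOLD = 3  # successes after this many failures get flagged

# Constructed sample events (key=value layout and field names are assumptions).
SAMPLE_LOGS = """\
date=2026-01-10 time=08:01:12 type=event subtype=system action=login status=success user=admin ui=https(10.0.5.20) srcip=10.0.5.20 msg="Administrator admin logged in successfully"
date=2026-01-10 time=23:14:02 type=event subtype=system action=login status=failed user=admin ui=https(203.0.113.45) srcip=203.0.113.45 msg="Administrator admin login failed"
date=2026-01-10 time=23:14:09 type=event subtype=system action=login status=failed user=admin ui=https(203.0.113.45) srcip=203.0.113.45 msg="Administrator admin login failed"
date=2026-01-10 time=23:14:17 type=event subtype=system action=login status=failed user=admin ui=https(203.0.113.45) srcip=203.0.113.45 msg="Administrator admin login failed"
date=2026-01-10 time=23:14:40 type=event subtype=system action=login status=success user=admin ui=https(203.0.113.45) srcip=203.0.113.45 msg="Administrator admin logged in successfully"
date=2026-01-11 time=02:30:00 type=event subtype=system action=login status=success user=fwadmin ui=ssh(198.51.100.9) srcip=198.51.100.9 msg="Administrator fwadmin logged in successfully"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside an allowlisted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_ALLOWLIST)


def review_admin_logins(log_text: str) -> list:
    """Return one finding per suspicious successful admin login."""
    failures = Counter()  # srcip -> failed attempts seen so far
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login":
            continue
        src, status = ev.get("srcip"), ev.get("status")
        if status == "failed":
            failures[src] += 1
            continue
        if status != "success":
            continue
        reasons = []
        if not is_trusted(src):
            reasons.append("untrusted source")
        if failures[src] >= FAILURE_THRESHOLD:
            reasons.append(f"success after {failures[src]} failed attempts")
        if reasons:
            findings.append({
                "when": f'{ev.get("date")} {ev.get("time")}',
                "user": ev.get("user"),
                "srcip": src,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_admin_logins(SAMPLE_LOGS):
        print(finding)
```

Any hit from this check is the trigger for the advisory's "assume compromise" step: rotate the admin credentials, check whether the management interface is reachable from the source network at all, and escalate to device replacement where the evidence warrants it.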
Source:
- https://www.linkedin.com/feed/update/urn:li:activity:7471222472193830913/
- https://www.linkedin.com/feed/update/urn:li:activity:7472221360279207936/
- https://www.infostealers.com/article/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosure/
- https://doublepulsar.com/fortibleed-75k-fortinet-firewalls-have-admin-passwords-cracked-60299faa65f8