FortiBleed Turns Hacked FortiGate Firewalls Into Credential Collectors
FortiBleed began as mass password guessing. Then it grew into an attack chain, where hijacked firewalls gathered fresh credentials for the next breach. A new timeline shows that the published FortiGate password database was only one part of the operation.
From Brute Force to a Self-Feeding Chain
In February, the attackers began scanning the internet at scale. They guessed passwords against RDWeb, Sophos and Citrix SSL VPN, open RDP services, and Microsoft SQL Server databases. Later, the operators switched to FortiGate. The first leak held data from nearly 74,000 Fortinet devices. The true scale of the credential harvest, however, ran much wider.
Not a New Vulnerability, Fortinet Says
Fortinet does not tie the campaign to a new vulnerability. The vendor believes the attackers reuse data from earlier incidents and guess weak passwords on devices without two-factor protection. Claims about old, unpatched bugs used to bypass authentication need more confirmation. In its current advisory, Fortinet names no specific CVE. You can read the vendor’s PSIRT analysis for its position.
Inside FortigateSniffer
After gaining admin rights, the operators connected to FortiGate over SSH. Then they ran FortigateSniffer, a tool written in Go. The tool abuses the built-in FortiOS packet-capture command that administrators use to troubleshoot network and authentication problems. As a result, the hijacked firewall itself became the interception point for the traffic passing through it.
Since May, FortigateSniffer has tracked data across 24 protocols. The list included Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, Microsoft SQL Server, MySQL, PostgreSQL, SMTP, IMAP, POP3, FTP, and Telnet. The script hunted for passwords, hashes, Kerberos tickets, NTLM data, tokens, and other login secrets.
Turning Traffic Into Cracked Passwords
A component called SNIFTRAN turned the captured traffic into PCAP files. Python tools then pulled cleartext credentials from the files, plus NTLM and Kerberos hashes for Hashcat. Passwords for SMTP, IMAP, POP3, MySQL, and RADIUS came through without any cracking, since those services often carry credentials in cleartext or with weak protection.
The hashes went to rented GPUs for password cracking. CloudSEK found six cloud instances with roughly 36 GPUs. Prodaft, meanwhile, studied the operators’ server infrastructure. Working passwords were tested inside breached networks. The operators used them to widen access and added them to a catalog for sale to other groups.
Who Is Behind It
Researchers link the operation to a Russian-speaking initial access broker. That kind of actor breaks into networks and resells the access. Unit 42 found an account named SantaAd on the Exploit forum. That account claimed the campaign and offered the data for sale. However, Unit 42 did not confirm a link between the account and FortiBleed. SOCRadar reports that part of the operators’ infrastructure was still running when the report went out.
What FortiGate Owners Should Do
FortiGate owners should act quickly. Change passwords right away. End active administrator and VPN sessions. Turn on two-factor protection. Review login logs carefully. Finally, close external access to the management panel. Together these steps invalidate the harvested credentials and remove the firewall-as-listener capability at the same time.
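The "review login logs carefully" step above is where the chain described earlier (password guessing, a successful admin login from the same source, then the packet-capture diagnostic run from that session) becomes visible. The script below is an added example, not code from the article or from Fortinet: it parses key=value event lines, flags sources whose failed admin logins are followed by a success, lists successful logins from sources outside an allowlist, and flags CLI audit entries that invoke the sniffer. The sample lines, the field names, the allowlist, and the assumption that the diagnostic shows up as the word "sniffer" in the audit message are all constructed for this example and only loosely modelled on FortiOS event logs; adapt them to what your own devices emit.

```python
"""Triage FortiGate admin event logs for the FortiBleed pattern:
password guessing, a successful login from the same source, and a
packet-capture diagnostic run in that session.

Added example, not code from the article or from Fortinet. The sample
log lines below are constructed and only loosely modelled on FortiOS
key=value event logs; field names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed allowlist of sources from which admin logins are expected.
KNOWN_ADMIN_SOURCES = {"198.51.100.7"}

# Constructed sample: one legitimate login, four failed guesses from
# 203.0.113.5 followed by a success, then a sniffer command from that
# session, then a single stray failure from another source.
SAMPLE_LOGS = """\
date=2025-05-03 time=09:55:00 type="event" subtype="system" user="jdoe" srcip=198.51.100.7 action="login" status="success" msg="Administrator jdoe logged in successfully"
date=2025-05-03 time=10:20:01 type="event" subtype="system" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"
date=2025-05-03 time=10:20:04 type="event" subtype="system" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"
date=2025-05-03 time=10:20:09 type="event" subtype="system" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"
date=2025-05-03 time=10:20:15 type="event" subtype="system" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"
date=2025-05-03 time=10:21:02 type="event" subtype="system" user="admin" srcip=203.0.113.5 action="login" status="success" msg="Administrator admin logged in successfully"
date=2025-05-03 time=10:23:40 type="event" subtype="system" user="admin" srcip=203.0.113.5 action="execute" msg="diagnose sniffer packet any"
date=2025-05-03 time=10:30:00 type="event" subtype="system" user="admin" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"
"""

# key=value where the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text):
    """Turn each non-empty line into a dict and attach a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
        ev["ts"] = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        events.append(ev)
    return events


def guessing_then_success(events, threshold=3, window_s=1800):
    """Sources with >= threshold failed logins followed by a success within window_s."""
    fails = defaultdict(list)
    hits = []
    for ev in events:  # assumes lines are in chronological order
        if ev.get("action") != "login":
            continue
        src = ev.get("srcip")
        if ev.get("status") == "failed":
            fails[src].append(ev["ts"])
        elif ev.get("status") == "success":
            recent = [t for t in fails[src] if 0 <= (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                hits.append({"srcip": src, "user": ev.get("user"),
                             "failures": len(recent), "ts": ev["ts"]})
    return hits


def logins_from_unknown_sources(events, known):
    """Successful admin logins from sources not on the allowlist."""
    return [ev for ev in events
            if ev.get("action") == "login" and ev.get("status") == "success"
            and ev.get("srcip") not in known]


def sniffer_commands(events):
    """CLI audit entries that invoke the packet sniffer.
    Matching on the word 'sniffer' is an assumption about the audit text."""
    return [ev for ev in events
            if ev.get("action") == "execute" and "sniffer" in ev.get("msg", "").lower()]


def triage(text, known_sources=KNOWN_ADMIN_SOURCES):
    """Run all three checks and return the findings grouped by check."""
    events = parse_events(text)
    return {
        "guessing_then_success": guessing_then_success(events),
        "unknown_source_logins": logins_from_unknown_sources(events, known_sources),
        "sniffer_commands": sniffer_commands(events),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOGS).items():
        print(f"{check}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f["ts"], f.get("srcip"), f.get("user"), f.get("failures") or f.get("msg"))
```

On the sample, the script reports one guessing-then-success source (203.0.113.5, four failures before the success), one successful login from an unlisted source (the same address), and one sniffer invocation by that admin session. A single success from an unknown source is worth a look on its own; a success preceded by a burst of failures and followed by a capture command is the sequence to treat as a confirmed compromise and to answer with the password, session and two-factor steps above.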