[TIMESTAMP: 2026-06-23 20:49 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

FortiBleed: 110 Million Credentials Harvested via FortiGate Firewalls

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] A Russian-speaking initial access broker harvested approximately 110 million credentials from more than 430,000 FortiGate firewalls worldwide, with financial gain as the motive.
  • [02] Affected systems are FortiGate firewalls whose management interfaces are reachable from the internet and are then hit with credential-stuffing and brute-force attempts.
  • [03] Organizations must enforce multi-factor authentication and restrict administrative access to trusted IP ranges immediately.

Automated exploitation of network perimeter devices has surged. According to The Hacker News, a Russian-speaking initial access broker (IAB) is running a large campaign dubbed “FortiBleed” that is estimated to have harvested approximately 110 million credentials by targeting more than 430,000 FortiGate firewalls worldwide since February 2026.

The threat actor's primary objective appears to be financial gain: selling the harvested credentials on underground forums, or selling direct access to the compromised corporate networks to ransomware affiliates.

Technical Analysis: Russian-Speaking Initial Access Broker Tactics

The FortiBleed campaign is notable for its scale and for the systematic way targets are identified and exploited. The actor's TTPs run in stages. Broad internet scanning first identifies FortiGate management interfaces exposed to the public internet; those interfaces are the campaign's entry point.

How to Detect FortiBleed Credential Harvesting

Once a target is identified, the operation moves to automated credential stuffing and brute-forcing, replaying large lists of previously leaked credentials against the management interface. Where a login succeeds, the actor deploys bespoke malware built to persist within FortiOS and extract further sensitive data.

To detect FortiBleed credential harvesting, monitor FortiGate administrative authentication logs in the SIEM or SOC platform for unusual patterns, especially activity from known malicious IP ranges or anonymization services. The key signal is a burst of failed admin logins followed by a single successful login from the same source, where that source is an unfamiliar geolocation or lies outside the organization's trusted management ranges.
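The detection logic described above, as an added example that is not code from the article or from Fortinet: it parses FortiOS-style key=value admin-login events, keeps a sliding window of failures per source address, and raises an alert when a success follows a burst of failures from a source outside the trusted management ranges. The log lines are constructed in the FortiOS event-log style, and the trusted ranges (`TRUSTED_NETS`), window and threshold are hypothetical values you would tune for your environment.

```python
"""Flag a burst of failed FortiGate admin logins followed by a successful
login from an untrusted source (the FortiBleed signal described above).
Added example; not code from the article or from Fortinet."""
import ipaddress
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical trusted management ranges (admin VLAN and VPN pool).
# A successful admin login from anywhere else is "unfamiliar".
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16"),
                ipaddress.ip_network("192.0.2.0/24")]
WINDOW = timedelta(minutes=5)   # how far back failures count
THRESHOLD = 5                   # failures in the window before a success alarms

# Constructed sample events in the FortiOS admin-login key=value style.
SAMPLE_LOGS = """\
date=2026-03-01 time=02:10:01 type="event" subtype="system" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:10:09 type="event" subtype="system" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:10:17 type="event" subtype="system" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:10:25 type="event" subtype="system" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:10:33 type="event" subtype="system" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:10:41 type="event" subtype="system" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=02:10:49 type="event" subtype="system" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="success" reason="none"
date=2026-03-01 time=09:00:00 type="event" subtype="system" user="ops" ui="ssh(10.10.5.2)" srcip=10.10.5.2 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=09:00:10 type="event" subtype="system" user="ops" ui="ssh(10.10.5.2)" srcip=10.10.5.2 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=09:00:20 type="event" subtype="system" user="ops" ui="ssh(10.10.5.2)" srcip=10.10.5.2 action="login" status="success" reason="none"
date=2026-03-01 time=11:00:00 type="event" subtype="system" user="admin" ui="https(198.51.100.9)" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=11:00:05 type="event" subtype="system" user="admin" ui="https(198.51.100.9)" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=11:00:10 type="event" subtype="system" user="admin" ui="https(198.51.100.9)" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
"""


def parse_line(line):
    """Split a key=value event line into a dict; shlex strips the quotes."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"],
                                     "%Y-%m-%d %H:%M:%S")
    return fields


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per success that follows >= threshold failures
    from the same untrusted source inside the window."""
    failures = defaultdict(deque)   # srcip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") != "login":
            continue
        src, ts = ev["srcip"], ev["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if ev.get("status") == "failed":
            recent.append(ts)
        elif ev.get("status") == "success":
            if len(recent) >= threshold and not is_trusted(src):
                alerts.append({"srcip": src, "user": ev.get("user"),
                               "failures": len(recent), "ts": ts})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print("ALERT: brute-force then success", alert)
```

On the constructed sample the trusted `ops` user (two failures, trusted range) and the source that never succeeds produce nothing; only the 203.0.113.7 sequence fires. In production, feed the function the event stream from your SIEM and treat `TRUSTED_NETS` as the management ranges you have actually whitelisted on the device.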

The use of bespoke malware suggests the IAB has deep knowledge of FortiGate internals. Such an implant is invisible to conventional EDR because it runs inside the appliance's firmware and FortiOS itself, where no endpoint agent can be installed; that is a blind spot for traditional security monitoring. Its persistence means the attacker keeps access even after administrative passwords are changed, so password rotation alone does not evict them: the implant must be eradicated, which in practice means verifying the device's integrity or reinstalling a known-good firmware image.

The Role of Initial Access Brokers in the Modern Threat Landscape

Initial access brokers are the middlemen of the cybercrime economy. They gain a foothold in a target organization by exploiting known vulnerabilities (CVEs) or by brute-forcing credentials, then sell that access to APT groups or ransomware operators who specialize in data exfiltration and extortion.

The 110 million credentials collected in this campaign form a large repository that could enable lateral movement across thousands of corporate networks. A compromised edge device such as a firewall is the perimeter boundary itself, so the attacker bypasses it entirely and can intercept traffic, redirect users to phishing pages, or establish command-and-control (C2) channels into the internal network.

FortiGate Firewall Security Best Practices and Recommendations

To mitigate the risks associated with FortiBleed, organizations must move beyond simple password-based authentication. The following steps are recommended to secure the perimeter:

  • Enforce Multi-Factor Authentication (MFA): Ensure MFA is mandatory for all administrative access to FortiGate devices. This is the most effective defense against brute-force and credential stuffing attacks.
  • Restrict Management Access: Never expose the management interface to the public internet. Remove HTTPS and SSH from the allowed access services on WAN-facing interfaces, restrict each admin account to trusted hosts, and confine remaining management traffic to a dedicated management VLAN or specific, trusted IP addresses using Local-In policies.
  • Regular Firmware Audits: Although this campaign relies on brute force, keeping FortiOS current closes known RCE and privilege-escalation vulnerabilities that would otherwise give attackers a way in without valid credentials.
  • Log Centralization: Integrate firewall logs with a SIEM to identify anomalies in administrative logins and unauthorized configuration changes.
  • Credential Rotation: Regularly rotate administrative credentials and never reuse the same passwords across multiple critical systems, so that one leak does not compromise the rest of the infrastructure. Rotation does not remove an implant already on the device, so pair it with an integrity check of the firmware.
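To make the management-access and MFA recommendations above concrete, here is an added example (not code from the article or from Fortinet) that audits a FortiOS CLI configuration backup for the weak settings those bullets target: management services reachable on a WAN-role interface, admin accounts with no trusted hosts, and admin accounts without two-factor authentication. Both configurations are constructed in the FortiOS CLI style; the addresses, account names and the FortiToken serial are placeholders, and the weak config sits beside the hardened one so the difference is visible.

```python
"""Audit a FortiOS CLI configuration for the weaknesses behind FortiBleed:
management on a WAN interface, admins without trusted hosts, admins
without two-factor.  Added example; not code from the article or Fortinet."""
import shlex

MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}


def parse_fortios(text):
    """Parse `config ... edit ... set ... next ... end` blocks into nested
    dicts, e.g. {"system admin": {"admin": {"accprofile": ["super_admin"]}}}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        kw = tok[0]
        if kw == "config":                 # open a table, keyed by its path
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif kw == "edit":                 # open an entry inside the table
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif kw in ("next", "end"):        # close entry / table
            stack.pop()
        elif kw == "set":
            stack[-1][tok[1]] = tok[2:]
        elif kw == "unset":
            stack[-1].pop(tok[1], None)
    return root


def audit(cfg):
    """Return a list of human-readable findings; empty means clean."""
    findings = []
    for name, intf in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(intf.get("allowaccess", []))
        if intf.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: {sorted(exposed)} reachable "
                            "on a WAN-role interface")
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(f"admin {name}: no trusted hosts, login accepted "
                            "from any source")
        if adm.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor authentication disabled")
    return findings


# Constructed weak config: HTTPS/SSH admin access on the WAN interface and a
# super_admin account with no trusted hosts and no two-factor.
WEAK_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Constructed hardened config: management only on the mgmt interface, the
# admin pinned to the management range and enrolled in FortiToken, and a
# local-in policy dropping any stray HTTPS/SSH that reaches wan1.
HARDENED_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping
        set role wan
    next
    edit "mgmt"
        set ip 10.10.1.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.0.0
        set two-factor fortitoken
        set fortitoken "FTKMOB00PLACEHOLDER"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios(text)) or ["clean"])
```

Run it against a `show full-configuration` export (or a config backup) and every finding maps directly to one of the recommendations above: `allowaccess` on a WAN-role interface, a missing `trusthostN`, or `two-factor` left at its default. The local-in policy in the hardened config is defence in depth; the primary control is not offering HTTPS or SSH on the WAN interface at all.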

The scale of 430,000 targeted firewalls shows this is a dragnet, not a surgical strike. Organizations that do not implement these measures are likely to end up in the IAB's inventory.
