FortiBleed: FortiGate Firewalls Used as Credential Stealers

The FortiBleed campaign represents a significant threat, leveraging compromised FortiGate firewalls to facilitate large-scale credential theft. Threat actors have engineered a sophisticated Golang-based sniffer, turning network security appliances into tools for data exfiltration. This ongoing global operation has reportedly targeted an estimated 430,000 FortiGate firewalls, leading to the identification of 110 million credentials. The implications for organizations relying on these firewalls for their perimeter defense are substantial, highlighting a critical compromise of trust in foundational security infrastructure. The details of this campaign were brought to light by Dark Reading.

Technical Analysis of the FortiBleed Campaign

The core of the FortiBleed operation involves a custom-developed sniffer written in Golang. This choice of programming language offers several advantages to threat actors, including cross-platform compatibility, ease of compilation into static binaries, and a relatively small footprint, making detection more challenging. Once deployed on a compromised FortiGate firewall, the sniffer monitors network traffic passing through the appliance.

How Attackers Exploit FortiGate Firewalls for Credential Theft

Firewalls, by their nature, sit at critical junctures in network traffic flow, granting them visibility into vast amounts of data, including authentication attempts and network logins. The Golang sniffer exploits this position, specifically designed to identify and extract sensitive authentication information, such as usernames and passwords, from intercepted traffic. This type of malware represents a significant evolution in attack methodology, as it repurposes a security device for malicious intent, effectively bypassing traditional perimeter defenses from within. The sheer scale, impacting hundreds of thousands of firewalls and exposing over a hundred million credentials, underscores the campaign’s global reach and the effectiveness of the threat actors’ TTPs.

The stolen credentials can be used for various nefarious purposes, including Lateral Movement within victim networks, accessing cloud services, or facilitating further attacks such as Ransomware deployment. The compromise of a firewall, a device meant to enforce security policies, provides attackers with a vantage point that can undermine an organization’s entire security posture.

Impact and Prioritization for Defenders

The FortiBleed campaign demands immediate attention from security professionals. The compromise of firewall devices not only exposes sensitive credentials but also indicates a deeper penetration into an organization’s network infrastructure. Attackers who control a firewall can manipulate traffic, create backdoors, or even launch further attacks with a high degree of stealth. This makes the FortiBleed campaign mitigation steps a top priority for security teams.

Organizations must consider the implications of widespread credential exposure. Even if multi-factor authentication (MFA) is in place, stolen credentials can be leveraged in sophisticated Phishing campaigns or to bypass MFA mechanisms if other vulnerabilities exist.

Actionable Recommendations and Mitigations

Defenders must adopt a proactive and multi-layered approach to address the threat posed by FortiBleed and similar campaigns.

• Audit FortiGate Configurations and Logs: Regularly review firewall configurations for unauthorized changes, suspicious rules, or unexplained processes. Analyze logs for unusual activity, outbound connections to unknown C2 infrastructure, or excessive login attempts. Implement robust SIEM correlation rules to identify potential indicators of compromise (IoCs).
• Strengthen Authentication Protocols:
  • Enforce strong, unique passwords across all systems, especially for administrative accounts and those managed by FortiGate devices.
  • Mandate multi-factor authentication (MFA) for all external and internal access to critical systems, including firewall management interfaces.
• Network Segmentation: Implement strict network segmentation to limit the blast radius of any potential compromise. This ensures that even if one segment is breached, lateral movement is significantly hindered.
• Regular Patching and Firmware Updates: Ensure all FortiGate devices are running the latest stable firmware versions. While the source does not specify a CVE, keeping systems patched reduces the attack surface for known vulnerabilities that might be used for initial access.
• Implement Zero Trust Principles: Adopt a Zero Trust architecture, continuously verifying every user and device, regardless of their location. Assume breach and enforce least privilege access.
• Enhanced Monitoring to Detect Golang Sniffer FortiGate Activity:
  • Deploy EDR solutions on any internal systems connected to or managed by FortiGate devices that can detect unusual process execution or file modifications.
  • Utilize network anomaly detection tools to spot unusual traffic patterns or data exfiltration from firewall interfaces.
  • Regularly scan FortiGate devices for unexpected binaries or persistent modules that could indicate the presence of a Golang sniffer.

The FortiBleed campaign serves as a stark reminder that even trusted security appliances can become targets. Vigilance, robust security practices, and continuous monitoring are essential to protect FortiGate firewalls from credential theft and against such sophisticated and widespread threats.