FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems

What Happened

A massive data leak called 'FortiBleed' has exposed the login details for over 73,000 Fortinet firewalls used by organizations worldwide. A Russian-speaking hacker group stole these credentials to break into corporate networks, affecting government, healthcare, and defense sectors. This is highly critical because attackers can use these valid logins to bypass security and steal sensitive internal data. Organizations using Fortinet firewalls should immediately change their passwords, enable multi-factor authentication, and check their systems for signs of unauthorized access.

Key Takeaways

• The 'FortiBleed' dataset contains valid administrative and SSL VPN credentials for over 73,000 FortiGate firewalls globally.
• Threat actors intercepted SSL VPN authentication hashes, likely via exported configuration files, and cracked them offline using a 45-GPU cluster.
• The campaign is attributed to a Russian-speaking threat group and has impacted critical infrastructure and a NATO defense contractor.
• Post-compromise activity includes Active Directory enumeration, password spraying, and SMB/DFS data collection for exfiltration.
• Billions of active credential attempts were also observed targeting FortiGate and MSSQL systems.

Affected Systems

• Fortinet FortiGate firewalls
• FortiOS
• Microsoft SQL Server (MSSQL)
• Active Directory

Attack Chain

Threat actors conducted billions of credential attempts against FortiGate and MSSQL systems while also intercepting SSL VPN authentication hashes, likely by exporting FortiGate configuration files. They utilized a 45-GPU cluster managed by Hashtopolis to crack the intercepted hashes offline and recover plaintext credentials. Using these valid credentials, the attackers accessed target networks and executed Python and shell scripts for Active Directory enumeration, password spraying, and SMB/DFS data collection. Finally, the attackers cleared logs to remove evidence of their intrusion and staged the collected data for exfiltration.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules, but notes that Recorded Future customers receive automated credential alerts if their domains are exposed in the dataset.

Detection Engineering Assessment

EDR Visibility: Medium — EDR solutions can detect the post-compromise execution of Python-based AD enumeration and SMB collection scripts, but will not have visibility into the offline hash cracking or initial VPN access. Network Visibility: High — Network telemetry is crucial for identifying the massive volume of credential stuffing attempts against FortiGate and MSSQL, as well as anomalous SMB/DFS traffic during data collection. Detection Difficulty: Hard — The initial access relies on valid credentials obtained through offline cracking, which leaves no logs on the target system and blends in with legitimate remote access traffic.

Required Log Sources

• VPN Authentication Logs
• Firewall Management Logs
• Active Directory Security Logs (Event ID 4624, 4625)
• SMB/Share Access Logs

Hunting Hypotheses

Control Gaps

• Lack of Multi-Factor Authentication (MFA) on VPN and management interfaces
• Internet-exposed firewall management interfaces

Key Behavioral Indicators

• Execution of scripts matching patterns like spray_.sh or spray_.py
• Presence of log-clearing markers following extensive Active Directory enumeration

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Rotate all FortiGate administrative and SSL VPN credentials immediately.
• Review Fortinet logs for unusual logins, admin sessions, configuration changes, and new account creations.
• Consider replacing or isolating devices that exhibit suspicious activity or unauthorized configuration exports.

Infrastructure Hardening

• Restrict or completely remove internet exposure for firewall management interfaces.
• Enforce multi-factor authentication (MFA) on all remote and administrative access points.
• Ensure FortiOS is patched to the latest stable version and review device hardening settings.

User Protection

• Monitor Active Directory for signs of password spraying or unauthorized enumeration.

Security Awareness

• Educate administrators on the severe risks associated with exposing management interfaces to the public internet.

MITRE ATT&CK Mapping

• T1110.001 - Brute Force: Password Guessing
• T1110.002 - Brute Force: Password Cracking
• T1110.003 - Brute Force: Password Spraying
• T1552.001 - Unsecured Credentials: Credentials In Files
• T1078 - Valid Accounts
• T1087.002 - Account Discovery: Domain Account
• T1039 - Data from Network Shared Drive
• T1070 - Indicator Removal

Additional IOCs

• Other:
  • fg_capture.log - Sniffer log associated with Fortinet credential capture found on attacker infrastructure.
  • bot.py - Cracking orchestration file tied to Telegram-coordinated tasking.
  • hashpanel.log - Log file associated with hash cracking orchestration.
  • setup_hashcat.sh - Shell script used to set up Hashcat for offline password cracking.
  • setup_hashtopolis.sh - Shell script used to set up Hashtopolis for distributed password cracking.
  • ad_enum.py - Python script used for Active Directory and LDAP enumeration.
  • ad_full_audit.py - Python script used for comprehensive Active Directory enumeration.
  • spray_results.txt - Text file containing the results of password spraying attacks.
  • backup_dfs.py - Python script used for SMB/DFS collection and staged exfiltration.
  • backup_dfs2.py - Python script used for SMB/DFS collection and staged exfiltration.
  • spider.py - Python script used for crawling and collecting data from SMB shares.
  • smb_test.py - Python script used to test access to SMB shares.