Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory
FortiBleed is a severe, large-scale credential compromise campaign targeting internet-facing Fortinet FortiGate devices. Threat actors utilize a sophisticated pipeline, including the custom CyberStrike Harvester, to extract and crack credentials from device configurations and traffic captures, subsequently pivoting into internal networks for Active Directory enumeration and data exfiltration.
- ip193[.]8[.]187[.]42SSH exfiltration and staging server used to stream DFS/SMB collection.
- ip85[.]11[.]187[.]8Hashtopolis API endpoint and login panel used for distributed password cracking.
- md57f74bb6ba185978134c318bc5f91d23charvest_orig - CyberStrike Harvester v1.5
- sha2562758f4d71a2a2dfdefab81737c2d776b2a3dafe5844fdd2157e089a28447ca98harvest_orig - CyberStrike Harvester v1.5 Linux ELF binary used to extract credentials from captures.
- sha25638353f95fff270f4e3a9d7add8c64666020dd668ce66e15969a736ec48cadc59ad_enum.py - LDAP enumeration tooling
- sha2564253dd1a4c0867b0be7732f75b2f630cebfb7fed94270e15fb3b12ae40546d01backup_dfs.py - SMB/DFS triage collection
- sha256479ae5fd7274439ddfa27bc03298ebfdfc5ff17f6412acccf74d4dbd90d94218bot.py - Telegram Hashcat bot used for operator-side cracking orchestration.
- sha256874bcb1c3d050a5b5b333a2198f504fcb27927c2abdd43b07440188a380c52d5ad_full_audit.py - LDAP/AD audit tooling
- sha2569eaa577c8ba71646928c1c34c3145536b0498f65f26060a6ba00744bcef57644backup_dfs2.py - SMB/DFS full and incremental collection script.
- urlhxxp://85[.]11[.]187[.]8:8443/Hashtopolis login panel URL.
Detection / HunterGoogle
What Happened
A massive cyberattack campaign named FortiBleed is targeting Fortinet firewall and VPN devices worldwide. The attackers are stealing configuration files and network traffic to harvest and crack passwords, which they then use to break into internal company networks and steal data. This is a severe threat to any organization using exposed Fortinet devices. To protect themselves, organizations should immediately reset all administrative and VPN passwords, terminate active sessions, and enforce multi-factor authentication.
Key Takeaways
- FortiBleed is a massive credential compromise campaign targeting internet-facing Fortinet FortiGate devices globally.
- The campaign relies on a credential pipeline rather than traditional malware, utilizing credential stuffing, configuration harvesting, and offline cracking.
- Threat actors use a custom tool called CyberStrike Harvester v1.5 to extract credentials, hashes, and session tokens from network captures and FortiGate text files.
- Cracked credentials are used to pivot into internal networks via SSL VPNs, leading to AD enumeration, SMB spidering, and DFS exfiltration.
- Remediation requires full credential resets, session invalidation, and structural changes to password policies, not just patching.
Affected Systems
- Fortinet FortiGate firewalls
- Fortinet SSL VPN gateways
- FortiOS 7.6.x
- FortiOS 7.4.x
- FortiOS 7.2.x
- Active Directory
- SMB/DFS shares
Attack Chain
Threat actors gain initial access to FortiGate devices via credential stuffing and password spraying. They export device configurations and capture network traffic, which is processed offline by CyberStrike Harvester to extract hashes and session tokens. These hashes are cracked using a distributed GPU cluster managed via Telegram and Hashtopolis. Validated credentials are then used to pivot back into the victim's internal network via SSL VPN, where the attackers perform Active Directory enumeration, SMB share spidering, and exfiltrate sensitive data over SSH.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Arctic Wolf
A YARA rule is provided by Arctic Wolf to detect the CyberStrike Harvester v1.5 Linux ELF binary.
Detection Engineering Assessment
EDR Visibility: Medium — EDR on the FortiGate appliance itself is non-existent, but EDR on internal endpoints can detect the post-exploitation LDAP enumeration, SMB spidering, and SSH exfiltration originating from VPN IP pools. Network Visibility: High — The attack relies heavily on network-based actions: SSL VPN authentications, LDAP queries, Kerberos ticket requests, SMB share access, and outbound SSH streams. Detection Difficulty: Moderate — Initial access uses valid credentials, making it hard to distinguish from legitimate logins without behavioral analytics (e.g., impossible travel, unusual VPN source IPs). Post-exploitation activity is noisy but originates from trusted VPN pools.
Required Log Sources
- VPN Authentication Logs
- Active Directory Security Logs
- SMB Access Logs
- Network Flow Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Attackers are using compromised VPN credentials to perform LDAP enumeration for privileged accounts. | Active Directory Security Logs, Network Flow Logs | Discovery | Medium |
| Attackers are exfiltrating data via SSH from internal servers to external IPs. | Network Flow Logs | Exfiltration | Low |
| Attackers are spidering SMB shares for sensitive files originating from VPN IP pools. | SMB Access Logs, EDR File Read events | Collection | Medium |
Control Gaps
- Lack of MFA on VPN/Admin interfaces
- Inadequate monitoring of VPN IP pool traffic
- Legacy password hashes retained in FortiOS configurations
Key Behavioral Indicators
- LDAP queries for DONT_REQ_PREAUTH or SPN-bearing accounts originating from VPN IP pools
- Bulk recursive reads of SMB shares from VPN IP pools
- Outbound SSH connections from internal file servers to unknown external IPs
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider terminating all active SSL VPN and administrative sessions immediately.
- Evaluate resetting all administrative and VPN credentials, forcing re-authentication to invalidate legacy exported password material.
Infrastructure Hardening
- Consider enabling phishing-resistant MFA on all administrative and SSL VPN accounts.
- Evaluate restricting management interface access to a dedicated jump host on a management VLAN.
- If using FortiOS, consider enabling the 'login-lockout-upon-weaker-encryption' or 'login-lockout-upon-downgrade' settings in the system password policy to strip legacy hashes.
User Protection
- Consider removing or renaming generic and default administrative accounts.
- Evaluate auditing FortiGate configuration export events and treating downloaded configuration files as sensitive credential material.
Security Awareness
- Consider training administrators on the risks of configuration file exposure and the importance of secure credential management.
MITRE ATT&CK Mapping
- T1078 - Valid Accounts
- T1133 - External Remote Services
- T1110.004 - Credential Stuffing
- T1110.003 - Password Spraying
- T1602.002 - Network Device Configuration Dump
- T1040 - Network Sniffing
- T1539 - Steal Web Session Cookie
- T1552 - Unsecured Credentials
- T1552.001 - Credentials in Files
- T1558.003 - Kerberoasting
- T1558.004 - AS-REP Roasting
- T1087.002 - Domain Account Discovery
- T1069.002 - Domain Groups Discovery
- T1135 - Network Share Discovery
- T1018 - Remote System Discovery
- T1046 - Network Service Discovery
- T1021.002 - SMB/Windows Admin Shares
- T1039 - Data from Network Shared Drive
- T1119 - Automated Collection
- T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
- T1020 - Automated Exfiltration
- T1102.002 - Web Service: Bidirectional Communication
Additional IOCs
- Urls:
hxxp://85[.]11[.]187[.]8:8443/- Hashtopolis login panel URL.
- File Hashes:
7f74bb6ba185978134c318bc5f91d23c(MD5) - harvest_orig - CyberStrike Harvester v1.5874bcb1c3d050a5b5b333a2198f504fcb27927c2abdd43b07440188a380c52d5(SHA256) - ad_full_audit.py - LDAP/AD audit tooling38353f95fff270f4e3a9d7add8c64666020dd668ce66e15969a736ec48cadc59(SHA256) - ad_enum.py - LDAP enumeration tooling4253dd1a4c0867b0be7732f75b2f630cebfb7fed94270e15fb3b12ae40546d01(SHA256) - backup_dfs.py - SMB/DFS triage collection
- File Paths:
/root/sniff/PANEL/- Operator sniffer/capture results path./root/sniff/base/results_EU/- Operator sniffer/capture results path./root/FORTIGATE/- Credential-cleaning and cracking output path./root/HASHCAT_pro/- Credential-cleaning and cracking output path./root/hashcat-ultimate/- Credential-cleaning and cracking output path.
- Command Lines:
- Purpose: Stream collected SMB/DFS files over SSH to a remote staging server for exfiltration. | Tools:
sshpass,ssh,cat| Stage: Exfiltration
- Purpose: Stream collected SMB/DFS files over SSH to a remote staging server for exfiltration. | Tools: