FortiBleed – New SOCRadar In-Depth Technical Analysis Published
After several days spent reverse-engineering the attacker’s environment, the SOCRadar research team has published a new, in-depth technical analysis on the FortiBleed campaign, including the attacker’s infrastructure, tooling, and methods.
Summary:
FortiBleed is a large-scale, still-active credential-harvesting campaign targeting internet-facing Fortinet FortiGate firewalls — hundreds of thousands of devices in scope worldwide. It is important to state plainly what it is not: this is not a zero-day or a newly disclosed software vulnerability. It is a credential and access operation. Attackers compromise exposed firewalls, harvest the authentication traffic and credentials passing through them, crack what they capture, and sell that access on. The actor fits the profile of a financially-motivated initial access broker — the kind whose intrusions become the front end of someone else’s ransomware or data-extortion event.
Why it matters — and the number to focus on. At the time of writing, more than 19,000 FortiGate devices were still being actively sniffed by the attackers — part of a broader 80,553 identified targets. That present tense is the point: this is not a historical data dump to clean up after, but a live operation, running since at least February 2026, quietly capturing authentication traffic as users log in each day. Because the firewall sits at the network edge, a compromise there can expose an organization’s entire identity layer — and the campaign reaches deep into supply chains, since MSPs and IT-services firms that manage Fortinet devices for others are squarely in the targeting.
What’s new in this report:
- A custom Golang tool (“FortigateSniffer”) that abuses a legitimate FortiOS diagnostic command to passively capture authentication traffic from a compromised firewall — leaving no malware behind and largely evading traditional detection.
- Targeting beyond Fortinet. The attacker’s own infrastructure contained reconnaissance/target lists for other edge platforms — a 29,270-entry Citrix login-URL list and roughly 247,584 Sophos SSL-VPN portals — showing the operation’s scanning was multi-vendor, not Fortinet-exclusive. (To be precise: these are targeting artifacts; we did not find captured credentials for the Citrix or Sophos tracks, so we characterize them as in-scope for reconnaissance rather than confirmed compromise.)
- Attacker infrastructure far larger than the single exposed server first reported — 150+ servers — plus the operators’ use of rented GPU compute and agentic tooling.
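The sniffer described above leaves no malware behind, so the place to look is the firewall's own audit trail. Below is an added detection example (not SOCRadar's code and not the attacker's tool) that runs over constructed FortiOS-style event log lines and flags invocations of the built-in packet-capture diagnostic; it assumes the abused command is `diagnose sniffer packet`, that CLI commands are logged in the key=value shape shown, and a hypothetical management allowlist of 10.0.0.0/24.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample lines modelled on FortiOS key=value event logs; the exact
# wording of CLI audit messages is an assumption, not a real capture.
SAMPLE_LOGS = [
    'date=2026-06-20 time=09:14:02 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="success" msg="Administrator admin logged in successfully from ssh(203.0.113.5)"',
    'date=2026-06-20 time=09:14:30 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" msg="User admin executed diagnose sniffer packet any \'port 389 or port 636\' 6 0"',
    'date=2026-06-20 time=10:02:11 type="event" subtype="system" user="netops" ui="ssh(10.0.0.7)" msg="User netops executed diagnose sniffer packet port1 \'icmp\' 4 10"',
    'date=2026-06-20 time=10:05:00 type="event" subtype="system" user="netops" ui="https(10.0.0.7)" msg="User netops executed get system status"',
]

MGMT_NETS = [ip_network("10.0.0.0/24")]   # assumed management allowlist
AUTH_PORTS = {"88", "389", "636", "1812"}  # Kerberos, LDAP, LDAPS, RADIUS

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SRC_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')


def parse_line(line: str) -> Dict[str, str]:
    """Split a FortiOS-style key=value log line into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def sniffer_findings(fields: Dict[str, str]) -> List[str]:
    """Return reasons to alert on one event; [] if it is benign or not a sniffer run."""
    msg = fields.get("msg", "")
    if "diagnose sniffer packet" not in msg:
        return []
    reasons = []
    m = SRC_RE.search(fields.get("ui", ""))
    if not m or not any(ip_address(m.group(1)) in n for n in MGMT_NETS):
        reasons.append("sniffer started from non-management source")
    if re.search(r"\s0\s*$", msg):  # trailing packet count 0 = capture until stopped
        reasons.append("unbounded packet count")
    if any(f"port {p}" in msg for p in AUTH_PORTS):
        reasons.append("filter targets authentication ports")
    return reasons


def hunt(lines: List[str]) -> List[dict]:
    """Run the checks over a batch of log lines and return the suspicious events."""
    hits = []
    for line in lines:
        f = parse_line(line)
        reasons = sniffer_findings(f)
        if reasons:
            hits.append({"user": f.get("user"), "ui": f.get("ui"), "reasons": reasons})
    return hits
```

A legitimate, bounded capture from the management network (the `netops` line) produces no finding, so the check alerts on the pattern of abuse rather than on every use of the diagnostic.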
What goes deeper: The report maps the full attack chain end to end — reconnaissance, initial access, credential cracking, lateral movement into Active Directory, and exfiltration — with indicators of compromise, file hashes, a MITRE ATT&CK mapping, and the attribution clues pointing to a Russian-speaking access broker.
What it corroborates: Several findings independently align with other published research, which we think is worth noting rather than glossing over: the Sophos figure (~247,584) matches what others observed, as do the scale of the MSSQL brute-forcing and the confirmed deep intrusion at a defense contractor. Where the picture is still uncertain (full attribution, for instance), the report says so.
To view the full report, see “Dismantling FortiBleed: Inside a Russian Fortinet Compromise Operation”.
This entry was posted on June 22, 2026 at 12:45 pm and is filed under Commentary with tags FortiBleed. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.