Ravie Lakshmanan | Jun 23, 2026 | Initial Access Broker / Firewall Security

A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally.

The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls.

“Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices,” SOCRadar said [PDF] in a new report. “The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.”

Central to the operation is a Golang-based tool called FortigateSniffer that abuses the built-in FortiOS diagnostic command `diagnose sniffer packet` to passively capture authentication traffic on the compromised appliances. Because the command is a legitimate administrative feature rather than an exploit, it runs with whatever access the actor already obtained (typically an admin account brute-forced earlier in the chain) and leaves no malware binary to detect on the device itself. The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract the credentials.
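To make concrete what “cleartext credentials from traffic passing through the device” means for one of the protocols the report highlights, the following is an added example (not code from SOCRadar's report or from the FortigateSniffer tool) showing why RADIUS PAP authentication is recoverable by anyone who holds both the captured packet and the shared secret. A FortiGate acting as a RADIUS client necessarily stores that secret in its configuration, so an actor with admin access to the firewall has everything needed. The packet builder, the shared secret `testing123`, the username `jdoe` and the password `Winter2026!` are all constructed sample data for the demonstration; the decode logic is the User-Password scheme defined in RFC 2865 section 5.2.

```python
import hashlib
import os
import struct

# RADIUS constants from RFC 2865
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def obfuscate_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS-side User-Password hiding (RFC 2865 sec. 5.2).

    The password is null-padded to a multiple of 16 bytes, then each block is
    XORed with MD5(secret + previous block), seeded with the Request
    Authenticator. This is a keystream derived from a shared secret, not
    encryption in any modern sense: whoever has the secret reverses it.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def recover_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obfuscate_user_password: what a sniffer with the secret does."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        chunk = cipher[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ b for c, b in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         ident: int = 42, authenticator: bytes = None) -> bytes:
    """Construct a minimal PAP Access-Request as a NAS would send it (sample data only)."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = obfuscate_user_password(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius(packet: bytes) -> dict:
    """Parse the RADIUS header and TLV attributes, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def extract_pap_credential(packet: bytes, secret: bytes):
    """Return (username, password) from a captured PAP Access-Request, or None."""
    msg = parse_radius(packet)
    if msg["code"] != RADIUS_ACCESS_REQUEST or ATTR_USER_PASSWORD not in msg["attrs"]:
        return None
    user = msg["attrs"].get(ATTR_USER_NAME, b"")
    password = recover_user_password(msg["attrs"][ATTR_USER_PASSWORD], secret, msg["authenticator"])
    return user.decode(errors="replace"), password.decode(errors="replace")


if __name__ == "__main__":
    secret = b"testing123"                       # constructed shared secret
    pkt = build_access_request(b"jdoe", b"Winter2026!", secret)   # constructed sample packet
    print(extract_pap_credential(pkt, secret))   # ('jdoe', 'Winter2026!')
    print(extract_pap_credential(pkt, b"wrong")) # garbage: the secret is the only protection
```

The practical lesson is the one the report's numbers (14.8 million RADIUS credentials) point at: RADIUS PAP over plain UDP, or any other cleartext authentication method, should not transit a device that a remote attacker can administer. Moving to RadSec (RADIUS over TLS) or EAP-based methods, and keeping management interfaces off the internet, removes the capture opportunity rather than relying on the shared secret.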

It’s suspected that the threat actors may have sought the help of an open-source, AI-native offensive security platform dubbed CyberStrike to assist with some “parts of the workflow.” Interestingly, another open-source framework called CyberStrikeAI was put to use in connection with another automated mass scanning campaign targeting FortiGate devices that Amazon Threat Intelligence exposed earlier this year. 

“The campaign shows a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees,” SOCRadar explained. “The actor targets multiple sectors and regions, with notable emphasis on the United States and India. The IT services sector appears to be a key target. This targeting choice likely helps the actor maximize downstream access, as compromised service providers can create access paths into customer environments.”

Perhaps the most interesting finding is that FortiBleed appears to be part of a broader, multi-vendor initial access operation that’s orchestrated to not only target Fortinet devices, but also breach Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers using automated brute-forcing since February 28, 2026.

In all, the attackers are estimated to have launched no fewer than 659 credential-harvesting pipelines on May 31 and June 15, 2026, resulting in the identification of over 110 million credentials. This included –

  • 14.8 million Remote Authentication Dial-In User Service (RADIUS) credentials
  • 924,000 NTLM hashes
  • 130,000 Kerberos hashes
  • 89 million MySQL authentication tokens

The FortiBleed campaign takes place over five stages –

  • Perform widespread reconnaissance using tools like Masscan and Shodan to identify vulnerable internet-facing FortiGate firewalls, followed by using a custom utility dubbed FortiProbe-fast and GeoSplit to filter…



Last Update: June 23, 2026