FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

Staff Editor 2026-06-23
FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html

Publish Date: 2026-06-23 14:20:00

Source Domain: thehackernews.com

Ravie LakshmananJun 23, 2026Initial Access Broker / Firewall Security

A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally.

The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls.

“Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices,” SOCRadar said [PDF] in a fresh report. “The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.”

Central to the operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command -diagnose sniffer packet to passively capture authentication traffic from the infected appliances. The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract the credentials.

It’s suspected that the threat actors may have sought the help of an open-source, AI-native offensive security platform dubbed CyberStrike to assist with some “parts of the workflow.” Interestingly, another open-source framework called CyberStrikeAI was put to use in connection with another automated mass scanning campaign targeting FortiGate devices that Amazon Threat Intelligence exposed earlier this year. 

“The campaign shows a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees,” the SOCRadar explained. “The actor targets multiple sectors and regions, with notable emphasis on the United States and India. The IT services sector appears to be a key target. This targeting choice likely helps the actor maximize downstream access, as compromised service providers can create access paths into customer…

Source

More Stories

White House PQC order ‘lights a fire’ under post-quantum transition

White House PQC order ‘lights a fire’ under post-quantum transition

Staff Editor 2026-06-23
House passes Rep. Bresnahan’s cybersecurity legislation

House passes Rep. Bresnahan’s cybersecurity legislation

Staff Editor 2026-06-23
How AI Is Changing Cybercrime And Cybersecurity

How AI Is Changing Cybercrime And Cybersecurity

Staff Editor 2026-06-23

Terms and Conditions - Privacy Policy