{"id":279872,"date":"2026-06-23T14:20:00","date_gmt":"2026-06-23T18:20:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/23\/fortibleed-targeted-fortigate-firewalls-in-110-million-credential-harvesting-operation\/"},"modified":"2026-06-23T16:40:10","modified_gmt":"2026-06-23T20:40:10","slug":"fortibleed-targeted-fortigate-firewalls-in-110-million-credential-harvesting-operation","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/23\/fortibleed-targeted-fortigate-firewalls-in-110-million-credential-harvesting-operation\/","title":{"rendered":"FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/fortibleed-targeted-fortigate-firewalls.html\">FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/fortibleed-targeted-fortigate-firewalls.html\">https:\/\/thehackernews.com\/2026\/06\/fortibleed-targeted-fortigate-firewalls.html<\/a><\/p>\n<p>Publish Date: 2026-06-23 14:20:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Jun 23, 2026<\/span><\/span> <span class=\"p-tags\">Initial Access Broker \/ Firewall Security<\/span><\/p>\n<p>A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally.<\/p>\n<p>The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls.<\/p>\n<p>&#8220;Once deployed, these sniffers capture cleartext and hashed 
credentials from traffic passing through compromised devices,&#8221; SOCRadar said in a fresh report. &#8220;The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.&#8221;<\/p>\n<p>Central to the operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command <code>diagnose sniffer packet<\/code> to passively capture authentication traffic from the infected appliances. The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract the credentials.<\/p>\n<p>It&#8217;s suspected that the threat actors may have sought the help of an open-source, AI-native offensive security platform dubbed CyberStrike to assist with some &#8220;parts of the workflow.&#8221; Interestingly, another open-source framework called CyberStrikeAI was put to use in connection with another automated mass scanning campaign targeting FortiGate devices that Amazon Threat Intelligence exposed earlier this year.<\/p>\n<p>&#8220;The campaign shows a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees,&#8221; SOCRadar explained. &#8220;The actor targets multiple sectors and regions, with notable emphasis on the United States and India. The IT services sector appears to be a key target. 
This targeting choice likely helps the actor maximize downstream access, as compromised service providers can create access paths into customer&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/fortibleed-targeted-fortigate-firewalls.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation https:\/\/thehackernews.com\/2026\/06\/fortibleed-targeted-fortigate-firewalls.html Publish Date: 2026-06-23 14:20:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":279874,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhJkhDD5qINhfAhBFXG2C13raQF6T6zAOmnHlArhnLUP5z0ifBzpyq6M_4n11cgynQfZW0mxJWnYU-TDYSpKQHYFHvXsZHCB7uoMFg0w02yZILY-JLMm2-uqm-CA_wIqZHhzl25FfO_lMd7dYm6VfprDP83bz_SoB3MWLEc059E4YCa554bba-qWHW5udHv\/s1600\/fortigate.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26],"class_list":["post-279872","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279872"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=279872"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279872\/revisions"}],"predecessor-version":[{"id":279876,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279872\/revisions\/279876"}],"wp:featuredmedia":[{"e
mbeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/279874"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=279872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=279872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=279872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}