A massive credential-harvesting campaign targeting FortiGate firewalls has exposed thousands of organizations to potential network compromise, and a trove of attacker tools, scripts, and credentials left inadvertently exposed on a server has given researchers an unusually detailed look at how the operation worked.
Analysts from ZenoX and CloudSEK have pieced together the full attack chain from the FortiBleed leak, revealing a sophisticated, highly automated pipeline that in some cases achieved full domain-level control of victim networks.
The attackers’ modus operandi
The attackers scanned the internet for FortiGate firewalls and SSL VPN gateways with exposed management interfaces, and logged in with previously compromised credentials (from previous Fortinet leaks and infostealer logs) or by brute-forcing them.
They intercepted live authentication traffic passing through the compromised firewall to extract credentials from 24 different protocols, then rented GPU capacity on demand from Vast.ai and orchestrated the cracking of password hashes through a distributed hash-cracking framework, controlled via a Telegram bot. The same bot and GPU pool were used to crack Active Directory and Kerberos hashes for specific corporate targets.
They also added their own administrator accounts on thousands of devices, with names designed not to raise suspicion: forticloud-sync, forticloud-tech, support_fortinet, Technical_support, etc.
From inside the network, they pivoted using OpenFortiVPN client configurations and a toolkit built around the Impacket Python library, which allowed them to originate traffic through the compromised VPN tunnel as if they were a legitimate internal host.
They used an automated script to perform full Active Directory audits and password spraying tools to test cracked credentials across SMB shares, as well as a file-spider script that walked network shares recursively, opening scripts and configuration files in search of embedded passwords.
Throughout the operation, the attackers used CyberStrike, a legitimate open-source penetration testing AI agent, to automate reconnaissance, interaction with FortiGate management panels, vulnerability scanning, and OSINT enrichment.
How to check whether you’ve been affected
The scale and sophistication of the operation are notable, but the immediate question for most organizations is simpler: are we in the dataset?
SOCRadar and Hudson Rock have made available two free FortiBleed Checkers, to allow organizations to query their domains against the FortiBleed dataset.
There’s also a list of IP addresses associated with devices with known credentials and configuration dumps, courtesy of security researcher Kevin Beaumont.
If your organization is on one of the lists, Beaumont’s advice is to disconnect the devices from the internet and rebuild them from scratch (i.e., do a factory reset and reconfigure them from a clean baseline).
If that’s not an option, he advises:
- Removing ALL admin accounts and creating new ones, with multi-factor authentication enabled
- Updating the device to the latest available firmware
- Inspecting the devices for changes made by the attackers (e.g., changed firewall rules) and looking for indicators of compromise in the logs
- Rotating IPsec site-to-site VPN tunnel keys or certificates AT BOTH ENDS
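As an added example (not from the article or from any of the researchers or vendors it names), the following Python script parses a constructed FortiOS "config system admin" export and flags admin accounts that match the account names reported above, are missing from an expected inventory, or carry no trusthost restriction. The flat config/edit/set/next/end layout and every account name other than the reported ones are assumptions.

```python
# Admin account names the article reports the campaign created on compromised devices.
SUSPICIOUS_ADMIN_NAMES = {"forticloud-sync", "forticloud-tech", "support_fortinet", "technical_support"}
# Constructed FortiOS config sample; the config/edit/set/next/end layout is assumed to mirror a real export.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.20.0.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
    next
    edit "backup-ro"
        set accprofile "prof_admin"
    next
end
"""

def parse_admin_accounts(config_text):
    """Return {name: {"accprofile": str|None, "trusthosts": [str]}} from the admin section."""
    accounts, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == "end":
            break  # end of the admin section; the rest of the export is irrelevant here
        elif in_block and line.startswith("edit "):
            current = line[5:].strip('"')
            accounts[current] = {"accprofile": None, "trusthosts": []}
        elif in_block and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            if key == "accprofile":
                accounts[current]["accprofile"] = value.strip('"')
            elif key.startswith("trusthost"):  # trusthost1..trusthost10
                accounts[current]["trusthosts"].append(value)
    return accounts

def flag_admin_accounts(config_text, expected_admins):
    """Flag admins that are unexpected, use a reported attacker name, or lack a trusthost."""
    findings = []
    for name, info in parse_admin_accounts(config_text).items():
        reasons = []
        if name.lower() in SUSPICIOUS_ADMIN_NAMES:
            reasons.append("name matches an account name reported in the campaign")
        if name not in expected_admins:
            reasons.append("not in the expected admin inventory")
        if not info["trusthosts"]:
            reasons.append("no trusthost restriction (login allowed from any source address)")
        if reasons:
            findings.append((name, info["accprofile"], reasons))
    return findings
```

Run it against a real backup with your own inventory in place of the constructed one; a hit on a name-match or an unexpected account is a reason to treat the device as compromised rather than just to delete the account.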
Fortinet also advises checking for signs of lateral movement (new VPN users, unexpected password resets, or VPN from unexpected locations) and, if the device uses Active Directory or LDAP authentication, treating that account as compromised.
“Monitor your AD for its use for authentication elsewhere or the creation of additional accounts and monitor your network for lateral movement,” the company said.
What all Fortinet operators should do right now
Even organizations that don’t appear in the dataset should treat this as an opportunity to harden their FortiGate posture.
At a minimum, they should:
- Take management interfaces off the public internet, and restrict access to them to trusted internal networks
- Enable phishing-resistant MFA on all VPN and device management logins
- Rotate all FortiGate admin and SSL VPN credentials, even if the organization does not appear in the dataset (as it may be incomplete)
- Remove or disable unnecessary accounts, including default or generic administrator accounts
- Update to the latest FortiOS version and force all administrators to re-authenticate afterward, so that credentials are stored more securely
- Audit Active Directory for unauthorized accounts, new service accounts, and privilege escalation events. (Beaumont’s investigation found direct evidence of access to internal Active Directory environments at a significant number of affected organizations, consistent with ransomware pre-positioning.)