FortiBleed: Global Credential-Spraying Operation Uncovered Across Multiple Platforms
- Jun 21
- 2 min read
Key Findings
Multi-operator crew conducted industrial-scale credential-spraying campaign against Fortinet FortiGate SSL VPN devices across 207 countries
Campaign generated 1.16 billion login combinations against 320,777 FortiGate endpoints and 2.1 billion attempts against 163,650 MSSQL servers
Operators used custom tools running up to 50,000 threads and a 45-way NVIDIA RTX 4090 GPU cluster for password cracking
At least four organizations fully compromised, including a Turkish defense contractor with NATO ties
88% of exposed organizations already appeared in stealer logs or breach databases, suggesting repeated attacker access
Background
The discovery came in June 2026 when researcher Volodymyr Diachenko of SecurityDiscovery.com found the attackers' own infrastructure exposed on the open internet. This wasn't a sophisticated targeted operation but rather a systematic factory-scale attack with multiple operators working in coordinated shifts. The campaign targeted 73,932 exposed FortiGate devices spanning 21,613 organizations, with the densest concentrations in India and Latin American telecoms.
The Attack Methodology
The crew scanned vulnerable endpoints across multiple platforms and then unleashed their custom tool called forticheck to spray 3,639 base credential pairs against every target. Once initial access was gained, they deployed network sniffers to harvest cleartext credentials from HTTP, FTP, SMTP, POP3, IMAP, LDAP, SNMP, and Telnet protocols. Captured Kerberos and NTLM hashes were sent to their dedicated cracking infrastructure for decryption.
Lateral Movement and Persistence
With credentials in hand, the operators replayed captured session cookies through OpenConnect to hijack active VPN sessions. This gave them direct access to Active Directory where they conducted standard post-compromise operations: dumping AD databases, exfiltrating file shares, harvesting Kerberos tickets, and stealing Group Policy templates. The attackers operated from Kali Linux virtual machines behind NAT to avoid direct contact with victim networks.
Operational Security and Coordination
Multiple operators simultaneously accessed the same machines and coordinated through shared terminal sessions. Critically, the attackers made the same mistakes they exploited in victims, leaving their hash-cracking server running with default credentials. The targeting wasn't random; organizations were ranked by revenue using open-source intelligence, with the highest tier reserved for companies valued above 113 billion dollars.
Affected Sectors and Geography
IT services, telecommunications, financial services, and government organizations represented the most exposed sectors. Affected regions included Japan, Taiwan, Vietnam, Iraq, and Turkey. The most severe incident involved a Turkish defense contractor with NATO connections whose classified defense documents were allegedly exfiltrated, though this claim remains unverified by independent sources.
Broader Implications
The research revealed a troubling pattern: 88% of randomly sampled exposed organizations already appeared in stealer logs or previous breach databases, and 38% had staff members with active infostealer infections. Approximately 590 exposed organizations were already named on ransomware leak sites. This indicates that an exposed FortiGate device is typically not an isolated security failure but rather evidence of attackers having compromised the target organization multiple times through various vectors.
Recommended Actions
Organizations should immediately remove management interfaces and SSL VPNs from public internet exposure. All administrator and local credentials require rotation, and FortiOS must be upgraded to the latest version. Active VPN sessions should be invalidated to prevent replayed cookie attacks. Employee credentials tied to exposed devices need resetting as well, given the high overlap with infostealer infections. Researchers released a FortiBleed Checker tool to help administrators identify compromised domains.
Sources
https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html
https://x.com/securityaffairs/status/2068252290067140718
https://www.linkedin.com/posts/pierluigipaganini_fortibleed-exposes-global-credential-spraying-activity-7474018009368489984-_8wZ
https://www.linkedin.com/posts/cybercureme_fortibleed-exposes-global-credential-spraying-activity-7474024097597964288-KgKF
https://www.reddit.com/r/InfoSecNews/comments/1uascfm/fortibleed_exposes_global_credentialspraying

Comments