top of page

FortiBleed: Global Credential-Spraying Operation Uncovered Across Multiple Platforms

  • Jun 21
  • 2 min read

Key Findings


  • Multi-operator crew conducted industrial-scale credential-spraying campaign against Fortinet FortiGate SSL VPN devices across 207 countries

  • Campaign generated 1.16 billion login combinations against 320,777 FortiGate endpoints and 2.1 billion attempts against 163,650 MSSQL servers

  • Operators used custom tools running up to 50,000 threads and a 45-way NVIDIA RTX 4090 GPU cluster for password cracking

  • At least four organizations fully compromised, including a Turkish defense contractor with NATO ties

  • 88% of exposed organizations already appeared in stealer logs or breach databases, suggesting repeated attacker access


Background


The discovery came in June 2026 when researcher Volodymyr Diachenko of SecurityDiscovery.com found the attackers' own infrastructure exposed on the open internet. This wasn't a sophisticated targeted operation but rather a systematic factory-scale attack with multiple operators working in coordinated shifts. The campaign targeted 73,932 exposed FortiGate devices spanning 21,613 organizations, with the densest concentrations in India and Latin American telecoms.


The Attack Methodology


The crew scanned vulnerable endpoints across multiple platforms and then unleashed their custom tool called forticheck to spray 3,639 base credential pairs against every target. Once initial access was gained, they deployed network sniffers to harvest cleartext credentials from HTTP, FTP, SMTP, POP3, IMAP, LDAP, SNMP, and Telnet protocols. Captured Kerberos and NTLM hashes were sent to their dedicated cracking infrastructure for decryption.


Lateral Movement and Persistence


With credentials in hand, the operators replayed captured session cookies through OpenConnect to hijack active VPN sessions. This gave them direct access to Active Directory where they conducted standard post-compromise operations: dumping AD databases, exfiltrating file shares, harvesting Kerberos tickets, and stealing Group Policy templates. The attackers operated from Kali Linux virtual machines behind NAT to avoid direct contact with victim networks.


Operational Security and Coordination


Multiple operators simultaneously accessed the same machines and coordinated through shared terminal sessions. Critically, the attackers made the same mistakes they exploited in victims, leaving their hash-cracking server running with default credentials. The targeting wasn't random; organizations were ranked by revenue using open-source intelligence, with the highest tier reserved for companies valued above 113 billion dollars.


Affected Sectors and Geography


IT services, telecommunications, financial services, and government organizations represented the most exposed sectors. Affected regions included Japan, Taiwan, Vietnam, Iraq, and Turkey. The most severe incident involved a Turkish defense contractor with NATO connections whose classified defense documents were allegedly exfiltrated, though this claim remains unverified by independent sources.


Broader Implications


The research revealed a troubling pattern: 88% of randomly sampled exposed organizations already appeared in stealer logs or previous breach databases, and 38% had staff members with active infostealer infections. Approximately 590 exposed organizations were already named on ransomware leak sites. This indicates that an exposed FortiGate device is typically not an isolated security failure but rather evidence of attackers having compromised the target organization multiple times through various vectors.


Recommended Actions


Organizations should immediately remove management interfaces and SSL VPNs from public internet exposure. All administrator and local credentials require rotation, and FortiOS must be upgraded to the latest version. Active VPN sessions should be invalidated to prevent replayed cookie attacks. Employee credentials tied to exposed devices need resetting as well, given the high overlap with infostealer infections. Researchers released a FortiBleed Checker tool to help administrators identify compromised domains.


Sources


  • https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html

  • https://x.com/securityaffairs/status/2068252290067140718

  • https://www.linkedin.com/posts/pierluigipaganini_fortibleed-exposes-global-credential-spraying-activity-7474018009368489984-_8wZ

  • https://www.linkedin.com/posts/cybercureme_fortibleed-exposes-global-credential-spraying-activity-7474024097597964288-KgKF

  • https://www.reddit.com/r/InfoSecNews/comments/1uascfm/fortibleed_exposes_global_credentialspraying

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page