HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

FortiBleed Campaign Harvests Credentials from 430,000 FortiGate Firewalls, Fuels Ransomware Attacks

A threat‑research team linked the FortiBleed operation to the theft of admin credentials from over 430 000 FortiGate firewalls, which were then used to launch at least 12 ransomware attacks. The incident highlights gaps in access‑control policies and the need for continuous SOC 2 audit evidence.

LiveThreat™ Intelligence · 📅 July 02, 2026· 📰 securityaffairs.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

FortiBleed Campaign Harvests Credentials from 430,000 FortiGate Firewalls, Fuels Ransomware Attacks

What Happened — A threat‑research team (SOCRadar) linked the “FortiBleed” operation to two active ransomware groups, INC Ransom and Lynx. The attackers used a custom Go tool (FortigateSniffer) to passively sniff authentication traffic from FortiGate firewalls by abusing FortiOS’s built‑in packet‑diagnostic command, harvesting admin credentials from more than 430 000 devices in over 150 countries. The stolen credentials were then used to compromise domain controllers, leading to at least 12 confirmed ransomware deployments that encrypted hundreds of endpoints.

Why It Matters for Compliance & Audit Readiness

  • Credential‑theft at the firewall layer bypasses network perimeter defenses and directly violates SOC 2 CC6.1 (Logical Access Control) and CC6.2 (User Access Management).
  • Continuous evidence of privileged‑access monitoring and timely revocation of stale admin accounts is essential to demonstrate due diligence during a SOC 2 audit.
  • The scale of the breach underscores the need for documented security‑awareness training that covers misuse of vendor‑provided diagnostic functions.

Who Is Affected — Organizations of any size that deploy FortiGate firewalls, spanning technology, finance, healthcare, manufacturing, and government sectors.

Recommended Actions

  • Immediately rotate all FortiGate admin passwords and enforce MFA for firewall management interfaces.
  • Review and tighten firewall configuration: disable unnecessary diagnostic commands, restrict access to trusted IP ranges, and enable logging of all admin sessions.
  • Incorporate firewall‑admin credential management into your SOC 2 access‑control policies and capture evidence of periodic reviews for audit readiness.

Technical Notes — The attack leveraged FortiOS’s packet‑diagnostic feature across ~20 protocols, allowing passive capture of clear‑text authentication data without delivering malicious payloads. No public CVE has been assigned; the issue is a misuse of legitimate functionality. Source: SecurityAffairs

📰 Original Source
https://securityaffairs.com/194645/security/430000-fortigate-devices-exposed-in-fortibleed-ransomware-link.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →