FortiBleed Campaign Harvests 110 Million Credentials from 430 K FortiGate Firewalls
What Happened – A threat‑actor group released a Golang‑based packet sniffer that scans vulnerable FortiGate firewalls. The tool has been observed probing roughly 430 K devices and has extracted more than 110 million usernames and passwords, turning the firewalls themselves into credential‑stealing platforms.
Why It Matters for Compliance & Audit Readiness
- The incident is a textbook example of a failure in logical‑access controls (SOC 2 CC6.1) – a breach that could have been detected early with continuous credential‑use monitoring.
- Demonstrates the need for auditable evidence of privileged‑access rotation, MFA enforcement, and firewall‑log integrity as part of a SOC 2‑ready continuous‑compliance program.
- Highlights the importance of maintaining an up‑to‑date vulnerability‑management process that feeds directly into audit evidence for “risk mitigation” criteria.
Who Is Affected – Enterprises across finance, healthcare, retail, and cloud‑service providers that rely on FortiGate firewalls for perimeter security.
Recommended Actions
- Verify that all FortiGate devices are patched to the latest FortiOS release that addresses the FortiBleed vulnerability.
- Conduct an immediate credential‑rotation cycle for any accounts used on firewalls and enforce MFA for privileged access.
- Enable detailed firewall logging and integrate logs into a SIEM for continuous monitoring and evidence collection.
- Map the incident to SOC 2 CC6.1 (Logical Access) and CC7.1 (System Operations) controls, documenting remediation steps as audit evidence.
Technical Notes – The attackers leveraged a custom Golang sniffer that exploits a remote‑code‑execution flaw in FortiOS (CVE‑2024‑XXXXX). The tool passively captures clear‑text authentication traffic, yielding both local and remote credentials. Source: Dark Reading