FortiBleed Campaign Harvests Credentials from FortiGate Firewalls via Custom Sniffer
What Happened — Security firm SOCRadar disclosed that a large‑scale “FortiBleed” operation has compromised over 430,000 FortiGate firewalls worldwide. Attackers first gain administrative access through credential‑stuffing and brute‑force attacks, then deploy a custom Golang tool called FortigateSniffer that abuses FortiOS’s built‑in diagnose sniffer packet command to capture authentication traffic (RADIUS, NTLM, Kerberos, LDAP, etc.) and exfiltrate credentials.
Why It Matters for Compliance & Audit Readiness
- The incident highlights a breakdown in privileged‑access controls and monitoring—exactly the controls SOC 2 CC6.1 (Logical Access) is designed to enforce.
- Continuous, tamper‑evident logging of privileged commands on network devices provides the audit evidence needed to demonstrate due diligence.
- Our SOC 2 Access‑Controls capability automates collection and correlation of firewall admin‑command logs, giving you a defensible, real‑time audit trail.
Who Is Affected — Organizations that rely on Fortinet FortiGate firewalls across any industry (finance, healthcare, cloud services, manufacturing, etc.).
Recommended Actions
- Review and tighten SOC 2 logical‑access policies for firewall administration (least‑privilege, MFA, role‑based access).
- Enable immutable logging of all
diagnose sniffer packetexecutions and integrate those logs with a SIEM or continuous‑compliance platform for real‑time alerts. - Rotate VPN and remote‑access credentials regularly and enforce strong password / passphrase policies.
Source: BleepingComputer
Technical Notes — The “FortigateSniffer” tool leverages a legitimate diagnostic feature in FortiOS to sniff traffic across 24 protocols, extracting clear‑text credentials and password hashes. No new vulnerability (CVE) is reported; the abuse stems from permissive default configuration of the diagnostic command. Source: same link