HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

FortiBleed Campaign Harvests Credentials from FortiGate Firewalls via Custom Sniffer

SOCRadar reports that a large‑scale FortiBleed operation has compromised over 430,000 FortiGate firewalls, using a custom sniffer tool to steal authentication secrets. The incident underscores the need for SOC 2‑aligned privileged‑access monitoring and evidence collection.

LiveThreat™ Intelligence · 📅 June 23, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

FortiBleed Campaign Harvests Credentials from FortiGate Firewalls via Custom Sniffer

What Happened — Security firm SOCRadar disclosed that a large‑scale “FortiBleed” operation has compromised over 430,000 FortiGate firewalls worldwide. Attackers first gain administrative access through credential‑stuffing and brute‑force attacks, then deploy a custom Golang tool called FortigateSniffer that abuses FortiOS’s built‑in diagnose sniffer packet command to capture authentication traffic (RADIUS, NTLM, Kerberos, LDAP, etc.) and exfiltrate credentials.

Why It Matters for Compliance & Audit Readiness

  • The incident highlights a breakdown in privileged‑access controls and monitoring—exactly the controls SOC 2 CC6.1 (Logical Access) is designed to enforce.
  • Continuous, tamper‑evident logging of privileged commands on network devices provides the audit evidence needed to demonstrate due diligence.
  • Our SOC 2 Access‑Controls capability automates collection and correlation of firewall admin‑command logs, giving you a defensible, real‑time audit trail.

Who Is Affected — Organizations that rely on Fortinet FortiGate firewalls across any industry (finance, healthcare, cloud services, manufacturing, etc.).

Recommended Actions

  • Review and tighten SOC 2 logical‑access policies for firewall administration (least‑privilege, MFA, role‑based access).
  • Enable immutable logging of all diagnose sniffer packet executions and integrate those logs with a SIEM or continuous‑compliance platform for real‑time alerts.
  • Rotate VPN and remote‑access credentials regularly and enforce strong password / passphrase policies.

Source: BleepingComputer

Technical Notes — The “FortigateSniffer” tool leverages a legitimate diagnostic feature in FortiOS to sniff traffic across 24 protocols, extracting clear‑text credentials and password hashes. No new vulnerability (CVE) is reported; the abuse stems from permissive default configuration of the diagnostic command. Source: same link

📰 Original Source
https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →