HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Global Credential‑Spraying Campaign Compromises Fortinet VPNs, Exposes Millions of Credentials

A coordinated group used a high‑speed scanner to spray billions of login attempts at FortiGate SSL‑VPNs, successfully harvesting credentials and hijacking sessions. At least four organisations were fully compromised, highlighting gaps in access‑control and MFA that SOC 2 audits must evidence.

LiveThreat™ Intelligence · 📅 June 20, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Global Credential‑Spraying Campaign Compromises Fortinet VPNs, Exposes Millions of Credentials

What Happened — A coordinated group used a custom tool (“forticheck”) to scan ≈ 320 k FortiGate SSL‑VPN endpoints and spray them with 3,639 credential pairs, generating more than 1.1 billion login attempts. Successful logins let the actors drop network sniffers, harvest clear‑text credentials, crack hashes with a 45‑node NVIDIA RTX 4090 GPU cluster, and hijack VPN sessions to move laterally into Active Directory. At least four organisations (Japan, Taiwan, Vietnam, Iraq, Turkey) were fully compromised, including a Turkish defence contractor with alleged classified document exfiltration.

Why It Matters for Compliance & Audit Readiness

  • The breach is a textbook failure of logical‑access controls that SOC 2 CC6.1 (Logical Access Controls) is meant to prevent and evidence.
  • Continuous monitoring of VPN authentication logs, MFA enforcement, and credential‑spray detection provide the audit‑ready evidence required for a defensible SOC 2 audit.
  • This scenario maps directly to Verisq’s SOC 2 Access Controls capability, which automates collection of login‑event telemetry and MFA compliance for continuous‑compliance reporting.

Who Is Affected — Enterprises that expose Fortinet FortiGate SSL‑VPNs, notably telecom operators, defence contractors, and multinational corporations in Asia, the Middle East and Europe.

Recommended Actions

  • Enforce MFA on all VPN accounts and retire default/weak credentials.
  • Deploy real‑time log aggregation and anomaly detection for failed‑login spikes.
  • Conduct a credential‑spray risk assessment and map findings to SOC 2 CC6.1 controls.
  • Validate network‑sniffer detection and endpoint monitoring are in place. Source: https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html

Technical Notes – Attackers used a multi‑threaded scanner (25 k–50 k threads) against FortiGate /remote/login and Sophos /userportal endpoints, then leveraged GPU‑accelerated hash cracking (RTX 4090) and OpenConnect session hijacking. No specific CVE was cited; the vulnerability was reliance on weak/default credentials. Source: https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html

📰 Original Source
https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →