Global Credential‑Spraying Campaign Compromises Fortinet VPNs, Exposes Millions of Credentials
What Happened — A coordinated group used a custom tool (“forticheck”) to scan ≈ 320 k FortiGate SSL‑VPN endpoints and spray them with 3,639 credential pairs, generating more than 1.1 billion login attempts. Successful logins let the actors drop network sniffers, harvest clear‑text credentials, crack hashes with a 45‑node NVIDIA RTX 4090 GPU cluster, and hijack VPN sessions to move laterally into Active Directory. At least four organisations (Japan, Taiwan, Vietnam, Iraq, Turkey) were fully compromised, including a Turkish defence contractor with alleged classified document exfiltration.
Why It Matters for Compliance & Audit Readiness
- The breach is a textbook failure of logical‑access controls that SOC 2 CC6.1 (Logical Access Controls) is meant to prevent and evidence.
- Continuous monitoring of VPN authentication logs, MFA enforcement, and credential‑spray detection provide the audit‑ready evidence required for a defensible SOC 2 audit.
- This scenario maps directly to Verisq’s SOC 2 Access Controls capability, which automates collection of login‑event telemetry and MFA compliance for continuous‑compliance reporting.
Who Is Affected — Enterprises that expose Fortinet FortiGate SSL‑VPNs, notably telecom operators, defence contractors, and multinational corporations in Asia, the Middle East and Europe.
Recommended Actions
- Enforce MFA on all VPN accounts and retire default/weak credentials.
- Deploy real‑time log aggregation and anomaly detection for failed‑login spikes.
- Conduct a credential‑spray risk assessment and map findings to SOC 2 CC6.1 controls.
- Validate network‑sniffer detection and endpoint monitoring are in place. Source: https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html
Technical Notes – Attackers used a multi‑threaded scanner (25 k–50 k threads) against FortiGate /remote/login and Sophos /userportal endpoints, then leveraged GPU‑accelerated hash cracking (RTX 4090) and OpenConnect session hijacking. No specific CVE was cited; the vulnerability was reliance on weak/default credentials. Source: https://securityaffairs.com/193931/hacking/fortibleed-exposes-global-credential-spraying-operation.html