FortiBleed Campaign Harvests Credentials from 430K FortiGate Firewalls, Feeding INC Ransom and Lynx Operations
What Happened — A coordinated threat‑actor operation dubbed “FortiBleed” compromised more than 430,000 FortiGate firewalls by exploiting Fortinet vulnerabilities that had been patched months earlier and by brute‑forcing weak admin passwords. The attackers used a custom tool, FortigateSniffer, to intercept authentication traffic and harvest configuration files, then logged into the ransom‑negotiation panels of the INC Ransom and Lynx ransomware‑as‑a‑service groups.
Why It Matters for Compliance & Audit Readiness
- Credential‑harvesting at this scale directly tests the effectiveness of SOC 2 Access Control (CC6) policies and the evidence‑collection processes required for audit readiness.
- Unpatched devices and weak passwords expose gaps in continuous monitoring and patch‑management controls—areas that must be documented and remediated to maintain a defensible audit trail.
Who Is Affected — Organizations across industrial, healthcare, education, manufacturing, business services, technology, and transportation sectors that rely on FortiGate firewalls for perimeter security.
Recommended Actions
- Verify that all FortiGate devices are running the latest firmware and that known CVEs are fully remediated.
- Enforce strong, unique admin passwords and MFA for firewall access; rotate credentials regularly.
- Integrate firewall log collection into a continuous monitoring platform to provide real‑time evidence of access‑control compliance (SOC 2 CC6).
- Update security awareness training to include phishing and credential‑theft scenarios tied to network devices.
Technical Notes — The operation leveraged FortiOS’s diagnose sniffer packet command, a custom Golang tool (FortigateSniffer), and an AI‑driven penetration testing agent (CyberStrike) to parse intercepted traffic. The underlying Fortinet flaws were disclosed and patched five months prior to the breach. Source: DataBreachToday