FortiBleed Campaign Harvests 110 M Credentials from 430 k FortiGate Firewalls, Including NATO‑Aligned Contractor Breach
What Happened — A Russian‑linked threat group dubbed “FortiBleed” has compromised more than 430 000 FortiGate firewalls worldwide. Using a combination of SSH brute‑force, credential‑stuffing against SSL‑VPN portals, and a custom “FortigateSniffer” that abuses a legitimate diagnostic command, the actors have exfiltrated over 110 million usernames and passwords across 24 protocols. The operation has already resulted in a confirmed breach of a NATO‑aligned defense contractor and continues to sniff traffic from thousands of active devices.
Why It Matters for Compliance & Audit Readiness
- Demonstrates how weak privileged‑access controls and lack of MFA on network‑security appliances can lead to massive credential exposure – a direct violation of SOC 2 CC6.1 (Logical Access Controls).
- Highlights the need for continuous monitoring and immutable audit logs of privileged‑access activity to provide defensible evidence during a SOC 2 audit.
- Shows that a robust Security Awareness and Credential‑Management program is essential to mitigate credential‑stuffing and brute‑force attacks.
Who Is Affected – Critical infrastructure (defense contractors), financial services, healthcare, cloud‑service providers, and any organization that relies on FortiGate firewalls for perimeter security.
Recommended Actions –
- Enforce MFA and strong password policies for all privileged accounts on firewalls and VPN portals.
- Deploy continuous monitoring of diagnostic commands and privileged‑access logs; retain immutable evidence for audit review.
- Conduct regular credential‑rotation and privileged‑access reviews aligned with SOC 2 CC6.1.
- Integrate security‑awareness training that covers credential‑stuffing and brute‑force mitigation.
Source: Security Affairs – FortiBleed detailed breakdown
Technical Notes – The threat chain includes mass‑network scanning (Masscan), passive enrichment via Shodan, SSH brute‑force with custom wordlists, credential‑stuffing against SSL‑VPN, and the “FortigateSniffer” tool that leverages the diagnose sniffer packet command to capture authentication traffic (Kerberos, RADIUS, NTLM, RDP, LDAP, MSSQL, etc.) without installing malware.