HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

FortiBleed Campaign Harvests 110 M Credentials from 430 k FortiGate Firewalls, Including NATO‑Aligned Contractor Breach

A Russian‑linked group has exfiltrated over 110 million usernames and passwords by abusing FortiGate firewalls. The breach of a NATO‑aligned defense contractor underscores why SOC 2 access‑control and continuous‑monitoring controls are essential for audit readiness.

LiveThreat™ Intelligence · 📅 June 22, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

FortiBleed Campaign Harvests 110 M Credentials from 430 k FortiGate Firewalls, Including NATO‑Aligned Contractor Breach

What Happened — A Russian‑linked threat group dubbed “FortiBleed” has compromised more than 430 000 FortiGate firewalls worldwide. Using a combination of SSH brute‑force, credential‑stuffing against SSL‑VPN portals, and a custom “FortigateSniffer” that abuses a legitimate diagnostic command, the actors have exfiltrated over 110 million usernames and passwords across 24 protocols. The operation has already resulted in a confirmed breach of a NATO‑aligned defense contractor and continues to sniff traffic from thousands of active devices.

Why It Matters for Compliance & Audit Readiness

  • Demonstrates how weak privileged‑access controls and lack of MFA on network‑security appliances can lead to massive credential exposure – a direct violation of SOC 2 CC6.1 (Logical Access Controls).
  • Highlights the need for continuous monitoring and immutable audit logs of privileged‑access activity to provide defensible evidence during a SOC 2 audit.
  • Shows that a robust Security Awareness and Credential‑Management program is essential to mitigate credential‑stuffing and brute‑force attacks.

Who Is Affected – Critical infrastructure (defense contractors), financial services, healthcare, cloud‑service providers, and any organization that relies on FortiGate firewalls for perimeter security.

Recommended Actions

  • Enforce MFA and strong password policies for all privileged accounts on firewalls and VPN portals.
  • Deploy continuous monitoring of diagnostic commands and privileged‑access logs; retain immutable evidence for audit review.
  • Conduct regular credential‑rotation and privileged‑access reviews aligned with SOC 2 CC6.1.
  • Integrate security‑awareness training that covers credential‑stuffing and brute‑force mitigation.

Source: Security Affairs – FortiBleed detailed breakdown

Technical Notes – The threat chain includes mass‑network scanning (Masscan), passive enrichment via Shodan, SSH brute‑force with custom wordlists, credential‑stuffing against SSL‑VPN, and the “FortigateSniffer” tool that leverages the diagnose sniffer packet command to capture authentication traffic (Kerberos, RADIUS, NTLM, RDP, LDAP, MSSQL, etc.) without installing malware.

📰 Original Source
https://securityaffairs.com/194004/hacking/fortibleed-the-most-detailed-breakdown-yet-of-an-active-russian-credential-harvesting-operation.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →