Sweeping Credential-Harvesting Heist Compromises 30K+ Fortinet Devices

Dark Reading, Jun 17, 2026

Attackers are actively targeting various sectors across nearly 200 countries and already have compiled a list of working credentials for tens of thousands of compromised devices.

Elizabeth Montalbano, Contributing Writer. June 17, 2026. 4 Min Read

A large-scale credential harvesting operation is actively targeting Fortinet firewalls and VPN gateways, and has already compromised more than 30,000 Internet-facing devices across nearly 200 countries.

Evidence of the credential harvesting was first spotted by security consultant Volodymyr Diachenko. Researchers from SOCRadar uncovered the campaign, which they dubbed "FortiBleed," when they found an exposed operational server belonging to the attackers, who are suspected to be Russian-speaking threat actors. This gave them visibility into the group's tooling, victim database, automation infrastructure, and verified credential repository, according to a report published Tuesday.

"The attacker's database contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries," according to the report. "These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock."

No Fortinet Flaws, Just Pure Credential Theft

SOCRadar emphasized that it found no evidence of exploited Fortinet flaws in the operation and is treating it strictly as a credential-compromise campaign, though one that should be taken seriously, according to the report.

"The most striking thing about the FortiBleed breach is what's missing from it," Waseem Ahmed, head of engineering at Secure.com, tells Dark Reading. "There's no zero-day, no exploit, no actual 'bleed.' Despite the name, this isn't a vulnerability but a pile of credentials leaked in earlier Fortinet breaches, fired back at organizations that never bothered to change them."

Indeed, SOCRadar's analysis found that the compromised firewalls and VPNs often shared the same account-hygiene weaknesses. Many of the accounts were generic administrator accounts, default or built-in Fortinet system accounts, or long-lived accounts whose passwords had never been rotated after previous breaches, the researchers said.

Various Sectors Affected by FortiBleed

The compromised devices so far comprise 21,108 unique IP addresses and 8,316 unique domains across the government, telecommunications, healthcare, education, financial services, and critical infrastructure sectors, the researchers found. Among those, telecommunications accounted for over 5,600 compromised devices, while government organizations represented 591 devices across 111 domains.

Enterprise organizations generating more than $1 billion in annual revenue accounted for more than 20% of affected devices, while India and the US reportedly accounted for nearly one-third of all identified credential compromises. Affected organizations were also found across Asia, Europe, the Americas, Africa, and the Middle East.

Given that the attack remains active and "Fortinet firewalls and VPN gateways are among the most widely deployed network security devices in the world," the ongoing threat is rated as "critical" and demands an immediate response from affected organizations, SOCRadar noted in the report. Indeed, these devices are often in the crosshairs of attackers, given their ubiquity and the entry into networks that they can provide.

"If your organization uses a Fortinet firewall or VPN product and appears in this dataset, treat your network perimeter as already compromised and act immediately," said SOCRadar.

A Self-Sustaining Compromise Model

The operation is built around a self-sustaining, fully automated attack chain in which attackers scan the Internet for Fortinet devices and then employ credential reuse, credential stuffing, and password spraying against exposed Fortinet management and VPN interfaces. As part of this, attackers used previously leaked Fortinet credentials and continuously validated successful logins through this automated scanning infrastructure, SOCRadar said.

Once a device is compromised, attackers "use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by," according to the report. The freshly collected passwords are then fed back into the scanner to compromise even more devices. "The system feeds itself," the report stated.

Though the operation seems highly professional, the attackers did make a significant mistake in leaving a server exposed that "revealed far more about them than they intended," including clues to their identities and motives, the vendor said. SOCRadar also said technical evidence points to Russian-speaking threat actors and noted that the victim selection was "heavily weighted toward organizations in NATO member countries." These attackers also appear to be motivated not only by financial gain but also by potential cyber espionage, as credentials for what appears to be a defense industry VPN endpoint were among the recovered data, according to the post.

Immediate Mitigation Steps for FortiBleed

The campaign demonstrates the scale at which attackers can successfully weaponize credential reuse and poor password hygiene, especially when they use automation as a core part of their attack strategy. The lesson here for defenders, then, is that perimeter security appliances, especially those from Fortinet, remain high-value targets and must be secured with more care and attention.
As mentioned, any organization using Fortinet firewalls or VPNs should take immediate action to secure these assets, including the immediate rotation of all administrative and VPN credentials. They also should enable multifactor authentication on all remote access and administrative accounts, according to SOCRadar. Additionally, security teams should review all authentication and VPN logs for suspicious access; remove management interfaces from the public Internet where possible; upgrade devices to the current firmware version; and conduct the appropriate incident response investigation if a compromise is found or suspected.

About the Author

Elizabeth Montalbano, Contributing Writer. Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.
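Returning to the mitigation steps above: the one most teams struggle to make concrete is "review all authentication and VPN logs for suspicious access." The script below is an added illustration, not SOCRadar's or Fortinet's tooling, of what that review looks like against the attack chain the article describes (password spraying across many usernames, credential stuffing against one account, and a success that follows a run of failures from the same source, which is what automated credential validation produces). The log lines are constructed, and the field and action names (remip, srcip, user, action, status, ssl-login-fail, tunnel-up) are assumptions modelled on the common FortiOS key="value" event-log layout; adjust them to the actual log schema of the device under review.

```python
"""Flag credential-stuffing / password-spraying patterns in FortiGate-style
authentication logs.  Added example; the field names and action values are
assumptions about the FortiOS key="value" layout, and all log lines are
constructed."""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed FortiOS action values for SSL-VPN events (not from the article).
FAIL_ACTIONS = {"ssl-login-fail"}
SUCCESS_ACTIONS = {"tunnel-up"}
# Generic / built-in account names the report says were common among victims.
GENERIC_ACCOUNTS = {"admin", "guest"}

SPRAY_MIN_USERS = 4            # distinct usernames that failed from one IP
STUFF_MIN_FAILS = 6            # total failures from one IP
PRIOR_FAILS_BEFORE_SUCCESS = 3 # failures before a success is suspicious

# Constructed sample: one spraying source, one stuffing source, one internal
# admin login on the allowlist, and one harmless single failure.
SAMPLE_LOGS = """\
date=2026-06-17 time=02:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="203.0.113.10"
date=2026-06-17 time=02:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="vpnuser" remip="203.0.113.10"
date=2026-06-17 time=02:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="203.0.113.10"
date=2026-06-17 time=02:00:07 type="event" subtype="vpn" action="ssl-login-fail" user="backup" remip="203.0.113.10"
date=2026-06-17 time=02:00:09 type="event" subtype="vpn" action="ssl-login-fail" user="svc-vpn" remip="203.0.113.10"
date=2026-06-17 time=02:00:12 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="admin" remip="203.0.113.10"
date=2026-06-17 time=02:01:00 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip="198.51.100.7"
date=2026-06-17 time=02:01:01 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip="198.51.100.7"
date=2026-06-17 time=02:01:02 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip="198.51.100.7"
date=2026-06-17 time=02:01:03 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip="198.51.100.7"
date=2026-06-17 time=02:01:04 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip="198.51.100.7"
date=2026-06-17 time=02:01:05 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip="198.51.100.7"
date=2026-06-17 time=02:10:00 type="event" subtype="system" action="login" status="success" user="admin" srcip="192.0.2.5" ui="https(192.0.2.5)"
date=2026-06-17 time=02:12:00 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip="203.0.113.99"
"""


def parse_line(line):
    """Turn one key=value / key="value" syslog line into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def classify(ev):
    """Return 'fail', 'success' or None for a parsed event (assumed actions)."""
    action, status = ev.get("action"), ev.get("status")
    if action in FAIL_ACTIONS or (action == "login" and status == "failed"):
        return "fail"
    if action in SUCCESS_ACTIONS or (action == "login" and status == "success"):
        return "success"
    return None


def analyze(lines, allowlist=frozenset()):
    """Walk events in time order; return {source_ip: [finding, ...]}.

    Every line passed in is treated as one review window, so size the input
    (e.g. one hour of logs) to match the thresholds above."""
    events = [parse_line(l) for l in lines if l.strip()]
    events.sort(key=lambda e: (e.get("date", ""), e.get("time", "")))
    fails = defaultdict(list)      # ip -> usernames that failed, in order
    findings = defaultdict(list)
    for ev in events:
        ip = ev.get("remip") or ev.get("srcip")
        user = ev.get("user", "?")
        if ip is None or ip in allowlist:
            continue
        kind = classify(ev)
        if kind == "fail":
            fails[ip].append(user)
            # '==' so each finding is emitted once, when the threshold is hit.
            if len(set(fails[ip])) == SPRAY_MIN_USERS:
                findings[ip].append("password-spray")
            if len(fails[ip]) == STUFF_MIN_FAILS:
                findings[ip].append("credential-stuffing")
        elif kind == "success":
            if len(fails[ip]) >= PRIOR_FAILS_BEFORE_SUCCESS:
                findings[ip].append(f"success-after-failures:{user}")
            if user in GENERIC_ACCOUNTS:
                findings[ip].append(f"generic-account-login:{user}")
    return dict(findings)


if __name__ == "__main__":
    # 192.0.2.5 stands in for a known internal management host (constructed).
    for ip, hits in analyze(SAMPLE_LOGS.splitlines(), allowlist={"192.0.2.5"}).items():
        print(ip, hits)
```

The allowlist matters: run without it, the internal admin login is reported as a generic-account login, which is the kind of noise that buries the real finding. The "success-after-failures" hit on the spraying source is the one to escalate, since it is exactly the signature of a leaked credential being validated, and it should trigger the credential rotation and incident response the report calls for.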