
FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist

Dark Reading, Jun 23, 2026

The threat actors engineered a Golang-based sniffer to target 430,000 FortiGate firewalls and identify 110 million credentials in the ongoing global campaign.

By Elizabeth Montalbano, Contributing Writer. June 23, 2026. 5 Min Read.

The threat actors behind the global "FortiBleed" credential harvesting campaign engineered a sniffer tool to compromise hundreds of thousands of FortiGate routers and turn them into passive stealers, in a wave of attacks that is now known to be much broader than initially thought.

Researchers from SOCRadar have unpacked the attack chain behind the ongoing threat campaign, which they believe is targeting more than 430,000 FortiGate firewalls globally and has resulted in the breach of high-value targets such as a NATO-aligned defense contractor, according to a white paper published this week.

Based on the observed activity, the threat actor is most likely an initial access broker (IAB) motivated by financial gain, according to SOCRadar, whose researchers reverse engineered the attack chain to understand the origin and nature of the attack.

They found that FortiBleed has been ongoing since at least February and, given that tooling comments related to the campaign use the Cyrillic alphabet, the perpetrators are likely Russian. SOCRadar made a similar assumption when the campaign was first revealed, after security researcher Volodymyr "Bob" Diachenko flagged a single exposed directory that led the researchers to its discovery and subsequent disclosure.

Sniffer Turns Firewalls Into Stealers

The white paper reveals exactly how the attackers were able to engineer such widespread credential harvesting.

SOCRadar discovered and analyzed a Golang tool dubbed FortigateSniffer, which "turns compromised firewalls into passive credential collectors across 24 authentication protocols," according to the white paper. "FortigateSniffer abuses the FortiOS built-in diagnostic command '-diagnose sniffer packet' to passively capture authentication traffic from compromised FortiGate firewalls," SOCRadar researchers wrote. "The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract credentials from network flows."

Further analysis suggests that parts of the workflow also may have been assisted by CyberStrike, an open source AI-powered autonomous penetration testing agent, according to the researchers.

The expanded scope of FortiBleed prompted the Cybersecurity and Infrastructure Security Agency (CISA) to urge organizations across both the private and public sectors to take immediate steps to harden their Fortinet environments.

FortiBleed Scope and Victimology

So far, attackers have managed to create 659 credential-harvesting pipelines using the tool, and have already stolen more than 110 million credentials, including RADIUS, NTLM, and Kerberos material, SOCRadar found.

Based on scale alone, the harvested credentials also "should be treated as an active risk condition with as much potential for damage as the original vector," observes Gene Moody, field chief technology officer (CTO) with patch management firm Action1.

"These datasets are frequently aggregated, repackaged, and sold in underground markets, lowering the barrier for less sophisticated actors to launch new campaigns," he observes, making the theft achieved to date a dangerous proposition for defenders.

Key targets of the campaign are small to medium-sized businesses (SMBs) with fewer than 200 employees, particularly in the US and India, according to SOCRadar. However, the campaign is global and has already affected organizations in nearly 200 countries. The campaign also spans multiple sectors, as revealed last week; however, the researchers now believe the key targeted sector is "IT services, likely selected to maximize downstream access," according to the white paper.

Full Attack Chain Revealed

SOCRadar identified a five-step attack chain employed by the threat actor, beginning with reconnaissance and target prioritization. This is done by scanning the Internet for exposed FortiGate firewalls and other edge services, enriching the data with organization and revenue information, and ranking targets based on potential value.

Once targets have been identified, attackers use credential-stuffing and brute-force attacks against FortiGate administrative interfaces and SSH services to obtain valid credentials and footholds on Internet-facing devices.

Attackers deploy FortigateSniffer post-compromise to abuse legitimate FortiOS diagnostic commands and passively capture authentication traffic across dozens of protocols. The tool extracts credentials, hashes, session cookies, and identity data without installing traditional malware.

The next step uses the attacker's distributed GPU infrastructure to crack the captured hashes, while validated credentials are used for password spraying, Active Directory enumeration, Server Message Block (SMB) access, and lateral movement deeper into victim networks, according to SOCRadar.

The attack culminates in the theft of sensitive files from network shares and the reuse of stolen Web-session cookies to gain authenticated access to internal applications. The threat actor can then use the resulting access and intelligence for follow-on ransomware and data extortion attacks, or sell it for financial gain.

Defending Against FortiBleed

Given the ongoing nature of the campaign, SOCRadar continues to actively track it.
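As an added example (not code from the article, SOCRadar, or Fortinet), here is the log-review side of the attack chain described above: a small Python script that flags the three traces the chain leaves in FortiGate management logs, namely use of the built-in sniffer command on an admin session, admin logins from outside trusted ranges or at odd hours, and bursts of failed logins against the admin interface. The key=value log layout, its field names, the trusted ranges and the sample lines are all constructed assumptions, not real FortiOS output.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in a FortiGate-style key=value syslog layout
# (field names and values are assumptions made up for illustration).
SAMPLE_LOGS = """\
date=2026-06-22 time=03:12:41 type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="success" msg="Administrator admin logged in successfully from ssh"
date=2026-06-22 time=03:13:05 type="event" subtype="system" user="admin" srcip=203.0.113.7 action="cli-cmd" status="success" msg="diagnose sniffer packet any 'port 1812' 6 0 a"
date=2026-06-22 time=10:02:11 type="event" subtype="system" user="admin" srcip=10.0.5.20 action="login" status="success" msg="Administrator admin logged in successfully from https"
date=2026-06-22 time=02:58:01 type="event" subtype="system" user="admin" srcip=198.51.100.9 action="login" status="failed" msg="Administrator admin login failed from ssh"
date=2026-06-22 time=02:58:02 type="event" subtype="system" user="admin" srcip=198.51.100.9 action="login" status="failed" msg="Administrator admin login failed from ssh"
date=2026-06-22 time=02:58:03 type="event" subtype="system" user="admin" srcip=198.51.100.9 action="login" status="failed" msg="Administrator admin login failed from ssh"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed trusted admin ranges
BUSINESS_HOURS = range(7, 20)                       # assumed normal admin hours
FAILED_LOGIN_THRESHOLD = 3                          # failures per source to flag

def parse_line(line):
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in KV_RE.findall(line)}

def analyze(log_text):
    """Return (rule, srcip, detail) findings over the supplied log text."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "system":
            continue
        src, action, status = ev.get("srcip", ""), ev.get("action"), ev.get("status")
        # Admins also run the sniffer legitimately, so this is a triage lead, not proof.
        if "diagnose sniffer packet" in ev.get("msg", ""):
            findings.append(("sniffer-command", src, ev["msg"]))
        if action == "login" and status == "success":
            if not any(ipaddress.ip_address(src) in n for n in MGMT_NETS):
                findings.append(("admin-login-untrusted-source", src, ev["user"]))
            if datetime.strptime(ev["time"], "%H:%M:%S").hour not in BUSINESS_HOURS:
                findings.append(("admin-login-off-hours", src, ev["time"]))
        elif action == "login" and status == "failed":
            failures[src] += 1          # counted per source for the stuffing rule
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("brute-force-attempts", src, f"{n} failed logins"))
    return findings
```

Running `analyze(SAMPLE_LOGS)` yields four findings: an off-hours admin login from an untrusted source, the sniffer command run in that same session, and three failed logins from one source.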
The white paper includes a comprehensive list of indicators of compromise (IoCs) as well as a link to a tool that tests whether an organization has been compromised by FortiBleed.

SOCRadar said organizations that have been compromised, or think they may be targets, should take the following actions immediately: rotate all credentials tied to Fortinet VPN and administrative interfaces; enforce multifactor authentication (MFA); remove FortiGate management interfaces from direct Internet exposure; and review gateway and authentication logs for suspicious activity.

Even if compromise is not confirmed, organizations still should rotate credentials across all access immediately, especially since the campaign remains active, to avoid compromise in the future, Action1's Moody advises.

"Remember credential reuse is impersonation, therefore activity can be legitimate at a glance, but may also be an admin logging in at atypical times, from atypical locations, etc.," he says. "Many organizations may believe they avoided impact once the initial event passes. In reality, they avoided the initial blast and are later affected by the predictable aftershock."

About the Author

Elizabeth Montalbano, Contributing Writer. Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.