FortiBleed Is 'Tip of the Iceberg' of Edge Device Targeting
Data Breach Today
Threat Actor Harvesting Other Credentials; Experts See Many More Scans for SSL-VPNs
Discovery of the Fortinet credential-harvesting campaign tracked as "FortiBleed" appears to be the "tip of the iceberg" of edge device targeting, with honeypot telemetry revealing VPN and edge devices from Check Point, Cisco, Ivanti/Pulse, Palo Alto, OpenVPN and SonicWall also being top targets.
Cybercrime , Fraud Management & Cybercrime , Network Firewalls, Network Access Control
Mathew J. Schwartz (euroinfosec) • June 23, 2026
Image: Shutterstock/ISMG
The Fortinet credential-harvesting feeding frenzy being tracked as "FortiBleed" is just one of many active, illicit efforts targeting edge devices built by a range of manufacturers, security experts warn.
FortiBleed refers to ongoing activity selling harvested credentials for Fortinet devices. Fortinet and independent researchers have said attackers don't appear to be exploiting any unknown vulnerabilities, instead gathering credentials by targeting flaws patched five months ago or more, obtaining configuration files and cracking legacy admin passwords stored inside (see: No Zero-Day Tied to 80,000 Harvested Fortinet Credentials).
As of Sunday, a Russian-speaking group tied to the campaign, which appeared to start amassing Fortinet credentials in February, had a database of more than 86,644 confirmed working login credentials for corporate firewalls and VPN gateways across 23,406 domains in 194 countries, said cybersecurity firm SOCRadar, which coined the FortiBleed moniker.
A number of security firms have gained access to the threat actor's infrastructure, including an operational server. "That server held not only a database of validated credentials but also the group's tooling, automation scripts, connection strings, scheduled jobs and operator command histories," said cybersecurity firm CloudSEK.
SOCRadar said the infrastructure showed remote access attempts against 430,000 FortiGate firewalls globally. If successful, attackers often installed sniffing software allowing them to capture network traffic and unearth additional credentials.
Researchers haven't attributed the attacks to any specific group or individual but said the Russian-speaking threat actor behind FortiBleed works Moscow business hours and appears to be a financially motivated initial access broker with a preference for NATO member states - although the greatest number of its stolen Fortinet credentials lead to organizations based in India.
Although the group's primary target appears to be FortiGate firewalls and FortiOS SSL-VPN gateways, the threat actor isn't fixated on Fortinet. SOCRadar said the attackers are scanning for remote-access tools, including poorly secured remote desktop protocol services, server message block connections, Microsoft SQL Server services and Synology DiskStation Manager, which administers Synology network-attached storage devices. The group's target lists have been enumerating Sophos SSL-VPN portals and Remote Desktop Web Access, it said.
Security researchers at SpyCloud Labs, after gaining access to the attacker's infrastructure, found that "FortiGate was the largest single target set present on the brute-forcing server," although it accounted for only one-third of the internet-facing endpoints targeted so far.
"The same methodology used to create the headline Fortinet credential list, scan for a product and then brute-force it, was also pointed at several other appliances," the researchers said, counting 336,583 attempts against Synology portals, 247,584 against Sophos firewalls and 163,650 targeting MSSQL servers.
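A defender-side check for the scan-then-brute-force pattern described above, added here as an example that is not part of the article or any vendor's tooling: it reads constructed SSL-VPN log lines (field names loosely modeled on FortiGate event logs and assumed, not verified against any product) and flags source addresses that fail logins across many accounts, noting any successful login from the same source.

```python
from collections import defaultdict

# Constructed sample lines in a simplified key=value style modeled on
# FortiGate SSL-VPN event logs; the field names are assumptions.
SAMPLE_LOGS = """\
date=2026-06-20 time=09:01:02 action="ssl-login-fail" remip=203.0.113.10 user="admin"
date=2026-06-20 time=09:01:03 action="ssl-login-fail" remip=203.0.113.10 user="vpnuser"
date=2026-06-20 time=09:01:04 action="ssl-login-fail" remip=203.0.113.10 user="jsmith"
date=2026-06-20 time=09:01:05 action="ssl-login-fail" remip=203.0.113.10 user="backup"
date=2026-06-20 time=09:01:06 action="ssl-login-fail" remip=203.0.113.10 user="test"
date=2026-06-20 time=09:01:07 action="ssl-login-fail" remip=203.0.113.10 user="support"
date=2026-06-20 time=09:02:10 action="ssl-login-fail" remip=198.51.100.7 user="alice"
date=2026-06-20 time=09:02:40 action="ssl-login-ok" remip=198.51.100.7 user="alice"
date=2026-06-20 time=09:03:00 action="ssl-login-ok" remip=203.0.113.10 user="backup"
"""

def parse_line(line):
    """Parse one key=value log line into a dict (surrounding quotes stripped)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    return fields

def find_suspect_sources(log_text, min_failures=5, min_users=3):
    """Return {remip: summary} for sources whose failed logins look like a spray."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event.get("action") == "ssl-login-fail":
            failures[event["remip"]].append(event["user"])
        elif event.get("action") == "ssl-login-ok":
            successes[event["remip"]].add(event["user"])
    suspects = {}
    for ip, users in failures.items():
        distinct = set(users)
        if len(users) >= min_failures and len(distinct) >= min_users:
            suspects[ip] = {
                "failures": len(users),
                "distinct_users": len(distinct),
                # any success from a spraying source warrants review
                "successes_from_source": sorted(successes.get(ip, set())),
            }
    return suspects
```

A single user failing once and then succeeding (198.51.100.7 above) is not flagged, while a source that cycles through many accounts and later logs in as one of them is.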
"Fortinet may only represent the tip of the iceberg - a part that, due to someone's mistake, broke off and became visible to the public," said Milivoj Rajić, head of threat intelligence at cybersecurity firm DynaRisk.
"The same techniques used by threat actors against Fortinet devices can be applied to other VPN and remote-access systems as well. Fortinet is only one example," he said.
Rajić said honeypot telemetry shows high levels of scans tied to ports for SSL-VPN, web VPN and IPsec services, suggesting that many attackers are device-agnostic when it comes to trying to obtain remote access to a victim's environment.
While those scans may have few - if any - ties to the FortiBleed campaign, "the pattern is relevant because it shows that VPN infrastructure remains an active target area, including platforms such as Fortinet, Cisco, Palo Alto, SonicWall, Ivanti/Pulse, Check Point and OpenVPN," he said (see: Edge Devices Face Surge in Mass Brute-Force Password Attacks).
In addition, a number of hacking forum discussions are focused on selling or offering access to these types of data sets. "I have not independently verified every claim, but the activity further supports the view that VPN access and related credential data remain of strong interest to threat actors," Rajić said.
An Attack of 'Advanced Persistent Teenagers'
Credit for spotting this campaign goes to veteran cybersecurity researcher Volodymyr "Bob" Diachenko, who flagged it on June 12 after reviewing threat intelligence data gathered by Hunt Intelligence.
One irony is that the attacker's infrastructure includes detailed operational security steps for everyone involved in the criminal enterprise, requiring they use split tunneling, encrypt target lists, avoid honeypots and delete the group's own packet traffic captures, said Brazilian threat intelligence firm Zenox.
"And yet, it left the entire working directory open on the internet, with the private SSH key (cyberstrike_key), the Telegram bot token and the Hashtopolis access keys exposed," Zenox said. The firm also found that the attackers had installed CyberStrike, an open-source agentic penetration testing tool offering attack automation and orchestration capabilities, on their operational server.
Zenox said the attack infrastructure didn't reveal exactly how attackers might be using the artificial intelligence-powered tool, and other researchers expressed skepticism it delivered any advantage. "It doesn't look like that bit worked very well," said British security expert Kevin Beaumont.
"The sloppy nature of the security around the attacker suggests less nation state and more Advanced Persistent Teenagers," Beaumont said.
Regardless, he said the group also appeared to have cracked about 170,000 Active Directory account passwords after using the edge devices to gain initial access and then moving laterally through victims' environments.
Rajić, a liaison member of the Forum of Incident Response and Security Teams, said the database of stolen credentials is already beginning to circulate on underground cybercrime sites. "As with any major data breach, it is likely only a matter of time before someone leaks the full dataset publicly," he said.
A subset of the amassed data appears to have been offered for sale beginning Saturday, in a darknet market post advertising 35,000 of the stolen Fortinet and FortiGate gateway credentials, said threat intelligence firm Kela.