FortiBleed Attack Hit 430,000+ FortiGate Firewalls, Stealing 110M+ Credentials

Cybersecurity News · Industry News & Leadership · Jun 24, 2026



By Guru Baran, June 24, 2026

A large-scale, ongoing credential-harvesting campaign dubbed “FortiBleed” has silently compromised more than 430,000 FortiGate firewalls globally, siphoning over 110 million credentials directly from live network traffic since at least February 2026. The campaign came to light after security researcher Volodymyr “Bob” Diachenko discovered an exposed directory on 85.11.187[.]8:9999.

FortiBleed is not a single intrusion; it is a sustained, industrialized credential-collection operation in which threat actors turned enterprise-grade FortiGate firewalls into covert listening posts.

Every FortiGate firewall sits at the boundary of a network, where it sees all authentication traffic passing through it. The attackers exploited this privileged vantage point by abusing a native FortiOS diagnostic command, diagnose sniffer packet, to intercept and extract usernames, passwords, and password hashes from live traffic in real time, without triggering perimeter alarms.

The operation, tracked by SOCRadar’s Threat Research Unit, has been active since at least February 2026 and is attributed to a financially motivated initial access broker (IAB) with a likely Russian-language origin, potentially selling access to ransomware or state-aligned groups.

New FortiGateSniffer Tool

At the heart of the operation is a custom-built Golang tool called FortiGateSniffer, designed to monitor 24 network protocols simultaneously and parse authentication data from intercepted network flows. The tool is driven through FortiOS’s own diagnostic command interface, effectively weaponizing a legitimate administrative feature against the organizations it was meant to protect. Notably, parts of the attack workflow appear to be assisted by an AI-powered autonomous penetration testing agent, marking a significant escalation in adversarial automation.
Approximately 66% of victims have fewer than 200 employees, and 89.5% report under $100M in annual revenue, confirming this is mass opportunistic exploitation targeting organizations large enough to run FortiGate infrastructure but rarely staffed to detect such a compromise. Victims span the United States, India, and other regions, with exposure ranging from sub-100-million-dollar companies to Fortune Global 500 enterprises. At the time of SOCRadar’s analysis, more than 80,553 FortiGate devices and 23,406 unique domains were implicated, with active sniffing still observed on over 19,000 firewalls.

[Figure: Attackers’ infrastructure diagram (source: SOCRadar)]

The infrastructure also includes a distributed GPU password-cracking cluster orchestrated with Hashtopolis and a custom Telegram bot, highlighting the industrial scale of the operation.

Five-Phase FortiBleed Attack Chain

SOCRadar researchers identified that FortiBleed follows a methodical five-phase attack chain, blending mass automation with targeted exploitation.

[Figure: FortiBleed five-stage attack chain (source: SOCRadar)]

1. Credential Sourcing & Recon: Attackers use leaked credentials, custom wordlists, and internet scanning tools to identify exposed FortiGate devices and profile targets.
2. Initial Access: Automated tools pair discovered hosts with credentials to target FortiGate, Synology, and MSSQL services, validating access opportunities.
3. Traffic Harvesting: After gaining SSH access, a custom FortiGate sniffer captures sensitive traffic and extracts credentials and authentication hashes.
4. Credential Exploitation: Stolen hashes are cracked and used for Active Directory enumeration, privilege escalation, and credential reuse.
5. Data Exfiltration: Attackers steal data from SMB/DFS shares and replay captured web cookies to hijack authenticated sessions and maintain persistent access.
The campaign is global, with no single dominant region, though India (11.4%) and the United States (10.1%) lead by affected domains, followed by Taiwan, Mexico, Turkey, the UAE, and Malaysia. South and Southeast Asia collectively account for approximately 27% of affected domains.

[Figure: Top 15 countries by affected domains (source: SOCRadar)]

Defenders are urged to immediately rotate FortiGate-related VPN and admin credentials, enforce multi-factor authentication, and remove management interfaces from direct internet exposure. Organizations should also search logs and telemetry for FortiBleed infrastructure indicators, FortiGateSniffer artifacts, anomalous RADIUS/NTLM/Kerberos activity, and suspicious SSH access to FortiGate devices, while hardening detection around gateway-level network sniffing and large-scale credential harvesting.
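As an added example (not code from the article or from SOCRadar) of the log search recommended above, the Python below runs three checks over constructed FortiGate-style key="value" log lines: admin SSH logins from outside a management allowlist, invocation of diagnose sniffer packet from the CLI, and sessions to the 85.11.187[.]8:9999 collection host named in the article. The field names, in particular the logdesc/msg wording of the CLI-command event, are assumptions and must be mapped onto real telemetry.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample lines in FortiGate key="value" syslog style. The logdesc/msg
# wording of the CLI-command event is an assumption, not taken from a FortiOS release.
SAMPLE_LOGS = [
    'date=2026-06-20 time=03:14:07 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="ssh(198.51.100.77)" srcip=198.51.100.77 '
    'msg="Administrator admin logged in successfully from ssh(198.51.100.77)"',
    'date=2026-06-20 time=03:14:32 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Admin command" user="admin" ui="ssh(198.51.100.77)" srcip=198.51.100.77 '
    'msg="diagnose sniffer packet any"',
    'date=2026-06-20 time=03:15:01 devname="FGT-EDGE-01" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=85.11.187.8 dstport=9999 action="accept"',
    'date=2026-06-20 time=09:02:11 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="https(10.0.0.20)" srcip=10.0.0.20 '
    'msg="Administrator netops logged in successfully from https(10.0.0.20)"',
]

# Indicator taken from the article: the exposed collection directory on 85.11.187[.]8:9999.
FORTIBLEED_COLLECTOR = ("85.11.187.8", "9999")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split a key=value / key="quoted value" line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(lines: List[str], admin_allowlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for the three FortiBleed indicators the article names."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("type") == "event":
            ui = f.get("ui", "")
            # 1. Admin SSH login from a source that is not a known management host.
            if "login" in f.get("logdesc", "").lower() and ui.startswith("ssh") \
                    and f.get("srcip") not in admin_allowlist:
                findings.append(("ssh_admin_login_unexpected_source", f"{f.get('user')} from {f.get('srcip')}"))
            # 2. The built-in packet sniffer being invoked from the CLI.
            if "diagnose sniffer packet" in f.get("msg", ""):
                findings.append(("packet_sniffer_invoked", f"{f.get('user')} via {ui}"))
        elif f.get("type") == "traffic":
            # 3. Any session towards the collection server reported in the article.
            if (f.get("dstip"), f.get("dstport")) == FORTIBLEED_COLLECTOR:
                findings.append(("fortibleed_collector_contact", f"{f.get('srcip')} -> {f['dstip']}:{f['dstport']}"))
    return findings
```

Calling analyze(SAMPLE_LOGS, {"10.0.0.20"}) flags the first three sample lines and leaves the HTTPS login from the allowlisted management host alone.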