A substantial cybersecurity campaign, dubbed "FortiBleed," has emerged, revealing the exposure of approximately 75,000 Fortinet firewalls worldwide. This security breach poses a significant risk to organizations across 194 countries, providing potential long-term access for attackers.
The issue was brought to light by security researcher Volodymyr Diachenko, who reported the existence of a list comprising working FortiGate passwords collected through various means. Following this, SOCRadar identified an operational server owned by an unknown threat actor containing stolen credentials, hacking tools, and victim information.
Attribution to the attackers remains under investigation, although SOCRadar noted that the operational methods align with those typically associated with Russian-speaking cybercriminals. Reports confirm that the attackers systematically extracted configuration files from internet-facing FortiGate firewalls to retrieve administrative credentials, although the initial vector of attack is still unidentified.
Benjamin Harris, CEO of watchTowr, emphasized the unsettling trend in modern exploitation, underscoring that such campaigns prioritize harvesting data that retains its value long after vulnerabilities have been patched.
The compromised credentials were acquired by exploiting various vulnerabilities affecting highly sensitive Fortinet applications. SOCRadar, together with analyses from other security experts, found that 30,791 devices were initially reported as compromised; further investigation revealed that the actual number is close to 75,000, roughly half of all internet-facing Fortinet firewalls cataloged.
The breach affects devices across 194 countries, including the US, India, and Mexico, which account for nearly 12,000 compromised credentials. Notably, the dataset includes a range of administrative and SSL VPN credentials, and the operation is notable for its automation capabilities, allowing criminals to collect and crack credentials en masse.
Previous analyses have indicated that many vulnerable Fortinet devices relied on outdated password hashing methods, which withstand offline cracking far less well than modern schemes. Fortinet has introduced PBKDF2-based password hashing in the latest versions of FortiOS, but a significant number of deployments may still be using the less secure hashing mechanisms.
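To make the offline-resistance point concrete, the following added example (not code from the article or from Fortinet) measures the per-guess cost of an assumed legacy scheme, a single salted SHA-256, against PBKDF2-HMAC-SHA256 with a configurable iteration count. The legacy scheme, the iteration count and the sample passwords are constructed assumptions, not FortiOS's actual formats.

```python
"""Added example: why a PBKDF2 work factor blunts offline cracking.

A leaked hash can be attacked offline at whatever rate the hash function
allows. The ratio computed here is how many times more expensive each
guess becomes under PBKDF2 than under a single fast hash.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor, not a vendor value


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Assumed legacy scheme: one salted SHA-256 round (stand-in, not FortiOS).
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    # Modern scheme: PBKDF2-HMAC-SHA256 with a high iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(stored: bytes, candidate: str, salt: bytes, hasher) -> bool:
    # Constant-time comparison so the verifier itself leaks no timing signal.
    return hmac.compare_digest(stored, hasher(candidate, salt))


def seconds_per_guess(hasher, salt: bytes, guesses: int) -> float:
    # Time `guesses` candidate passwords through `hasher` and average.
    start = time.perf_counter()
    for i in range(guesses):
        hasher(f"candidate-{i}", salt)  # constructed sample guesses
    return (time.perf_counter() - start) / guesses


def work_factor_ratio(iterations: int = PBKDF2_ITERATIONS,
                      fast_guesses: int = 5000, slow_guesses: int = 3) -> float:
    # Ratio of PBKDF2 cost per guess to legacy cost per guess on this host.
    salt = os.urandom(16)
    fast = seconds_per_guess(legacy_hash, salt, fast_guesses)
    slow = seconds_per_guess(lambda p, s: pbkdf2_hash(p, s, iterations), salt, slow_guesses)
    return slow / fast


if __name__ == "__main__":
    print(f"PBKDF2 guess cost is ~{work_factor_ratio():.0f}x the legacy hash cost")
```

The absolute numbers depend on the host, but the ratio scales with the iteration count, which is the quantity a defender tunes when retiring a legacy hash format.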
In light of the breach, security researchers have advised organizations to assume that any credentials found in exposed configuration files have been compromised. They recommend immediate rotation of administrative and VPN passwords and suggest implementing multi-factor authentication (MFA) as an essential security measure. Organizations are also advised to upgrade to supported versions of FortiOS and to ensure that every administrator account logs in after the upgrade so that the updated security features take effect.
For further reference, resources regarding these recommendations and responses can be found in various cybersecurity guidelines.