Campaign Overview
Security researchers have uncovered a massive cyber espionage campaign dubbed FortiBleed, which has compromised over 73,932 unique Fortinet firewall URLs across 194 countries. The operation, first identified by researcher Volodymyr Diachenko and analyzed by Hudson Rock, represents an automated, industrial-scale attack targeting FortiGate devices and SSL VPN gateways. Threat actors executed an estimated 1.16 billion credential-based attempts against more than 320,000 FortiGate targets, while also launching 2.1 billion brute-force attempts against over 160,000 MSSQL servers, resulting in 21,632 unique compromised domains. The campaign is attributed to a Russian-speaking cybercriminal group that systematically scanned the internet for exposed Fortinet instances and tested them against historical credential leaks harvested by infostealer malware.
Technical Vectors and Impact
Once initial access is gained, attackers pivot directly into internal Active Directory environments, enabling persistent network access. A key technical vector involves active interception of SSL VPN authentication hashes, which are cracked offline using a dedicated 45-GPU cluster managed via Hashtopolis. The confirmed victims span multiple sectors globally, including organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey. Critically, a Turkish NATO defense contractor had classified defense documents exfiltrated. The compromised credential database includes major enterprises such as Foxconn, Samsung, Siemens, Lenovo, Oracle, PwC, Accenture, and Comcast, along with numerous government entities. The campaign demonstrates that password complexity offers little protection, as many complex 20-character passwords were already present in plaintext within previously harvested infostealer databases.
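As an added defender-side example (not from the original report or from Hudson Rock's analysis), the following Python flags the credential-stuffing pattern described above in FortiGate-style SSL VPN event logs: a single source IP failing logins across many distinct usernames within a short window, and any username from that burst that subsequently succeeded. The log lines are constructed, and the field names (action, remip, user) are assumed to follow FortiGate's key=value event format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate-style key=value syslog format (assumption:
# field names modelled on FortiGate SSL VPN event logs; not taken from a real device).
SAMPLE_LOGS = """\
date=2025-01-10 time=02:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="alice" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=02:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=02:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="carol" reason="sslvpn_login_unknown_user"
date=2025-01-10 time=02:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="dave" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=02:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="erin" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=02:00:06 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="erin"
date=2025-01-10 time=02:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.9 user="frank" reason="sslvpn_login_permission_denied"
date=2025-01-10 time=02:05:30 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.9 user="frank"
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields

def detect_stuffing(log_text, window=timedelta(minutes=5), min_fails=5, min_users=3):
    """Flag source IPs with >= min_fails SSL VPN login failures spread over
    >= min_users distinct usernames inside `window`; also report which of those
    usernames later established a tunnel from the same IP (likely a valid leaked credential)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails = defaultdict(list)    # remip -> [(timestamp, user), ...]
    successes = defaultdict(set) # remip -> {user, ...}
    for e in events:
        ts = datetime.fromisoformat(f"{e['date']} {e['time']}")
        if e.get("action") == "ssl-login-fail":
            fails[e["remip"]].append((ts, e.get("user", "")))
        elif e.get("action") == "tunnel-up":
            successes[e["remip"]].add(e.get("user", ""))
    alerts = {}
    for ip, items in fails.items():
        items.sort()
        for i, (start, _) in enumerate(items):   # sliding window from each failure
            burst = [u for t, u in items[i:] if t - start <= window]
            if len(burst) >= min_fails and len(set(burst)) >= min_users:
                alerts[ip] = {"failures": len(burst), "distinct_users": len(set(burst)),
                              "followed_by_success": sorted(successes[ip] & set(burst))}
                break
    return alerts
```

Thresholds are deliberately conservative; in production, feed the alert into blocking or MFA step-up rather than relying on password complexity, which the campaign shows does not help when the password is already in an infostealer dump.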
Source: Cyber Security News