Published on June 23, 2026
FortiBleed Campaign Uses FortigateSniffer to Harvest Credentials From Fortinet Firewalls
Severity
Medium
Detail
A large-scale credential harvesting campaign known as “FortiBleed” has been identified targeting Fortinet FortiGate firewalls, where threat actors are abusing exposed or weakly secured devices to capture authentication data at massive scale. Research from the SOCRadar Threat Research Unit (STRU) indicates that the operation has resulted in the compromise of over 110 million credentials, with attackers turning vulnerable firewall deployments into passive surveillance points across enterprise networks.
The campaign is attributed to a financially motivated Initial Access Broker with possible Russian origin indicators. The infrastructure used in the operation spans multiple regions, including Russian and Ukrainian networks, complicating attribution efforts.
How?
The attack begins with reconnaissance activity where threat actors use tools such as Masscan and Shodan to identify internet-facing FortiGate firewall devices. Once exposed targets are identified, attackers attempt to gain access through SSH brute-force attacks against administrative accounts.
After gaining access, the attackers deploy a custom tool called FortigateSniffer, developed in Golang, which abuses the legitimate FortiOS diagnostic command “diagnose sniffer packet”. This command is normally used for troubleshooting network traffic but is repurposed in this campaign to silently capture authentication traffic across multiple protocols.
FortigateSniffer is used to intercept credentials and authentication data from up to 24 different protocols, including NTLM, Kerberos, and RADIUS. The tool operates passively, allowing attackers to collect authentication information without triggering standard detection mechanisms.
The harvested credentials are then processed using distributed GPU-based cracking infrastructure powered by tools such as Hashtopolis and Hashcat, often leveraging rented compute resources. Once credentials and session data are recovered, attackers use them for persistent access and lateral movement within victim networks, enabling further exploitation and data exfiltration.
Attackers maintained a structured and automated workflow supported by offensive tooling environments, including Kali Linux virtual machines and automation frameworks such as CyberStrike. The use of FortiOS diagnostic functionality as a data collection mechanism highlights a shift toward abusing legitimate administrative tools for covert credential harvesting.
Impact
The FortiBleed campaign has resulted in the harvesting of over 110 million credentials and has impacted a wide range of organizations globally. STRU documented more than 659 harvesting cycles, indicating a highly automated and scalable operation. Victim analysis shows that small and medium-sized businesses, particularly in the IT services sector with fewer than 200 employees, are disproportionately affected due to weaker security configurations.
At least one confirmed breach involved a NATO-aligned defense contractor, where sensitive data was exfiltrated following credential compromise. The overall impact includes large-scale credential exposure, unauthorized access to internal networks, and potential long-term persistence within compromised environments.
Recommendation
Organizations are advised to audit FortiGate firewall configurations and ensure that administrative interfaces are not exposed to the internet. Strong authentication controls should be enforced for all administrative access, and unnecessary diagnostic features such as packet-sniffing commands should be disabled where possible.
Security teams should monitor for unusual or unauthorized use of diagnostic commands, particularly those related to packet capture functionality. It is also recommended to implement continuous monitoring of authentication traffic and review firewall logs for suspicious activity.
Additionally, organizations should apply strict access controls, enforce multi-factor authentication, and review Indicators of Compromise provided by researchers to support detection and incident response efforts.
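One way to act on the monitoring recommendation above is to run FortiGate event logs through a small detector that flags executions of the packet-sniffer diagnostic and SSH administrator brute-force patterns. The code below is an added example, not tooling from the advisory or from SOCRadar; the log lines are constructed in the key="value" layout FortiOS uses, with documentation-range addresses, and the field names (user, ui, action, status, msg) are assumed rather than taken from a specific FortiOS release.

```python
import re
from collections import Counter

# Constructed FortiGate-style event records (not real campaign data); the
# source 203.0.113.5 is a documentation address, "jsconsole" a GUI CLI session.
SAMPLE_LOGS = """\
date=2026-06-20 time=03:12:01 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="failed" msg="Administrator admin login failed from ssh(203.0.113.5)"
date=2026-06-20 time=03:12:02 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="failed" msg="Administrator admin login failed from ssh(203.0.113.5)"
date=2026-06-20 time=03:12:03 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="failed" msg="Administrator admin login failed from ssh(203.0.113.5)"
date=2026-06-20 time=03:15:07 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="login" status="success" msg="Administrator admin login successful from ssh(203.0.113.5)"
date=2026-06-20 time=03:16:40 type="event" subtype="system" user="admin" ui="ssh(203.0.113.5)" action="execute" msg="diagnose sniffer packet any 'port 88 or port 1812' 3"
date=2026-06-20 time=09:00:00 type="event" subtype="system" user="netops" ui="jsconsole" action="execute" msg="diagnose sniffer packet port1 'icmp' 4"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def ui_source(ui):
    """ssh(203.0.113.5) -> 203.0.113.5; console/GUI session names pass through."""
    m = re.search(r'\((.*?)\)', ui or "")
    return m.group(1) if m else ui

def find_sniffer_use(records):
    """Every run of the sniffer diagnostic, with who ran it and from where."""
    return [{"user": r.get("user"), "source": ui_source(r.get("ui")), "command": r["msg"]}
            for r in records if r.get("msg", "").startswith("diagnose sniffer packet")]

def find_ssh_bruteforce(records, threshold=3):
    """Sources with >= threshold failed SSH admin logins and whether one later succeeded."""
    failed = Counter(ui_source(r.get("ui")) for r in records
                     if r.get("action") == "login" and r.get("status") == "failed"
                     and (r.get("ui") or "").startswith("ssh("))
    succeeded = {ui_source(r.get("ui")) for r in records
                 if r.get("action") == "login" and r.get("status") == "success"}
    return {src: {"failures": n, "later_success": src in succeeded}
            for src, n in failed.items() if n >= threshold}

if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("sniffer runs:", find_sniffer_use(recs))
    print("brute-force sources:", find_ssh_bruteforce(recs))
```

Every sniffer execution is reported so that analysts can compare it against the change window and operator who should have been troubleshooting; a hit that follows a burst of failed SSH logins from the same source is the pattern this campaign leaves.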
Conclusion
The FortiBleed campaign demonstrates a highly scalable credential harvesting operation that abuses legitimate FortiGate firewall functionality to intercept authentication data across multiple protocols. With over 110 million credentials reportedly collected, this campaign highlights the growing trend of attackers leveraging trusted network security appliances for large-scale credential theft and long-term network compromise.
Indicator of Compromise (IOC)

Source
https://gbhackers.com/fortibleed-campaign-uses-fortigatesniffer-to-harvest-110-million-credentials/
https://socradar.io/resources/whitepapers/dismantling-fortibleed-inside-a-russian-fortinet-compromise-operation/
