Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed. The number of compromised devices stands at
Analysis Summary
# Incident Report: FortiBleed Credential Stuffing Campaign
## Executive Summary
A massive, automated credential-based campaign codenamed **FortiBleed** has compromised 86,644 Fortinet FortiGate appliances globally. Attributed to Russian-speaking threat actors, the attack leverages default credentials and legacy hashing vulnerabilities to gain initial access and harvest further network credentials. The campaign has impacted critical sectors including government, telecom, and education across multiple countries.
## Incident Details
- **Discovery Date:** June 18-19, 2026 (Public CISA warning/SOCRadar report)
- **Incident Date:** Ongoing as of June 2026
- **Affected Organization:** Global Fortinet FortiGate users (86,644+ devices)
- **Sector:** Telecom, Government, Education, and Global Enterprises
- **Geography:** Global (Primary hotspots: India, U.S., Mexico, Colombia, Thailand)
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to June 2026 (Ongoing)
- **Vector:** Credential Stuffing and Brute-Force
- **Details:** Attackers mass-scanned the internet for Fortinet remote login endpoints. They utilized automated tools to spray endpoints with leaked password lists and factory default credentials.
### Lateral Movement
- **Details:** While primarily focusing on gateway compromise, once access is obtained, attackers monitor internal network traffic passing through the FortiGate devices to harvest additional legitimate credentials for further movement or deeper compromise.
### Data Exfiltration/Impact
- **Details:** Systematic harvesting of valid administrator and user credentials. These are verified and compiled into a confirmed "working login" database for potential sale or secondary exploitation.
### Detection & Response
- **Detection:** Identified through threat intelligence monitoring and analysis of internet-facing exposures by security firms like SOCRadar and Hudson Rock.
- **Response:** CISA issued a formal warning on June 18, 2026; UK NCSC provided advisory guidance; Fortinet released patches/firmware updates to improve password hashing mechanisms.
## Attack Methodology
- **Initial Access:** Automated brute-force, dictionary attacks, and credential stuffing targeting internet-facing login portals.
- **Persistence:** Maintaining access through confirmed valid credentials; exploitation of legacy configuration files where hashes were weakly stored.
- **Privilege Escalation:** Exploiting generic admin (35%) and built-in system accounts (28.3%) to gain full appliance control.
- **Defense Evasion:** Use of legitimate credentials to blend in with normal administrative traffic.
- **Credential Access:** Monitoring live network traffic through compromised firewalls to sniff new credentials; exploiting legacy SHA-256 configuration storage.
- **Discovery:** Global mass-scanning for remote login endpoints.
- **Lateral Movement:** Passive collection of credentials from traffic passing through the gateway.
- **Collection:** Automated verification of credentials and database compilation.
- **Exfiltration:** Transferring verified credential databases to actor-controlled infrastructure.
- **Impact:** Total loss of perimeter integrity and unauthorized access to thousands of corporate networks.
## Impact Assessment
- **Financial:** High (Costs associated with incident response, password resets, and potential secondary data breaches).
- **Data Breach:** Exposure of 86,644 sets of valid credentials, including organizational-specific admin logins.
- **Operational:** High potential for disruption if attackers utilize access to alter firewall rules or shut down VPN services.
- **Reputational:** Significant impact for organizations still using default credentials or outdated firmware.
## Indicators of Compromise
- **Network indicators:** Mass-scanning activity from unidentified IPs; high-frequency login attempts on FortiGate management interfaces.
- **File indicators:** Legacy configuration files containing SHA-256 hashes (susceptible to cracking).
- **Behavioral indicators:** Unauthorized logins from unusual geographic locations; administrative logins at odd hours using default account names (e.g., "admin").
## Response Actions
- **Containment:** Blocking known malicious scanning IPs at the network perimeter.
- **Eradication:** Mandating global password resets for all administrative and VPN accounts.
- **Recovery:** Upgrading FortiOS to versions 7.2.11, 7.4.8, or 7.6.1+ to implement PBKDF2-based password hashing.
## Lessons Learned
- **Credential Hygiene:** Failure to rename default "admin" accounts and rotate factory credentials was the primary driver of this campaign's success.
- **Legacy Risk:** Upgrading software alone is sometimes insufficient; legacy data (like old password hashes in config files) must be actively managed/refreshed.
- **Visibility:** Internet-facing management interfaces remain the most significant surface area for automated attacks.
## Recommendations
- **Rename Default Accounts:** Immediately change default "admin" usernames.
- **Enforce MFA:** Implement Multi-Factor Authentication (MFA) for all administrative and VPN access.
- **Firmware Updates:** Ensure all FortiGate devices are running versions that support PBKDF2 hashing.
- **Access Control:** Restrict access to management interfaces (HTTPS/SSH) to specific trusted IP ranges rather than the open internet.