# Incident Report: FortiBleed Campaign Credential Exposure
## Executive Summary
The "FortiBleed" campaign resulted in the exposure of a dataset containing valid administrative and SSL VPN credentials for 73,932 Fortinet FortiGate firewalls across 194 countries. Attributed to a Russian-speaking threat group, the incident involves high-scale credential harvesting and offline cracking, leading to confirmed intrusions into government, critical infrastructure, and defense sectors. Total remediation requires immediate credential rotation and the implementation of multi-factor authentication (MFA).
## Incident Details
- **Discovery Date:** June 13, 2026
- **Incident Date:** Active campaign identified/disclosed June 2026
- **Affected Organization:** 21,600+ domains (including a Turkish NATO defense contractor)
- **Sector:** Government, Telecommunications, Financial Services, Healthcare, Manufacturing, and Critical Infrastructure
- **Geography:** Global (194 countries; specifically noted: Japan, Taiwan, Vietnam, Iraq, and Türkiye)
## Timeline of Events
### Initial Access
- **Date/Time:** Preceding June 2026 (Ongoing)
- **Vector:** Credential Stuffing / Exported Configuration Parsing
- **Details:** Attackers conducted 1.16 billion credential attempts against FortiGate targets and 2.1 billion attempts against MSSQL systems. Access was also gained by extracting authentication hashes from exported FortiGate configuration files.
### Lateral Movement
- **Details:** Upon gaining entry via recovered VPN/Admin credentials, attackers used Python-based scripts (`ad_enum.py`, `ad_full_audit.py`) to enumerate Active Directory (AD) and LDAP environments.
### Data Exfiltration/Impact
- **Details:** Documented exfiltration of classified documents from a NATO defense contractor. Infrastructure analysis revealed scripts for SMB/DFS collection and staged exfiltration (`backup_dfs.py`, `spider.py`).
### Detection & Response
- **Discovery:** Reported by researcher Volodymyr "Bob" Diachenko on June 13, 2026.
- **Response Actions:** Validation of credentials by Hudson Rock and Kevin Beaumont; release of a public lookup tool for affected domains; issuance of global advisories for credential rotation.
## Attack Methodology
- **Initial Access:** Credential stuffing and offline cracking of SSL VPN hashes.
- **Persistence:** Maintaining access via valid administrative credentials and remote access protocols (VNC, RDP).
- **Privilege Escalation:** Active Directory enumeration and LDAP auditing.
- **Defense Evasion:** Use of log-clearing markers and offline cracking (which leaves no logs on the target device).
- **Credential Access:** 45-GPU cluster managed via Hashtopolis; intercepting SSL VPN hashes; password spraying.
- **Discovery:** Bulk scanning of 320,777 FortiGate targets and 163,650 MSSQL systems.
- **Lateral Movement:** SSH, VNC, RDP, and SMB/DFS exploitation.
- **Collection:** SMB and DFS "spidering" to identify and stage files.
- **Exfiltration:** Automated scripts for staged data theft.
- **Impact:** Unauthorized access to critical edge security infrastructure and theft of classified data.
## Impact Assessment
- **Financial:** High (potential for ransomware or corporate espionage; costs of global credential resets).
- **Data Breach:** Exposure of 73,932 valid administrative/VPN credentials; theft of classified defense documents.
- **Operational:** Massive business disruption requiring the auditing of tens of thousands of firewalls.
- **Reputational:** Critical; impact on multinational corporations and government trusts.
## Indicators of Compromise
- **Network indicators:**
  - 85[.]11[.]187[.]8 (Source IP)
  - 85[.]11[.]187[.]0/24 (Associated range)
  - Activity on Port 9999 (HTTP), SSH, VNC, RDP.
- **File indicators:**
  - `fg_capture.log`, `hashpanel.log`, `setup_hashtopolis.sh`, `ad_enum.py`, `backup_dfs.py`, `spray_results.txt`.
- **Behavioral indicators:**
  - Large-scale automated login attempts; unauthorized configuration file exports; unusual administrative logins from AS211486.
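As an added detection example (not part of the original report), the following Python walks constructed FortiGate-style key=value event lines and flags the three behavioral indicators listed above: a burst of failed logins from one source, configuration exports (the input to offline hash cracking), and successful administrative actions from the 85[.]11[.]187[.]0/24 range. The field names (`action`, `status`, `srcip`, `ui`) and the sample lines are assumptions; only the IP range comes from the report.

```python
import ipaddress
import re
from datetime import datetime

# Constructed FortiGate-style key=value event lines. Field names are assumed,
# not taken from vendor documentation; 85.11.187.0/24 is the IoC from the report.
SAMPLE_LOGS = """\
date=2026-06-13 time=02:14:01 type=event subtype=system action=login status=failed user=admin srcip=203.0.113.7 ui=https
date=2026-06-13 time=02:14:02 type=event subtype=system action=login status=failed user=admin srcip=203.0.113.7 ui=https
date=2026-06-13 time=02:14:03 type=event subtype=system action=login status=failed user=admin srcip=203.0.113.7 ui=https
date=2026-06-13 time=02:14:04 type=event subtype=system action=login status=failed user=admin srcip=203.0.113.7 ui=https
date=2026-06-13 time=02:14:05 type=event subtype=system action=login status=failed user=admin srcip=203.0.113.7 ui=https
date=2026-06-13 time=02:14:06 type=event subtype=system action=login status=failed user=admin srcip=203.0.113.7 ui=https
date=2026-06-13 time=03:20:10 type=event subtype=system action=login status=success user=admin srcip=85.11.187.8 ui=ssh
date=2026-06-13 time=03:22:45 type=event subtype=system action=backup status=success user=admin srcip=85.11.187.8 msg="Configuration backed up"
date=2026-06-13 time=08:00:00 type=event subtype=system action=login status=success user=netops srcip=10.0.5.20 ui=https
"""

IOC_RANGE = ipaddress.ip_network("85.11.187.0/24")  # associated range from the report
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"

def parse(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect(log_text, fail_threshold=5, window_s=60):
    """Return (alert_type, srcip) tuples, one per indicator hit, in log order."""
    alerts = []
    failures = {}  # srcip -> timestamps of recent failed logins (sliding window)
    for ev in map(parse, log_text.splitlines()):
        if not ev:
            continue
        src = ev.get("srcip", "")
        ts = datetime.fromisoformat(f"{ev['date']}T{ev['time']}")
        # 1. any successful admin action originating from the published IoC range
        if ev.get("status") == "success" and src and ipaddress.ip_address(src) in IOC_RANGE:
            alerts.append(("ioc_range_success", src))
        # 2. configuration export/backup: the artifact attackers crack offline
        if ev.get("action") == "backup":
            alerts.append(("config_export", src))
        # 3. burst of failed logins from one source inside the window (alert once)
        if ev.get("action") == "login" and ev.get("status") == "failed":
            hist = failures.setdefault(src, [])
            hist.append(ts)
            hist[:] = [t for t in hist if (ts - t).total_seconds() <= window_s]
            if len(hist) == fail_threshold:
                alerts.append(("login_burst", src))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOGS))
```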
## Response Actions
- **Containment:** Restrict internet exposure of FortiGate management interfaces.
- **Eradication:** Immediate rotation of all administrative and SSL VPN passwords.
- **Recovery:** Implementation of Multi-Factor Authentication (MFA) across all endpoints.
## Lessons Learned
- **Key Takeaways:** Management interfaces exposed to the public internet remain a primary high-risk vector. Offline cracking of configuration files means an entity can be compromised without seeing "live" failed login spikes.
- **Improvements:** Organizations must prohibit the storage of configurations in insecure locations and ensure that management ports are only accessible via trusted internal jump boxes or VPNs with MFA.
## Recommendations
- **MFA:** Enforce Multi-Factor Authentication for all VPN and Administrative access—no exceptions.
- **Attack Surface Management:** Disable "Administrative Access" on WAN-facing interfaces.
- **Patch Management:** Ensure FortiOS is updated to versions that harden configuration file encryption.
- **Monitoring:** Set alerts for any modifications to firewall configuration files or unauthorized administrative account creation.