According to the research, the threat actor operates an automated infrastructure that scans the internet for Fortinet devices and attempts authentication using a curated set of previously leaked or compromised credentials. Successful logins are recorded and continuously revali...
# Incident Report: FortiBleed Credential Compromise Campaign
## Executive Summary
An unknown threat actor deployed an automated infrastructure to scan the internet for Fortinet devices and conduct large-scale credential stuffing attacks using previously leaked data. The campaign successfully compromised numerous SSL VPN and management interfaces across multiple global sectors, creating a persistent database of validated credentials for potential follow-on exploitation. The primary impact was unauthorized access and the further harvesting of credentials to expand the attack surface.
## Incident Details
- **Discovery Date:** June 16, 2026 (Publication Date)
- **Incident Date:** Ongoing campaign identified in 2026
- **Affected Organization:** Multiple (Global)
- **Sector:** Government, Telecommunications, Healthcare, Education, Energy, and Commercial
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing
- **Vector:** Credential Stuffing / Public Exposure Abuse
- **Details:** Automated bots scanned for Fortinet FortiGate devices (SSL VPN and management interfaces) on standard and non-standard HTTPS ports. Attempted logins used a curated list of leaked or previously compromised credentials.
### Lateral Movement
- **Details:** Once access was gained, compromised devices were reportedly used as pivot points to collect additional internal credentials and validate them against other resources, expanding the victim pool.
### Data Exfiltration/Impact
- **Details:** The primary impact involved the exfiltration of "confirmed working credentials" into a centralized attacker-controlled database. This allows for persistent, long-term access to victim environments.
### Detection & Response
- **How it was discovered:** Security research and analysis of automated scanning patterns and unauthorized authentication logs.
- **Response actions taken:** Fortinet PSIRT issued an analysis; researchers publicized findings to alert organizations to rotate credentials and harden interfaces.
## Attack Methodology
- **Initial Access:** Valid Accounts (Credential Stuffing) via exposed HTTPS management interfaces and VPNs.
- **Persistence:** Continuous re-validation of compromised credentials to ensure the "database" remains current.
- **Privilege Escalation:** Use of administrative and organization-specific accounts found in leaked datasets.
- **Defense Evasion:** Use of automated scanning infrastructure, potentially including compromised legitimate hosts, so that scan and login traffic blends in with ordinary sources.
- **Credential Access:** Credential Harvesting from compromised devices; Credential Stuffing.
- **Discovery:** Internet-wide scanning for specific Fortinet signatures and non-standard ports.
- **Lateral Movement:** Credential reuse across the victim’s infrastructure.
- **Collection:** Automated recording of successful login pairs.
- **Exfiltration:** Transfer of validated credential sets to attacker C2.
- **Impact:** Potential for full network breach, data theft, or ransomware deployment following credential validation.
## Impact Assessment
- **Financial:** Unknown; potential for high costs related to remediation and incident response for affected organizations.
- **Data Breach:** High volume of administrative and user credentials (SSL VPN logins).
- **Operational:** High risk of business disruption if attackers leverage validated credentials for secondary attacks (e.g., Ransomware).
- **Reputational:** Significant impact for organizations in sensitive sectors like Healthcare and Government.
## Indicators of Compromise
- **Network indicators:** High frequency of authentication attempts from varied IPs; scans targeting ports 443, 10443, and 8443.
- **Behavioral indicators:** Successful logins from unusual geographic locations or at anomalous times; failed login spikes followed by a single successful administrative login.
## Response Actions
- **Containment measures:** Disable internet-facing management interfaces where not strictly necessary.
- **Eradication steps:** Mass password resets for all administrative and VPN accounts.
- **Recovery actions:** Implement Multi-Factor Authentication (MFA) across all Fortinet access points.
## Lessons Learned
- **Key takeaways:** Password reuse remains a Tier-1 risk; automated credential stuffing is highly effective when targeting widely deployed edge appliances.
- **What could have been done better:** Organizations failed to implement MFA and left management interfaces exposed to the public internet without IP whitelisting.
## Recommendations
- **Enforce MFA:** Mandatory Multi-Factor Authentication for all SSL VPN and management access.
- **Minimize Exposure:** Disable administrative access on WAN interfaces or restrict it to specific trusted IP ranges (ACLs).
- **Credential Hygiene:** Implement strict policies against password reuse and ensure default credentials are changed immediately upon deployment.
- **Monitoring:** Set up alerts for multiple failed login attempts followed by a success on edge networking equipment.
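The behavioral indicator listed above (a burst of failed logins from one source followed by a single successful, often administrative, login) and the monitoring recommendation can be turned into a small detection. The example below is added here and is not code from the report or from Fortinet; the log lines are constructed in a simplified key=value layout, and the field names (`srcip`, `user`, `status`) are assumptions, so map them to your own SSL VPN event log schema before use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value syslog layout (NOT a verbatim
# FortiGate export); field names are assumptions chosen for readability.
SAMPLE_LOGS = """\
date=2026-06-10 time=02:14:03 srcip=203.0.113.7 user="admin" action="login" status="failure"
date=2026-06-10 time=02:14:05 srcip=203.0.113.7 user="jdoe" action="login" status="failure"
date=2026-06-10 time=02:14:08 srcip=203.0.113.7 user="backup" action="login" status="failure"
date=2026-06-10 time=02:14:12 srcip=203.0.113.7 user="vpnsvc" action="login" status="failure"
date=2026-06-10 time=02:14:15 srcip=203.0.113.7 user="it-admin" action="login" status="failure"
date=2026-06-10 time=02:14:20 srcip=203.0.113.7 user="it-admin" action="login" status="success"
date=2026-06-10 time=08:01:00 srcip=198.51.100.9 user="asmith" action="login" status="failure"
date=2026-06-10 time=08:01:09 srcip=198.51.100.9 user="asmith" action="login" status="success"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value line into a dict, stripping quotes and adding a datetime."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields

def detect_stuffing_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source IP succeeds after >= threshold failures inside the window.
    Distinct usernames are counted too: many accounts tried from one IP is the
    credential-stuffing signature, while one user mistyping a password is not."""
    fails = defaultdict(deque)  # srcip -> deque of (timestamp, user) for recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        src, ts = ev["srcip"], ev["ts"]
        q = fails[src]
        while q and ts - q[0][0] > window:  # expire failures that fell out of the window
            q.popleft()
        if ev["status"] == "failure":
            q.append((ts, ev["user"]))
        elif ev["status"] == "success" and len(q) >= threshold:
            alerts.append({
                "srcip": src, "user": ev["user"], "time": ts.isoformat(),
                "failures": len(q), "distinct_users": len({u for _, u in q}),
            })
            q.clear()  # one alert per burst, not one per later success
    return alerts

if __name__ == "__main__":
    for alert in detect_stuffing_success(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The second source in the sample (one failure, then success) deliberately stays silent, which is the false-positive case a naive "any failure then success" rule would fire on.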