Full Report
A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke
Analysis Summary
# Incident Report: FortiBleed Credential Harvesting Campaign
## Executive Summary
A Russian-speaking initial access broker (IAB) has launched a massive global credential-harvesting operation, dubbed "FortiBleed," targeting over 430,000 FortiGate firewalls. Active since February 2026, the financially motivated campaign utilizes brute-force attacks and bespoke malware to compromise systems for the purpose of selling access to other threat actors.
## Incident Details
- **Discovery Date:** February 2026
- **Incident Date:** February 2026 – Ongoing
- **Affected Organization:** 430,000+ targeted FortiGate devices, spanning an unstated number of organizations (global)
- **Sector:** Cross-sector (Any organization utilizing FortiGate firewalls)
- **Geography:** Worldwide
## Timeline of Events
### Initial Access
- **Date/Time:** February 2026
- **Vector:** Credential Stuffing / Brute-Force
- **Details:** The threat actor replays large pre-collected credential lists in automated credential-stuffing and brute-force attempts against internet-exposed FortiGate SSL VPN and administrative interfaces.
### Lateral Movement
- **Details:** After authenticating to the firewall, the actor probes for further paths into the internal network, but the primary goal is a persistent "beachhead" on the perimeter device that can be sold to ransomware groups or other affiliates.
### Data Exfiltration/Impact
- **Details:** The campaign has targeted over 430,000 devices; the number from which valid administrative or user credentials were actually harvested is not stated. On compromised devices, bespoke tooling maintains the actor's presence and forwards verified access details (working credential pairs plus system metadata) to the actor's command-and-control (C2) infrastructure.
### Detection & Response
- **Discovery:** Security researchers identified a surge in automated scanning and unauthorized login attempts originating from infrastructure associated with known Russian-speaking IAB circles.
- **Response actions taken:** General advisory issued to Fortinet users to implement Multi-Factor Authentication (MFA) and restrict access to management interfaces.
## Attack Methodology
- **Initial Access:** Brute-force and credential stuffing against exposed services.
- **Persistence:** Deployment of bespoke malware/tooling designed for firewall environments.
- **Privilege Escalation:** Not observed as a separate step; administrative credentials are targeted directly, so a successful login already grants full control of the device.
- **Defense Evasion:** Use of distributed infrastructure to circumvent IP-based rate limiting.
- **Credential Access:** Credential harvesting via large-scale automated probing.
- **Discovery:** Automated scanning for exposed FortiGate services.
- **Lateral Movement:** Exploration of internal segments via compromised VPN tunnels.
- **Collection:** Gathering of valid credential pairs and system metadata.
- **Exfiltration:** Automated upload of "verified" access lists to actor-controlled servers.
- **Impact:** Compromise of perimeter integrity; facilitating secondary high-impact attacks (e.g., Ransomware).
## Impact Assessment
- **Financial:** High potential loss; access sold on dark web forums typically ranges from hundreds to thousands of dollars per entry.
- **Data Breach:** Credentials on 430,000+ targeted devices are at risk; the number actually compromised has not been published.
- **Operational:** High risk of secondary business disruption if IABs sell access to ransomware operators.
- **Reputational:** Significant trust erosion for organizations failing to secure perimeter hardware.
## Indicators of Compromise
- **Network indicators:**
  - Traffic to/from `hxxp://fortibleed-c2[.]ru` (defanged; do not resolve or browse it from a production network)
  - High-frequency login failures from many unrelated IP ranges against port 443 or 10443 (the HTTPS administrative port and the common SSL VPN listener port).
- **File indicators:** Bespoke "FortiBleed" binary signatures (specific hashes pending detailed forensic release).
- **Behavioral indicators:** Logins from unexpected geographic locations; a successful login that immediately follows a burst of failures; creation of new, unauthorized administrative accounts.
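The network and behavioral indicators above translate directly into log-based detections. The script below is an added example, not tooling from the report or from Fortinet: it parses FortiOS-style `key=value` event-log lines and flags the three patterns the indicators describe, namely failed logins for one account arriving from several unrelated source addresses inside a short window (the distributed guessing that per-IP lockout misses), a successful login from an address that was failing shortly before, and the creation of a new administrator object. The log lines in `SAMPLE_LOGS` are constructed for illustration; they follow the FortiOS event-log field layout (`logdesc`, `action`, `status`, `user`, `srcip`/`remip`, `cfgpath`/`cfgobj`), but every device name, address, account and timestamp is invented, and the field semantics are assumptions to confirm against the log reference for your FortiOS version.

```python
"""Triage FortiGate event logs for the login patterns listed above.

Added example, not from the report or from Fortinet.  SAMPLE_LOGS is
constructed: it follows the FortiOS key=value event-log layout, but all
names, addresses and times are invented and field meanings are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs; values may be double-quoted, e.g. logdesc="Admin login failed".
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOGS = [
    # Password guessing against "admin" from three unrelated addresses within a minute.
    'date=2026-02-14 time=03:00:01 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Admin login failed" user="admin" ui="https(198.51.100.10)" srcip=198.51.100.10 '
    'action="login" status="failed" reason="passwd_invalid"',
    'date=2026-02-14 time=03:00:09 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 '
    'action="login" status="failed" reason="passwd_invalid"',
    'date=2026-02-14 time=03:00:17 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Admin login failed" user="admin" ui="https(192.0.2.55)" srcip=192.0.2.55 '
    'action="login" status="failed" reason="passwd_invalid"',
    # SSL VPN failures for a user account from only two addresses (below threshold).
    'date=2026-02-14 time=03:00:31 devname="fw-edge-01" type="event" subtype="vpn" '
    'logdesc="SSL VPN login fail" user="jdoe" remip=198.51.100.23 action="ssl-login-fail" '
    'reason="sslvpn_login_permission_denied"',
    'date=2026-02-14 time=03:00:44 devname="fw-edge-01" type="event" subtype="vpn" '
    'logdesc="SSL VPN login fail" user="jdoe" remip=203.0.113.99 action="ssl-login-fail" '
    'reason="sslvpn_login_permission_denied"',
    # A hit: successful admin login from an address that was guessing a minute earlier ...
    'date=2026-02-14 time=03:01:02 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 '
    'action="login" status="success"',
    # ... followed by creation of a new administrator object for persistence.
    'date=2026-02-14 time=03:02:30 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.7)" '
    'action="Add" cfgpath="system.admin" cfgobj="support_tmp"',
]


def parse_line(line):
    """Parse one key=value log line into a dict and attach a datetime under 'ts'."""
    ev = {k: quoted or bare for k, quoted, bare in _KV.findall(line)}
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev


def source_ip(ev):
    # Admin (system) events carry srcip; SSL VPN events carry remip.
    return ev.get("srcip") or ev.get("remip")


def is_failed_login(ev):
    return (ev.get("action") == "login" and ev.get("status") == "failed") \
        or ev.get("action") == "ssl-login-fail"


def is_successful_login(ev):
    # Only admin logins are handled here; SSL VPN success events use other actions.
    return ev.get("action") == "login" and ev.get("status") == "success"


def detect_distributed_bruteforce(events, window=timedelta(minutes=5), min_ips=3):
    """Flag an account that receives failed logins from >= min_ips distinct source
    addresses inside one sliding window, the 'varied IP ranges' pattern."""
    attempts = defaultdict(list)
    for ev in events:
        if is_failed_login(ev):
            attempts[ev.get("user", "?")].append((ev["ts"], source_ip(ev)))
    findings = []
    for user, hits in attempts.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ips = {ip for t, ip in hits[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                findings.append({"rule": "distributed-bruteforce", "user": user,
                                 "distinct_ips": len(ips), "first_seen": t0})
                break
    return findings


def detect_success_after_failures(events):
    """A successful login from an address that failed earlier is the credential
    hit to investigate first."""
    failed_ips, findings = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = source_ip(ev)
        if is_failed_login(ev):
            failed_ips.add(ip)
        elif is_successful_login(ev) and ip in failed_ips:
            findings.append({"rule": "success-after-failures", "user": ev.get("user"),
                             "src": ip, "ts": ev["ts"]})
    return findings


def detect_admin_account_creation(events):
    """Creation of an administrator object (cfgpath system.admin, action Add)."""
    return [{"rule": "new-admin-account", "account": ev.get("cfgobj"),
             "by": ev.get("user"), "ui": ev.get("ui"), "ts": ev["ts"]}
            for ev in events
            if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add"]


def analyze(lines):
    """Run all three detections over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines if line.strip()]
    return (detect_distributed_bruteforce(events)
            + detect_success_after_failures(events)
            + detect_admin_account_creation(events))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

Against the constructed sample the script reports three findings: the distributed guessing against `admin` (three addresses in well under five minutes), the successful `admin` login from `203.0.113.7` after that address had been failing, and the new `support_tmp` administrator. The `jdoe` SSL VPN failures stay below the three-address threshold; tune `window` and `min_ips` to your own baseline, since a low threshold on a busy VPN will page on legitimate users with stale saved passwords.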
## Response Actions
- **Containment:** Disable SSL VPN if it is not required; remove HTTP/HTTPS/SSH management access from internet-facing interfaces and restrict administrative logins to trusted management hosts. Geo-blocking Russia-based IP ranges is at best a partial measure, since the actor's infrastructure is distributed (see Defense Evasion above).
- **Eradication:** Force password resets for all administrative and user accounts on affected firewalls, delete any administrative accounts you did not create, and terminate active administrative and VPN sessions. An actor with administrative access can read the configuration, so also rotate the other secrets it holds (for example LDAP/RADIUS bind passwords and IPsec pre-shared keys).
- **Recovery:** Restore firewall configurations from a known-good backup taken before the first suspicious login, then audit account-creation and configuration-change logs to confirm nothing unauthorized remains.
## Lessons Learned
- **Key takeaways:** Perimeter devices remain the primary target for IABs due to their role as "gatekeepers" to the internal network.
- **What could have been done better:** Earlier adoption of MFA and zero-trust access controls would have blunted the campaign: a harvested password alone no longer grants access, and management interfaces that are unreachable from the internet cannot be brute-forced at all.
## Recommendations
- **MFA Enforcement:** Mandatory Multi-Factor Authentication for all VPN and administrative access.
- **Management Hardening:** Restrict administrative access to specific "Internal Only" or trusted management IP addresses.
- **Patching:** Ensure all FortiOS devices are updated to the latest firmware to mitigate secondary vulnerability exploitation.
- **Monitoring:** Implement automated alerting for repeated failed login attempts, including failures for one account spread across many source addresses, which per-IP lockout alone does not catch.
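The MFA and management-hardening recommendations above can be checked mechanically against a configuration backup rather than by eye. The script below is an added example, not tooling from the report or from Fortinet: it parses the `config ... edit ... set ... next ... end` block syntax of a FortiOS CLI dump and flags administrators with no `trusthost` restriction, administrators without `two-factor`, WAN-role interfaces whose `allowaccess` exposes management services, and explicitly weakened admin lockout settings. The two configuration excerpts are constructed for illustration, one with the weak settings and one hardened as recommended; attribute names follow the FortiOS CLI, but the lockout defaults the check assumes (threshold 3, duration 60 s) should be confirmed against the reference for your firmware.

```python
"""Audit a FortiOS CLI configuration dump against the hardening recommendations.

Added example, not from the report or from Fortinet.  The WEAK_CONFIG and
HARDENED_CONFIG excerpts are constructed; attribute names follow the FortiOS
CLI, and the lockout defaults used below are assumptions to confirm.
"""
import shlex

MGMT_SERVICES = {"http", "https", "ssh", "telnet"}

WEAK_CONFIG = """
config system global
    set admin-lockout-threshold 10
    set admin-lockout-duration 5
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "mgmt"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

HARDENED_CONFIG = """
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping
    next
    edit "mgmt"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""


def parse_fortios_config(text):
    """Return {table: {entry: {attribute: [values]}}}.  Attributes set directly
    under a table (no 'edit') live under the pseudo-entry '_global'; nested
    config blocks are keyed as 'parent[entry]/child'."""
    tables, stack = {}, []          # stack saves (table, entry) across nested blocks
    table = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)   # strips the double quotes around names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append((table, entry))
            name = " ".join(args)
            table = f"{table}[{entry}]/{name}" if entry else (f"{table}/{name}" if table else name)
            entry = None
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table].setdefault(entry or "_global", {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table, entry = stack.pop()
    return tables


def audit(tables):
    """Return (rule, detail) findings; an empty list means every check passed."""
    findings = []
    for name, attrs in tables.get("system admin", {}).items():
        if name == "_global":
            continue
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(("admin-no-trusthost", name))
        if attrs.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("admin-no-mfa", name))
    for name, attrs in tables.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(attrs.get("allowaccess", []))
        if attrs.get("role", [""])[0] == "wan" and exposed:
            findings.append(("mgmt-on-wan", f"{name}: {' '.join(sorted(exposed))}"))
    g = tables.get("system global", {}).get("_global", {})
    threshold = int(g.get("admin-lockout-threshold", ["3"])[0])  # assumed FortiOS default
    duration = int(g.get("admin-lockout-duration", ["60"])[0])   # assumed default, seconds
    if threshold > 5 or duration < 60:
        findings.append(("weak-lockout", f"threshold={threshold} duration={duration}s"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios_config(cfg)))
```

On the weak excerpt the audit reports four findings (no trusthost and no MFA on `admin`, HTTPS and SSH reachable on the WAN-role `wan1`, and a lockout of ten attempts with a five-second duration); the hardened excerpt passes cleanly. The check keys off `set role wan`, so an internet-facing interface left with the default role will not be flagged: set roles deliberately, or extend the check with your own list of external interface names.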