Why are you even reading this?! Rotate your passwords!!
# Incident Report: Campaign "FortiBleed" – Mass Credential Compromise
## Executive Summary
A large-scale credential theft campaign, dubbed "FortiBleed," has compromised approximately 75,000 Fortinet firewall devices across 194 countries. Threat actors used high-volume brute-forcing and SSL VPN interception to harvest and crack administrative password hashes, resulting in full network compromise for several high-profile multinational organizations. The campaign involved billions of credential attempts and led to the theft of sensitive data, including classified defense documents.
## Incident Details
- **Discovery Date:** June 17, 2026
- **Incident Date:** Ongoing (Reported June 2026)
- **Affected Organizations:** Approximately 21,632 unique domains, including Foxconn, Samsung, Comcast, Siemens, Lenovo, FedEx, Accenture, and Oracle.
- **Sector:** Global Economy (Manufacturing, Tech, Defense, Telecommunications, Finance)
- **Geography:** Global (194 countries)
## Timeline of Events
### Initial Access
- **Date/Time:** Preceding June 2026
- **Vector:** Brute-force attacks and SSL VPN authentication interception.
- **Details:** Attackers conducted 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MSSQL servers.
### Lateral Movement
- **Details:** After cracking administrative hashes, attackers pivoted from firewall management interfaces into internal Active Directory (AD) environments.
### Data Exfiltration/Impact
- **Details:** Full "pwnage" of at least four major organizations. In one instance, classified defense documents were stolen from a Turkish NATO contractor. Credential databases containing verified working logins for 75,000 devices were compiled.
### Detection & Response
- **Detection:** Security researchers (Hudson Rock, Volodymyr Diachenko, and Kevin Beaumont) identified the leaked data and verified its authenticity.
- **Response:** Public disclosure and advisory for immediate password rotation and MFA implementation. Fortinet issued a statement attributing the data to resharing of historical breaches and ongoing brute-force attempts.
## Attack Methodology
- **Initial Access:** High-volume brute-forcing and interception of SSL VPN authentication traffic.
- **Persistence:** Valid administrative credentials used to maintain access to firewall interfaces.
- **Privilege Escalation:** Cracking password hashes to gain administrative control.
- **Defense Evasion:** Use of legitimate credentials; targeting internet-facing firewalls that remained online despite being compromised.
- **Credential Access:** Use of a 45-GPU cluster, managed via "Hashtopolis", to crack the captured hashes.
- **Discovery:** Scanning via Shodan to identify 320,000+ potential FortiGate targets.
- **Lateral Movement:** Pivoting from compromised firewalls into internal Active Directory environments.
- **Collection:** Gathering of internal corporate data and classified documents.
- **Exfiltration:** Transfer of sensitive defense and corporate data.
- **Impact:** Complete network takeover and exposure of global enterprise credentials.
## Impact Assessment
- **Financial:** High resource cost for remediation across 21,000+ domains; potential for follow-on ransomware/extortion.
- **Data Breach:** Exposure of admin credentials for 75,000 devices; theft of classified NATO-related defense documents.
- **Operational:** Potential for total business disruption via AD environment compromise.
- **Reputational:** Significant brand damage to Fortinet and the thousands of compromised multinational corporations.
## Indicators of Compromise
- **Network Indicators:** Traffic to/from `Hashtopolis` management servers; high-frequency auth attempts from Russian-speaking IP ranges (unspecified).
- **File Indicators:** Not specified in the source article; the leaked material reportedly includes "cracked hashes" and "stolen defense docs."
- **Behavioral Indicators:** Bulk SSL VPN authentication failures followed by successful administrative logins from unusual geographic locations.
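The behavioral indicator above (a burst of SSL VPN authentication failures for an account, followed by a successful administrative login from an unusual location) is what a SIEM rule would key on. The following is an added example written for this report, not tooling from the source article or from Fortinet: it parses a constructed `key=value` log format (not real FortiGate syslog), keeps a sliding window of failures per account, and raises an alert when a success follows a burst, escalating severity when the success comes from a country outside the account's assumed baseline. The threshold, window, baseline countries and sample IPs are all assumptions chosen for illustration.

```python
"""Added detection example: flag a successful admin/VPN login that follows a
burst of failures, and escalate when it also comes from a new country.
The log format, thresholds and baseline below are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20              # failures inside WINDOW that count as a brute-force burst (assumed)
WINDOW = timedelta(minutes=10)   # sliding window applied per account (assumed)

# Constructed baseline: countries each admin account has legitimately logged in from.
BASELINE_COUNTRIES = {"admin": {"TR"}, "fwops": {"DE"}}


def parse_line(line):
    """Parse one constructed 'key=value key=value' log line; 'ts' becomes a datetime."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines, baseline=BASELINE_COUNTRIES, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per successful login preceded by >= threshold failures in the window.

    Severity is 'high' when the success also comes from a country outside the account's
    baseline, 'medium' when the burst is followed by a success from a known country.
    """
    failures = defaultdict(deque)                      # user -> timestamps of recent failures
    known = {user: set(countries) for user, countries in baseline.items()}
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts, country = ev["user"], ev["ts"], ev["country"]
        recent = failures[user]
        while recent and ts - recent[0] > window:     # drop failures older than the window
            recent.popleft()
        if ev["result"] == "fail":
            recent.append(ts)
            continue
        # Successful login: judge it against the failures that preceded it.
        new_geo = country not in known.setdefault(user, set())
        if len(recent) >= threshold:
            alerts.append({
                "user": user,
                "ts": ts.isoformat(),
                "src": ev["src"],
                "country": country,
                "failures_in_window": len(recent),
                "severity": "high" if new_geo else "medium",
            })
        elif new_geo:
            # No burst preceded it: record the country as legitimately used by this account.
            known[user].add(country)
    return alerts


def constructed_sample():
    """Constructed log lines: 25 failures for 'admin' in about 3 minutes, then a success
    from the same previously unseen country, plus ordinary activity for 'fwops'."""
    base = datetime(2026, 6, 17, 8, 0, 0)
    lines = []
    for i in range(25):
        t = (base + timedelta(seconds=7 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"ts={t} iface=sslvpn user=admin result=fail src=203.0.113.10 country=RU")
    lines.append("ts=2026-06-17T08:05:00Z iface=sslvpn user=admin result=success src=203.0.113.10 country=RU")
    lines.append("ts=2026-06-17T08:06:00Z iface=sslvpn user=fwops result=fail src=198.51.100.7 country=DE")
    lines.append("ts=2026-06-17T08:06:30Z iface=sslvpn user=fwops result=success src=198.51.100.7 country=DE")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(alert)
```

Keying the window on the account rather than the source IP matters here: the page describes high-volume distributed attempts, so a single source rarely crosses a threshold on its own, while the targeted account accumulates failures regardless of where they come from. A country seen for the first time without a preceding burst is learned rather than alerted on, which keeps the rule quiet for admins who travel.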
## Response Actions
- **Containment:** Advised immediate rotation of all passwords associated with Fortinet VPN and admin interfaces.
- **Eradication:** Deployment of Multi-Factor Authentication (MFA) to invalidate stolen static credentials.
- **Recovery:** Auditing Active Directory environments for signs of unauthorized pivoting or persistent backdoors.
## Lessons Learned
- **Brute Force Viability:** Even on patched devices, weak administrative passwords remain a primary failure point.
- **MFA Necessity:** The lack of MFA on critical edge gateway devices (firewalls) allowed harvested credentials to be used effectively.
- **Infrastructure Exposure:** Approximately 50% of internet-facing Fortinet devices were susceptible to these discovery techniques.
## Recommendations
1. **Immediate Password Rotation:** All administrative and VPN accounts must have passwords changed immediately.
2. **Mandatory MFA:** Enforce Multi-Factor Authentication for all VPN and administrative access points.
3. **Internal Audit:** Perform a compromise assessment on Active Directory environments if a Fortinet device was found on the leak list.
4. **Rate Limiting:** Implement strict account lockout policies and rate-limiting on SSL VPN and management interfaces to thwart brute-force attempts.
5. **Geofencing:** Restrict administrative access to known corporate IP ranges.
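Recommendation 4 asks for account lockout and rate limiting on the SSL VPN and management interfaces. The following is an added example, written for this report rather than taken from Fortinet or the source article, of the two controls evaluated before any password is checked: a per-account lockout after repeated failures, and a per-source rate limit that also catches password spraying, where one source tries a few passwords against many accounts and never trips a per-account lockout. The thresholds and durations are assumptions for illustration, not vendor defaults, and the simulated sources use documentation IP ranges.

```python
"""Added example of brute-force controls for an authentication endpoint:
per-account lockout plus per-source rate limiting, both on sliding windows.
Parameters below are assumptions for illustration, not vendor defaults."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginGuard:
    """Controls consulted before credentials are verified."""

    def __init__(self, account_threshold=5, lockout=timedelta(minutes=15),
                 source_limit=30, source_window=timedelta(minutes=1)):
        self.account_threshold = account_threshold   # failures that lock an account
        self.lockout = lockout                       # how long the lock lasts
        self.source_limit = source_limit             # attempts one source may make per window
        self.source_window = source_window
        self._account_failures = defaultdict(deque)  # user -> failure timestamps
        self._locked_until = {}                      # user -> datetime the lock expires
        self._source_attempts = defaultdict(deque)   # src -> attempt timestamps

    @staticmethod
    def _prune(queue, now, window):
        """Drop timestamps that have fallen out of the sliding window."""
        while queue and now - queue[0] >= window:
            queue.popleft()

    def check(self, user, src, now):
        """Return 'allow', 'locked' or 'rate_limited'. Call before verifying the password.
        Every call counts as one attempt from src, whether or not it is allowed, so a
        source that keeps hammering stays limited until it backs off."""
        attempts = self._source_attempts[src]
        self._prune(attempts, now, self.source_window)
        attempts.append(now)
        if len(attempts) > self.source_limit:
            return "rate_limited"
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return "locked"
        return "allow"

    def record(self, user, src, now, success):
        """Record the outcome of an allowed attempt; lock the account on the Nth failure."""
        failures = self._account_failures[user]
        if success:
            failures.clear()
            self._locked_until.pop(user, None)
            return
        self._prune(failures, now, self.lockout)
        failures.append(now)
        if len(failures) >= self.account_threshold:
            self._locked_until[user] = now + self.lockout
            failures.clear()


def simulate_account_lockout():
    """Constructed scenario: five wrong passwords for 'admin' from one source lock the
    account; once the lockout has elapsed the account may be tried again."""
    guard = LoginGuard()
    t0 = datetime(2026, 6, 17, 9, 0, 0)
    src = "203.0.113.10"
    for i in range(5):
        now = t0 + timedelta(seconds=10 * i)
        guard.check("admin", src, now)
        guard.record("admin", src, now, success=False)
    sixth = guard.check("admin", src, t0 + timedelta(seconds=60))
    later = guard.check("admin", src, t0 + timedelta(minutes=16))
    return sixth, later


def simulate_spray():
    """Constructed scenario: one source tries 31 distinct accounts within a minute.
    No account is locked, but the 31st attempt exceeds the per-source limit."""
    guard = LoginGuard()
    t0 = datetime(2026, 6, 17, 9, 30, 0)
    results = [guard.check(f"user{i}", "198.51.100.7", t0 + timedelta(seconds=i))
               for i in range(31)]
    return results[29], results[30]


if __name__ == "__main__":
    print("lockout:", simulate_account_lockout())   # ('locked', 'allow')
    print("spray:  ", simulate_spray())             # ('allow', 'rate_limited')
```

Lockout on its own would not have slowed the campaign described above against accounts whose passwords fell on an early guess, and it can be turned into a denial of service against the real administrator; pairing it with a short per-source window and with the MFA and trusted-source restrictions in recommendations 2 and 5 is what removes the value of a guessed or leaked static password.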