‘FortiBleed’ Attack Breaches 80,000 Fortinet Devices

June 22, 2026
IANS News

Key Points

  • A Russian-linked hacking group breached more than 80,000 Fortinet firewalls and VPN gateways worldwide using previously stolen credentials against public devices.
  • Researchers say the ongoing “FortiBleed” campaign relies on reused passwords, generic admin accounts and public-facing SSL VPN interfaces.
  • IANS Faculty recommend rotating Fortinet and edge-device credentials, adopting ZTNA and modern edge security, and prioritizing Fortinet device patching immediately.


A hacking group, believed to be of Russian origin by researchers, has breached more than 80,000 Fortinet firewalls and VPN gateways worldwide using stolen credentials.

The campaign, first uncovered by researcher Volodymyr Diachenko, is still considered ongoing by numerous cybersecurity firms. Fortinet customers are encouraged to change credentials and check all their devices for signs of compromise, according to researchers who have since dubbed the attacks “FortiBleed.”

The attackers are conducting the breach campaign using verified, working usernames and passwords from prior breaches. Automation lets the group try this credential database against any publicly facing Fortinet firewall or other device until a login succeeds. Each successful login is recorded and then used to turn the device into a new traffic collection point for further credential harvesting. Beyond these intrusions, no further actions by the group have been reported so far.

The list of targets breached by the campaign spans numerous industries, including government institutions, critical infrastructure such as hospitals and energy companies, and Fortune 500 corporations. Most attacks so far have focused on organizations in India and the United States.

Many of the abused credentials are from generic admin accounts or factory standard settings for Fortinet devices.

“If your credentials were compromised, or if they might have been compromised, or if you think they might possibly have been compromised, [then] reset and change credentials on all your Fortinet devices,” said Todd Inskeep, IANS Faculty.


Big Picture

Nothing about these breaches appears to have required engineering expertise or know-how; the attackers merely tried every key available to them on the public internet until a latch dropped.

“The breach is not coming through a clever exploit. It is coming through an SSL VPN that should not be on the public internet, protected by a password an attacker already had. Edge devices are the favorite target precisely because everyone runs them and they are slow to patch,” said George Gerchow, IANS Faculty.

Such breaches also show a lack of cyber hygiene, as many of these credentials had already been exposed through prior breaches and leaks. Many of the compromised Fortinet devices reported so far were still using stock settings and passwords, so the campaign is creating repeat victims: a “set it and forget it” mentality at the edge combined with a lack of strict identity checks.

“Edge plus stale credentials is now the most reliable way into a global enterprise, and attackers have automated it to billions of attempts,” added Gerchow. “Until identity and exposure are treated as the perimeter, the next branded ‘bleed’ is just a matter of which box we forgot we exposed.”


IANS Faculty Recommendations

  • Assume breach and triage: Assume your Fortinet and reused credentials are already in a dump. Force rotation on all edge and admin accounts, kill shared and local accounts, and check your domains against infostealer and leak feeds rather than waiting to be told.
  • Prioritize Fortinet patching internally: Patch the edge on its own fast clock, not your server cadence. FortiClient EMS and FortiGate fixes belong in an emergency lane, and the appliances themselves should be segmented behind the edge so that one compromised appliance cannot sniff and pivot across a flat network.
  • Remove exposure for edge devices: Treat every internet-facing admin and VPN interface as already targeted. Get management planes off the public internet, put SSL VPN and admin access behind phishing-resistant MFA, and move to ZTNA where you can so there is no open port to brute force.
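The three recommendations above all come down to conditions that can be checked in a firewall's own configuration: generic admin account names, admin logins that are not pinned to trusted source addresses or backed by a second factor, SSL VPN bound to a WAN-facing interface, and management protocols enabled on that interface. The script below is an added example written for this article, not IANS's or Fortinet's code. It assumes a FortiOS-style text backup using the `config` / `edit` / `set` / `next` / `end` keywords and the key names `trusthost1`, `two-factor`, `source-interface`, `role` and `allowaccess`; the sample configuration and the list of "generic" account names are constructed for the example, and the parser handles only flat, non-nested blocks.

```python
"""Audit a FortiGate-style configuration backup for the exposures behind the
FortiBleed campaign. Config syntax and key names are assumptions modelled on
the FortiOS CLI backup format; SAMPLE_CONFIG is a constructed example."""
import shlex

# Constructed sample backup: one generic "admin" with no restrictions, one
# hardened "netops" account, SSL VPN on the WAN interface, management on WAN.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER_HASH
    next
    edit "netops"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC PLACEHOLDER_HASH
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set source-interface "wan1"
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
"""

# Constructed list of account names that amount to a "generic admin" login.
GENERIC_ADMIN_NAMES = {"admin", "administrator", "root", "fortinet"}
# Protocols that expose a management plane when allowed on an interface.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortios_config(text):
    """Parse a flat (non-nested) config dump into {section: {entry: {key: [values]}}}.
    Settings-only blocks such as 'vpn ssl settings' are stored under entry ''."""
    tree = {}
    section, entry = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, *args = shlex.split(line)  # honours quoted values
        if keyword == "config":
            section, entry = " ".join(args), ""
            tree.setdefault(section, {}).setdefault(entry, {})
        elif keyword == "edit" and section is not None:
            entry = args[0]
            tree[section].setdefault(entry, {})
        elif keyword == "set" and section is not None:
            tree[section][entry][args[0]] = args[1:]
        elif keyword == "next":
            entry = ""
        elif keyword == "end":
            section, entry = None, ""
    return tree


def audit(tree):
    """Return a list of human-readable findings for the parsed config."""
    findings = []
    for name, attrs in tree.get("system admin", {}).items():
        if not name:
            continue
        if name.lower() in GENERIC_ADMIN_NAMES:
            findings.append(f"admin '{name}': generic account name; rename or disable it")
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"admin '{name}': no trusthost restriction, logins accepted from any source")
        if attrs.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin '{name}': two-factor is not enforced")

    interfaces = tree.get("system interface", {})
    ssl_settings = tree.get("vpn ssl settings", {}).get("", {})
    for iface in ssl_settings.get("source-interface", []):
        if interfaces.get(iface, {}).get("role", [""])[0] == "wan":
            findings.append(f"SSL VPN bound to WAN-role interface '{iface}'; front it with MFA or move to ZTNA")

    for iface, attrs in interfaces.items():
        if iface and attrs.get("role", [""])[0] == "wan":
            exposed = sorted(set(attrs.get("allowaccess", [])) & MGMT_PROTOCOLS)
            if exposed:
                findings.append(f"interface '{iface}': management access ({', '.join(exposed)}) on a WAN-role interface")
    return findings


def audit_config(text):
    return audit(parse_fortios_config(text))


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a real backup, the output is a triage list: the generic account and any account with no `trusthost` entries go to the credential-rotation lane, and the WAN-facing SSL VPN and management findings go to the exposure-removal lane. The hardened `netops` account in the sample produces no findings, which is the state every admin account should reach.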


Authors & Contributors

Tim McCarthy, Author, IANS News

George Gerchow, IANS Faculty

Todd Inskeep, IANS Faculty
