FortiBleed Data Leak Exposes 74,000 Fortinet Firewall Credentials in Active Enterprise Network Attacks
FortiBleed: How 74,000 Fortinet Firewalls Became an Open Door for Hackers
The security world is reeling from "FortiBleed," a massive credential harvesting campaign that has effectively turned the keys to the kingdom over to cybercriminals. We aren’t talking about a minor glitch; we’re looking at 73,932 Fortinet FortiGate firewall systems across 194 countries that have had their administrative and VPN credentials laid bare. From government agencies to the heavy hitters in the multinational corporate space, the fallout is staggering. Sensitive configuration data and authentication tokens are currently being traded like baseball cards on criminal forums.
The muscle behind this operation? A Russian-speaking threat group that didn't just stumble upon these credentials—they built a high-powered, 45-GPU offline cracking rig specifically to chew through intercepted SSL VPN authentication hashes. Security researchers at Bitsight have confirmed that this isn't just theory. Opportunistic hackers and sophisticated state-sponsored actors are already using this data to punch their way into internal Active Directory environments.
The Technical "Original Sin"
At the heart of the FortiBleed mess is how older versions of FortiOS handled password hashing. It turns out that even after firmware updates were applied, administrator passwords often lingered in the system as weak SHA-256 hashes. These weren't automatically upgraded to the much tougher PBKDF2 standard until the account's owner actually logged in. That tiny gap, the window of "waiting for a login", gave attackers all the time they needed to scoop up the hashes and crack them at their leisure.
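To make the "waiting for a login" window concrete, here is an added example (not code from the article, and not FortiOS's real credential store or on-disk format, whose layout is a hypothetical one invented for this demonstration). It models a credential store that still holds unsalted SHA-256 entries written by an older scheme, rehashes an entry to salted PBKDF2 only when that account successfully logs in, and offers an audit function that lists the accounts still stuck on the weak hash. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Hypothetical on-disk formats for this demonstration (not FortiOS's real
# representation): a legacy entry is one unsalted SHA-256 of the password,
# a modern entry is salted PBKDF2-HMAC-SHA256 with its iteration count.
LEGACY_PREFIX = "sha256$"
MODERN_PREFIX = "pbkdf2_sha256$"
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str) -> str:
    """The weak scheme: a single fast, unsalted SHA-256 over the password."""
    return LEGACY_PREFIX + hashlib.sha256(password.encode()).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """The stronger scheme: per-user random salt plus a deliberately slow PBKDF2."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{MODERN_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either format, using constant-time comparison."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_hash(password))
    if stored.startswith(MODERN_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown format: never accept


def accounts_on_legacy_hash(store: Dict[str, str]) -> List[str]:
    """Audit view: every account whose hash is still the weak legacy one."""
    return sorted(user for user, h in store.items() if h.startswith(LEGACY_PREFIX))


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Lazy migration: a legacy hash is rewritten as PBKDF2 only when the
    owner logs in successfully. Any account nobody logs into keeps the weak
    hash indefinitely, which is exactly the window the article describes."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith(LEGACY_PREFIX):
        store[user] = modern_hash(password)
    return True


def build_demo_store() -> Dict[str, str]:
    """Constructed sample store: two accounts written by the old scheme that
    have not logged in since the update, one already on the new scheme."""
    return {
        "admin": legacy_hash("Spring2024!"),
        "vpn-ops": legacy_hash("Welcome1"),
        "auditor": modern_hash("correct horse battery"),
    }


if __name__ == "__main__":
    store = build_demo_store()
    print("before any login:", accounts_on_legacy_hash(store))
    login(store, "admin", "Spring2024!")
    print("after admin logs in:", accounts_on_legacy_hash(store))
```

The design point is the audit function: a lazy migration is only safe if you can enumerate what has not migrated yet, and the fix for every account it returns is a forced password change rather than waiting for a login that may never come.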
The scale is frankly nauseating. These actors launched over 1.16 billion credential attempts against FortiGate targets, with another 2.1 billion aimed at MSSQL systems. With that 45-GPU cluster humming in the background, they successfully validated credentials for 73,932 unique firewall URLs across more than 21,600 distinct domains. The data is real, and it’s dangerous. Researchers like Hudson Rock have been tracking the spread, and the consensus is clear: the exposure is widespread and systemic.
Who’s in the Crosshairs?
Roughly half of all internet-reachable FortiGate units globally are caught up in this. The list of victims reads like a Fortune 500 roll call—Samsung, Siemens, and Oracle are all in the mix, along with various government bodies. In one particularly chilling incident, attackers used these stolen credentials to slip into the network of a NATO defense contractor, walking away with sensitive classified documents.
Once they’re in, they don’t just sit there. They’re deploying a standard toolkit designed to maintain persistence and map out the internal network. If you’re a sysadmin, these are the names you need to hunt for:
- Chisel: A fast TCP/UDP tunnel over HTTP that makes bypassing firewall restrictions look like child's play.
- Neo-reGeorg: A nasty web shell used for pivoting and deep-dive reconnaissance.
- EternalBlue: The classic choice for moving laterally and escalating privileges once they’ve found a foothold.
| Metric | Detail |
|---|---|
| Affected Devices | 73,932 unique FortiGate URLs |
| Global Reach | 194 countries |
| Primary Vulnerability | Weak SHA-256 password hashing |
| Attack Infrastructure | 45-GPU cluster |
| Observed Activity | Active exfiltration of internal AD data |
Cleaning Up the Mess
If you’re running FortiGate, you need to verify your firmware status yesterday. The vulnerability hits devices running FortiOS versions prior to 7.2.11, 7.4.8, and 7.6.1. Don't just take our word for it; check cyber threat intelligence feeds to see if your infrastructure is already part of the leaked datasets circulating online.
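As an added example (not from the article, and not a Fortinet tool), the following Python script turns the three fixed versions named above into a fleet triage check. It parses a version out of either a bare string or a status-style line, compares it against the fixed release for its branch, and deliberately reports branches the article does not mention (such as 7.0) as unknown instead of guessing. The hostnames and version strings in SAMPLE_INVENTORY are constructed, and the status-line shape is only an assumption about what an inventory export might contain.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the article, keyed by FortiOS release branch.
# Branches not listed here (e.g. 7.0) are not covered by the article, so the
# checker reports them as unknown rather than guessing.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (7, 2): (7, 2, 11),
    (7, 4): (7, 4, 8),
    (7, 6): (7, 6, 1),
}

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_fortios_version(text: str) -> Optional[Version]:
    """Pull major.minor.patch out of a bare version or a status-style line
    such as 'Version: FortiGate-100F v7.4.3,build0000' (constructed sample)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify as 'patched', 'affected', 'unknown-branch' or 'unparsed'."""
    version = parse_fortios_version(text)
    if version is None:
        return "unparsed"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison orders (major, minor, patch) numerically.
    return "patched" if version >= fixed else "affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Run assess() over a hostname -> version-string inventory."""
    return {host: assess(text) for host, text in inventory.items()}


# Constructed inventory for the demonstration; build numbers are placeholders.
SAMPLE_INVENTORY = {
    "fw-hq-01": "Version: FortiGate-100F v7.4.3,build0000",
    "fw-hq-02": "Version: FortiGate-100F v7.4.8,build0000",
    "fw-branch-07": "v7.2.10",
    "fw-branch-08": "v7.6.1",
    "fw-lab-01": "v7.0.15",
    "fw-legacy": "no version reported",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```

Anything that comes back "unknown-branch" or "unparsed" needs a human look and the vendor's own advisory; a checker that silently reports those as patched is worse than no checker.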
The fix is straightforward but labor-intensive: update your firmware to the latest patched versions. These versions force the shift to stronger password hashing. Beyond that, you need to audit your admin accounts and VPN logs for anything that looks even remotely suspicious. As Recorded Future has pointed out, these actors aren't going away. You need to rotate every credential you have and enforce multi-factor authentication (MFA) on every single management interface exposed to the public internet.
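The "audit your VPN logs" advice above is easier to act on with a concrete pattern. The added example below (not code from the article or from Fortinet) looks for the signature of validated stolen credentials: one remote address trying several different usernames and then getting a tunnel for one of them. The log lines are constructed, in a simplified key=value style that only loosely resembles SSL-VPN event logs; the field names are illustrative, so the regex must be adapted to your real log source.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in a simplified key=value style loosely modelled on
# SSL-VPN event logs. Field names and values are illustrative, not the vendor's
# exact schema; adapt LINE_RE to whatever your log source actually emits.
SAMPLE_LOG = """\
date=2025-01-10 time=02:11:03 subtype=vpn action=ssl-login-fail user=jsmith remip=203.0.113.5
date=2025-01-10 time=02:11:04 subtype=vpn action=ssl-login-fail user=mlee remip=203.0.113.5
date=2025-01-10 time=02:11:05 subtype=vpn action=ssl-login-fail user=rpatel remip=203.0.113.5
date=2025-01-10 time=02:11:06 subtype=vpn action=ssl-login-fail user=svc-backup remip=203.0.113.5
date=2025-01-10 time=02:11:09 subtype=vpn action=tunnel-up user=admin remip=203.0.113.5
date=2025-01-10 time=08:30:00 subtype=vpn action=ssl-login-fail user=jsmith remip=198.51.100.20
date=2025-01-10 time=08:30:12 subtype=vpn action=tunnel-up user=jsmith remip=198.51.100.20
"""

LINE_RE = re.compile(
    r"time=(?P<time>\S+).*?action=(?P<action>\S+)\s+user=(?P<user>\S+)\s+remip=(?P<ip>\S+)"
)


def parse_events(log: str) -> List[dict]:
    """Turn raw lines into dicts with time, action, user and ip; skip junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious_sources(events: List[dict], min_distinct_users: int = 3) -> Dict[str, dict]:
    """Flag a remote IP that tries at least `min_distinct_users` different
    usernames, and record which accounts it eventually got a tunnel for.
    A legitimate user mistyping their own password touches one username;
    a source working through a leaked credential list touches many."""
    tried = defaultdict(set)
    succeeded = defaultdict(list)
    for ev in events:
        tried[ev["ip"]].add(ev["user"])
        if ev["action"] == "tunnel-up":
            succeeded[ev["ip"]].append(ev["user"])
    report = {}
    for ip, users in tried.items():
        if len(users) >= min_distinct_users:
            report[ip] = {
                "distinct_users": len(users),
                "succeeded_as": sorted(set(succeeded[ip])),
            }
    return report


if __name__ == "__main__":
    for ip, detail in suspicious_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, detail)
```

Every account listed under succeeded_as for a flagged source is a rotate-now candidate, whatever the password age policy says. The threshold of three distinct usernames is a starting point for a small VPN population; on a large one, tune it against a week of normal logs before alerting on it.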
The discovery of the server hosting this massive list of credentials is credited to researcher Volodymyr "Bob" Diachenko. His work underscores a brutal reality: relying on legacy hashing methods in enterprise-grade gear is a recipe for disaster. If your internet-facing FortiGate device hasn't been updated recently, you have to assume it’s already compromised.
The campaign is fluid. These groups shift tactics the moment they feel the heat. Your best defense is a relentless cycle of patching and a paranoid eye on your network traffic. Keep an eye out for Chisel or Neo-reGeorg, monitor your outbound traffic for anomalies, and watch for any signs of lateral movement. In the wake of a leak this size, "good enough" security isn't going to cut it.