FortiBleed Targeted FortiGate Firewalls in a 110-Million-Credential Harvesting Operation
A large-scale credential-harvesting campaign dubbed FortiBleed, attributed to a Russian-speaking initial access broker, has been targeting FortiGate firewalls since February 2026. The operation compromised over 430,000 devices globally and then ran a Golang-based tool called FortigateSniffer on them. The tool abuses FortiOS's built-in diagnostic packet sniffer, which is exposed through the administrative CLI, to passively capture authentication traffic across 24 protocols as it transits the firewall. Because that sniffer is only reachable from an authenticated administrative session, the capture is a post-compromise step on firewalls the broker already controlled. Over 110 million credentials were harvested, including RADIUS credentials, NTLM and Kerberos authentication hashes, and MySQL authentication tokens. The attackers cracked the captured hashes offline and reused the resulting credentials against Active Directory domains and other services.

SMBs and IT service providers were the primary targets. The campaign also extended to Synology NAS devices, Sophos firewalls, Citrix SSL-VPNs, and Microsoft SQL Server systems. CISOs are advised to rotate any credentials that may have transited an affected firewall (the RADIUS, NTLM, Kerberos and MySQL accounts above included), remove management interfaces and other administrative access from the internet, enforce MFA, and hunt for signs of packet sniffing on the firewalls themselves and for lateral movement on the networks behind them.
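The hunt the advice above calls for starts on the firewall's own event logs: an admin session running the built-in sniffer against authentication ports, with packet data enabled and no packet limit, is the shape FortiBleed's capture would leave. The script below is an added example, not code from the article, from the broker's tool or from Fortinet. It parses FortiOS-style key=value log lines, recognises the `diagnose sniffer packet` command (full or abbreviated `diag` form), decomposes the capture filter, verbosity and count, and scores each invocation. The sample log lines are constructed; their field layout follows FortiOS's syslog convention, but the logdesc and msg wording of CLI audit events on any given FortiOS build, the port-to-protocol map, and the trusted admin-network prefix are assumptions to adapt to your environment.

```python
"""
Added example (not from the article or Fortinet): hunt FortiOS event logs for
use of the built-in packet sniffer (the `diagnose sniffer packet` CLI command)
and rank each invocation by how much it resembles credential harvesting.

Assumptions: the log lines are constructed and follow FortiOS's key=value
syslog layout; the logdesc/msg wording for CLI audit events, the port-to-protocol
map and the trusted admin prefix are hypothetical.
"""
import re
import shlex
from typing import Dict, List

# Ports of the credential-bearing protocols the article names (hypothetical list).
AUTH_PORTS = {
    88: "Kerberos",
    389: "LDAP",
    445: "SMB/NTLM",
    1812: "RADIUS",
    1813: "RADIUS-acct",
    3306: "MySQL",
}

# key="quoted value" or key=bareword, as FortiOS emits them
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# full (diagnose) and abbreviated (diag) forms of the sniffer command
SNIFFER_RE = re.compile(r"\bdiag(?:nose)?\s+sniffer\s+packet\b", re.IGNORECASE)
PORT_RE = re.compile(r"\bport\s+(\d{1,5})\b")


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, unquoting values."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields


def analyse_sniffer_command(cmd: str) -> Dict[str, object]:
    """Decompose `diagnose sniffer packet <iface> '<filter>' <verbosity> <count>`.
    Returns {} when cmd is not a sniffer invocation."""
    m = SNIFFER_RE.search(cmd)
    if not m:
        return {}
    args = shlex.split(cmd[m.end():])          # shlex keeps the quoted filter whole
    iface = args[0] if args else ""
    filt = args[1] if len(args) > 1 else ""
    verbosity = int(args[2]) if len(args) > 2 and args[2].isdigit() else 1
    count = int(args[3]) if len(args) > 3 and args[3].isdigit() else None
    ports = sorted({int(p) for p in PORT_RE.findall(filt)})
    return {
        "interface": iface,
        "filter": filt,
        "verbosity": verbosity,
        "count": count,
        "auth_protocols": [AUTH_PORTS[p] for p in ports if p in AUTH_PORTS],
        # Fortinet's sniffer docs: verbosity 1 and 4 print headers only; levels
        # 2, 3, 5 and 6 also dump packet data, which is where credentials travel.
        "captures_payload": verbosity in {2, 3, 5, 6},
        # count 0 runs until stopped: the shape a harvesting tool wants
        "unbounded": count == 0,
    }


def hunt(lines: List[str], trusted_admin_prefixes=("10.0.0.",)) -> List[Dict[str, object]]:
    """One finding per sniffer invocation, scored by capture shape and origin.
    `trusted_admin_prefixes` is a hypothetical allowlist of admin source IPs."""
    findings = []
    for line in lines:
        f = parse_fortios_line(line)
        info = analyse_sniffer_command(f.get("msg", ""))
        if not info:
            continue
        src = re.search(r"\(([^)]+)\)", f.get("ui", ""))   # ui="ssh(203.0.113.5)"
        src_ip = src.group(1) if src else ""
        score = 1
        score += 1 if info["captures_payload"] else 0
        score += 2 if info["auth_protocols"] else 0
        score += 1 if info["unbounded"] else 0
        score += 0 if src_ip.startswith(trusted_admin_prefixes) else 1
        info.update(
            user=f.get("user", ""),
            source_ip=src_ip,
            time=f"{f.get('date', '')} {f.get('time', '')}",
            severity="high" if score >= 4 else "medium" if score >= 2 else "low",
        )
        findings.append(info)
    return findings


# Constructed sample lines (not real device output): one harvesting-shaped capture
# from an untrusted source, one routine ICMP troubleshooting capture, one non-sniffer command.
SAMPLE_LOGS = [
    'date=2026-03-02 time=09:14:51 type="event" subtype="system" level="notice" vd="root" '
    'logdesc="CLI command executed" user="admin" ui="ssh(203.0.113.5)" '
    'msg="diagnose sniffer packet any \'port 1812 or port 88 or port 445\' 3 0"',
    'date=2026-03-02 time=11:40:07 type="event" subtype="system" level="notice" vd="root" '
    'logdesc="CLI command executed" user="netops" ui="ssh(10.0.0.10)" '
    'msg="diag sniffer packet port1 \'host 10.1.1.20 and icmp\' 4 10"',
    'date=2026-03-02 time=11:41:15 type="event" subtype="system" level="notice" vd="root" '
    'logdesc="CLI command executed" user="netops" ui="ssh(10.0.0.10)" msg="get system status"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"{hit['severity']:<6} {hit['time']} {hit['user']}@{hit['source_ip']} "
              f"iface={hit['interface']} filter={hit['filter']!r} "
              f"auth={hit['auth_protocols']} payload={hit['captures_payload']}")
```

Two practical caveats. First, FortiOS only records executed CLI commands in its event log when CLI audit logging is enabled (the cli-audit-log setting under config system global), so confirm that setting and that the logs are forwarded off-box before relying on this hunt; a broker with admin access can also clear local logs. Second, the scoring here is deliberately simple: a real detection should also flag sniffer sessions started by accounts that never use the CLI, sessions started outside change windows, and any admin login from an address outside your management network, because the sniffer invocation is the last step of the intrusion, not the first.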