Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis

FortiBleed: 320,000 Fortinet Firewalls Exposed

17 June 2026 22:37

A massive campaign involving Fortinet devices exposed on the Internet is attracting much attention from the international cybersecurity community.

The operation, dubbed FortiBleed, appears to have targeted around 320,000 FortiGate firewalls, allowing malicious actors to successfully validate around 75,000 credentials associated with administration interfaces and SSL VPN.

The investigation was initiated by cybersecurity researcher Volodymyr “Bob” Diachenko and later taken up and expanded by two threat intelligence companies, Hudson Rock and SOCRadar.


Hudson Rock has also published statistics showing that the largest number of affected devices is located in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.

According to information circulating online, the campaign exploits a mechanism that allows attackers to expand compromised access in a completely autonomous manner.

The modus operandi is simple and unsettling at the same time. Operators scan the Internet to identify exposed Fortinet devices and, once these are found, test credentials drawn from databases of passwords recovered from previous security breaches and data collected through infostealers.

Each successful access is recorded in an archive and used for further offensive activities.

The worrying feature of the operation is its recursive nature. Once access to a specific firewall is obtained, the attackers turn it into a network observation point, intercepting the traffic that passes through it to collect further credentials. These are then fed back into the scanning and verification process, creating a continuous cycle of compromise.


The reported numbers are enormous: over 1.16 billion authentication attempts reportedly executed against more than 320,000 FortiGate devices.

A further 2.1 billion brute-force attempts reportedly targeted around 160,000 Microsoft SQL servers. In the most advanced intrusions, the attackers reportedly intercepted SSL VPN authentication hashes, which were then cracked using a dedicated cluster of 45 GPUs. They then moved laterally within the compromised infrastructures and reached the Active Directory environments.

Among the organizations involved are large companies such as Samsung and Oracle. Diachenko reportedly confirmed network compromises in Japan, Taiwan, Vietnam, Iraq, and Turkey, including that of a Turkish defense contractor linked to NATO, from which classified documents were reportedly stolen.

Experts recommend that users of Fortinet devices immediately reset all administrative and VPN credentials, enable multifactor authentication (MFA), restrict access to management interfaces, segment internal networks, and carefully review access logs for any anomalous activity.
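The log review recommended above can be partly automated. The following Python is an added example, not code from the article, Fortinet or the researchers cited: it flags source addresses that fail logins against several different accounts on the admin or SSL VPN interface and then succeed, which is the credential-testing pattern the campaign relies on. The log lines are constructed samples in FortiGate key=value syslog style; the field names are assumed from FortiOS conventions and the values are invented.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value syslog style (not real device output).
# Field names (subtype, action, status, user, srcip, remip) are assumed from FortiOS
# conventions for admin (subtype=system) and SSL VPN (subtype=vpn) events.
SAMPLE_LOGS = """\
date=2026-06-17 time=21:58:01 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7 reason="passwd_invalid"
date=2026-06-17 time=21:58:02 type="event" subtype="system" action="login" status="failed" user="fortinet" srcip=203.0.113.7 reason="passwd_invalid"
date=2026-06-17 time=21:58:03 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=21:58:04 type="event" subtype="vpn" action="ssl-login-fail" user="mrossi" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=21:58:09 type="event" subtype="vpn" action="tunnel-up" user="mrossi" remip=203.0.113.7
date=2026-06-17 time=22:01:00 type="event" subtype="system" action="login" status="success" user="admin" srcip=198.51.100.5
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one FortiGate-style log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(ev):
    """Return (source_ip, user, 'fail' | 'success' | None) for login-related events."""
    src = ev.get("srcip") or ev.get("remip")          # admin logins use srcip, SSL VPN uses remip
    if ev.get("subtype") == "system" and ev.get("action") == "login":
        return src, ev.get("user"), "fail" if ev.get("status") == "failed" else "success"
    if ev.get("subtype") == "vpn":
        if ev.get("action") == "ssl-login-fail":
            return src, ev.get("user"), "fail"
        if ev.get("action") == "tunnel-up":
            return src, ev.get("user"), "success"
    return src, ev.get("user"), None

def find_credential_stuffing(log_text, min_failures=3, min_users=2):
    """Flag sources failing against several accounts, plus any later success from them."""
    fails, users, successes = defaultdict(int), defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        src, user, kind = classify(parse_line(line))
        if kind == "fail":
            fails[src] += 1
            users[src].add(user)
        elif kind == "success" and fails[src] >= min_failures:   # success after a failure burst
            successes[src].append(user)
    return {src: {"failures": n, "users": sorted(users[src]), "success_as": successes[src]}
            for src, n in fails.items() if n >= min_failures and len(users[src]) >= min_users}
```

On the sample above the only flagged source is 203.0.113.7, with four failures across four accounts followed by a successful SSL VPN tunnel as mrossi; a single legitimate admin login from another address is not reported.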

Carolina Vivianti is an independent cybersecurity consultant/advisor with experience in the tech and security sectors. She has worked as a Security Advisor for Ford EU/Ford Motor Company and Vodafone, and studied at Sapienza University of Rome.
Areas of Expertise: Cybersecurity, IT Risk Management, Security Advisory, Threat Analysis, Data Protection, Cloud Security, Compliance & Governance