Massive cyberattack wave targeting over 73,000 Fortinet firewalls
- Evelyn Carter

A global cyberattack campaign named "FortiBleed" has just been exposed, raising serious alarms across the information security landscape. By weaponizing massive caches of credentials leaked from previous infostealer campaigns, attackers successfully compromised tens of thousands of FortiGate devices and SSL VPN gateways worldwide.
What was the actual scale of the FortiBleed campaign?
This dangerous campaign was uncovered by security researcher Volodymyr “Bob” Diachenko in collaboration with cybersecurity firm Hudson Rock. According to data analysis, FortiBleed is a highly automated campaign operated methodically by a sophisticated cybercriminal group (highly likely Russian-speaking). Their operational tactics far exceed standard credential-stuffing attacks commonly seen in the wild.
The attackers deployed a large-scale scanning campaign to seek out internet-exposed Fortinet systems. Statistics reveal that more than 320,000 FortiGate devices became targets, enduring approximately 1.16 billion login attempts using leaked credentials. Concurrently, the group executed around 2.1 billion brute-force attempts against more than 160,000 MSSQL servers, successfully compromising 21,632 different domains. Ultimately, the campaign silently breached 73,932 Fortinet firewall URLs across 194 countries.

What tactics did the attackers use to control the systems?
The danger of FortiBleed lies not just in the volume of targets, but in how the group exploited data harvested from prior infostealer operations. Instead of attempting to crack passwords from scratch, they matched discovered Fortinet systems against pre-stolen credential databases. Armed with just a single valid account, the attackers quickly established an initial foothold and subsequently migrated into the Active Directory environment to deepen their internal access and control.
Notably, researchers observed the attackers harvesting authentication hashes from active SSL VPN sessions. These hashes were then transferred to an offline cracking infrastructure consisting of 45 dedicated GPUs running via Hashtopolis. This approach allowed the threat actors to recover additional credentials without directly interacting with the victims' systems, evading detection. Once inside, they monitored ongoing VPN traffic to harvest newly entered usernames and passwords, creating a self-expanding attack loop.
Which organizations and countries were hardest hit?
The FortiBleed campaign did not target a specific region or sector; it swept across the globe, striking multiple critical industries. Diachenko’s research confirmed compromises at organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey.
The sheer volume of the stolen database reflects the massive impact of this campaign. Leaked credentials involved some of the world's leading enterprises, including Foxconn, Samsung, Siemens, Lenovo, Oracle, PwC, Accenture, and Comcast, alongside thousands of government agencies, public sectors, and critical infrastructure operators. FortiBleed turned edge devices into open gateways for attackers to infiltrate the broader networks of vital global organizations.
What steps should businesses take to defend against FortiBleed?
To mitigate the severe risks posed by FortiBleed, cybersecurity experts recommend that organizations utilizing Fortinet devices immediately implement the following defenses:
- Reset all credentials: Change all VPN passwords and administrative accounts on Fortinet devices immediately.
- Deploy multi-factor authentication (MFA): Mandate MFA across all remote access gateways to block the unauthorized use of stolen credentials.
- Audit access logs: Review Fortinet activity logs to identify anomalies such as logins from unusual locations, unrecognized admin sessions, or sudden traffic spikes.
- Restrict administrative interface access: Implement local-in policies to ensure management interfaces are only accessible via trusted IP addresses, and disable FortiCloud SSO if it is not explicitly required.
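As an added illustration of the log-audit and trusted-IP steps (this script is not from the article, from the researchers, or from Fortinet), the following Python code parses constructed FortiGate-style key=value events and flags three patterns that match the campaign described above: one source address failing against many different usernames, a VPN session established from that same address afterwards, and a successful admin login from an address outside an assumed trusted set. The sample lines, field names and trusted addresses are assumptions approximating the FortiOS log format, not real captures.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate-style key=value events (SSL VPN + admin login); not real captures.
SAMPLE_LOGS = """\
date=2024-03-01 time=02:11:03 type="event" subtype="vpn" action="ssl-login-fail" user="j.doe" remip="198.51.100.7"
date=2024-03-01 time=02:11:04 type="event" subtype="vpn" action="ssl-login-fail" user="m.lee" remip="198.51.100.7"
date=2024-03-01 time=02:11:05 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="198.51.100.7"
date=2024-03-01 time=02:11:06 type="event" subtype="vpn" action="ssl-login-fail" user="s.kim" remip="198.51.100.7"
date=2024-03-01 time=02:11:09 type="event" subtype="vpn" action="tunnel-up" user="s.kim" remip="198.51.100.7"
date=2024-03-01 time=08:30:00 type="event" subtype="vpn" action="tunnel-up" user="a.nguyen" remip="203.0.113.20"
date=2024-03-01 time=08:45:00 type="event" subtype="system" action="login" status="success" user="admin" ui="https(203.0.113.99)"
"""
# Source addresses allowed to reach the management interface (assumed values).
TRUSTED_ADMIN_IPS = {"203.0.113.10", "203.0.113.11"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def admin_source(ui):
    """Pull the client address out of a ui field such as 'https(203.0.113.99)'."""
    m = re.search(r"\(([^)]+)\)", ui or "")
    return m.group(1) if m else None

def detect(log_text, spray_users=3, trusted=TRUSTED_ADMIN_IPS):
    """Return sorted (alert, detail) findings for the three patterns."""
    failed = defaultdict(set)  # remip -> usernames that failed from it
    tunnels = []               # (remip, user) for established VPN sessions
    findings = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") == "vpn" and ev.get("action") == "ssl-login-fail":
            failed[ev["remip"]].add(ev["user"])
        elif ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up":
            tunnels.append((ev["remip"], ev["user"]))
        elif ev.get("subtype") == "system" and ev.get("action") == "login":
            src = admin_source(ev.get("ui"))
            if ev.get("status") == "success" and src not in trusted:
                findings.add(("admin-login-untrusted-source", src))
    # One address failing against many different usernames is credential stuffing
    sprayers = {ip for ip, users in failed.items() if len(users) >= spray_users}
    findings.update(("credential-stuffing", ip) for ip in sprayers)
    # A session established from a spraying address means a stolen credential worked
    findings.update(("success-after-spray", f"{ip}:{user}")
                    for ip, user in tunnels if ip in sprayers)
    return sorted(findings)
```

Tune `spray_users` to the size of the user population; on real exports the same logic should be run per time window rather than over the whole file.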

Solutions to build a “digital shield” for enterprises
Securing edge infrastructure against highly sophisticated campaigns like FortiBleed demands continuous monitoring and rapid response. To fully safeguard your enterprise, IPSIP Vietnam's information security solutions deliver robust vulnerability scanning, access control, and identity protection tools. By integrating advanced cybersecurity monitoring services from IPSIP Vietnam, businesses can detect anomalous login behaviors in real time, shatter the attackers' execution chain at the perimeter, and maintain the absolute integrity of internal data systems.

IPSIP Vietnam's management and monitoring systems have successfully passed the most rigorous audits to achieve top international information security certifications, including ISO 27001:2022 and SOC 2 Type II.
By providing 24/7 non-stop core services - such as the Security Operations Center (SOC), Network Operations Center (NOC), and a dedicated, on-duty IT Support/Helpdesk team - IPSIP commits to directly responding to and intercepting any intrusion attempts, day or night. Partnering with these leading technical minds will help businesses completely eliminate legal and compliance risks, freeing up valuable resources to focus entirely on growth objectives.