





















A massive credential-harvesting campaign targeting FortiGate firewalls has exposed thousands of organizations to potential network compromise, and a trove of attacker tools, scripts, and credentials left inadvertently exposed on a server has given researchers an unusually detailed look at how the operation worked.
Analysts from ZenoX and CloudSEK have pieced together the full attack chain from the FortiBleed leak, revealing a sophisticated, highly automated pipeline that in some cases achieved full domain-level control of victim networks.
The attackers scanned the internet for FortiGate firewalls and SSL VPN gateways with exposed management interfaces, and logged in with previously compromised credentials (from previous Fortinet leaks and infostealer logs) or by brute-forcing them.
They intercepted live authentication traffic passing through the compromised firewall to extract credentials from 24 different protocols, then rented GPU capacity on demand from Vast.ai and orchestrated the cracking of password hashes through a distributed hash-cracking framework, controlled via a Telegram bot. The same bot and GPU pool were used to crack Active Directory and Kerberos hashes for specific corporate targets.
They also added their own administrator accounts on thousands of devices, with names designed not to raise suspicion: forticloud-sync, forticloud-tech, support_fortinet, Technical_support, etc.
From inside the network, they pivoted using OpenFortiVPN client configurations and a toolkit built around the Impacket Python library, which allowed them to originate traffic through the compromised VPN tunnel as if they were a legitimate internal host
They used an automated script to perform full Active Directory audits and password spraying tools to test cracked credentials across SMB shares, as well as a file-spider script that walked network shares recursively, opening scripts and configuration files in search of embedded passwords.
Throughout the operation, the attackers used CyberStrike, a legitimate open-source penetration testing AI agent, to automate reconnaissance, interaction with FortiGate management panels, vulnerability scanning, and OSINT enrichment.
The scale and sophistication of the operation is notable, but the immediate question for most organizations is simpler: are we in the dataset?
SOCRadar and Hudson Rock have made available two free FortiBleed Checkers, to allow organizations to query their domains against the FortiBleed dataset.
There’s also a list of IP addresses associated with devices with known credentials and configuration dumps, courtesy of security researcher Kevin Beaumont.
If your organization is on one of the lists, Beamont’s advice is to disconnect the devices from the internet and rebuild them from scratch (i.e., do a factory reset and reconfigure them from a clean baseline).
It that’s not an option, he advises:
Fortinet also advises checking for signs of lateral movement (new VPN users, unexpected password resets, or VPN from unexpected locations) and, if the device uses Active Directory or LDAP authentication, treating that account as compromised.
“Monitor your AD for its use for authentication elsewhere or the creation of additional accounts and monitor your network for lateral movement,” the company said.
Even organizations that don’t appear in the dataset should treat this as an opportunity to harden their FortiGate posture.
But, they should also:

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。